https://app.hackthebox.com/challenges/689

Description

The crew has located a dilapidated pre-war bunker. Deep within, a dusty control panel reveals that it was once used for communication with a low-orbit observation satellite. During the war, actors on all sides infiltrated and hacked each others systems and software, inserting backdoors to cripple or take control of critical machinery. It seems like this panel has been tampered with to prevent the control codes necessary to operate the satellite from being transmitted - can you recover the codes and take control of the satellite to locate enemy factions?

Exploitation

reading the code you see tath it reads the env SAT_PROD_ENVIRONRONMENT

and you can extract the memfrob bytearray with gdb if you set the env but this time i will extract the array values “statically”.

memfrob xor 42

data = open('./library.so', 'rb').read()
flag_bytes = []
flag_bytes.extend(data[0x1223:0x122b])
flag_bytes.extend(data[0x122d:0x1235])
flag_bytes.extend(data[0x1241:0x1249])
flag_bytes.extend(data[0x124b:0x1253])
for addr in range(0x1253, 0x1270):
    b = data[addr]
    if b ^ 42 == ord(']'):
        flag_bytes.append(b)
        break
decoded = bytearray(b ^ 42 for b in flag_bytes)
for i in range(len(decoded)):
    decoded[i] ^= i
print("HTB{" + decoded.decode())

Summary

SatelliteHijack: trace the binary, isolate the validation routine, and invert it to recover the flag.