Post

HackTheBox Metagaming Challenge

Posted
By x3ric
6 min read

Explore the basics of cybersecurity in the Metagaming Challenge on Hack The Box. This medium-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/695

Description

You come across an enemy faction, who have banded together and gathered their resources. You’ll need to outwit them, thinking outside the box - can you beat them before they even begin to run?

Exploitation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

#!/usr/bin/env python3
from z3 import *

s = Solver()
flag = [BitVec(f'flag_{i}', 32) for i in range(40)]
for i in range(len(flag)):
    s.add(flag[i] >= 33)
    s.add(flag[i] <= 127)
payload = 'lIlIIIIl(8, 0, 2769503260), lIlIIIIl(10, 0, 997841014), lIlIIIIl(19, 12, 11), lIlIIIIl(2, 0, 4065997671), lIlIIIIl(5, 13, 11), lIlIIIIl(8, 0, 690011675), lIlIIIIl(15, 11, 11), lIlIIIIl(8, 0, 540576667), lIlIIIIl(2, 0, 1618285201), lIlIIIIl(8, 0, 1123989331), lIlIIIIl(8, 0, 1914950564), lIlIIIIl(8, 0, 4213669998), lIlIIIIl(21, 13, 11), lIlIIIIl(8, 0, 1529621790), lIlIIIIl(10, 0, 865446746), lIlIIIIl(2, 10, 11), lIlIIIIl(8, 0, 449019059), lIlIIIIl(16, 13, 11), lIlIIIIl(8, 0, 906976959), lIlIIIIl(6, 10, 10), lIlIIIIl(8, 0, 892028723), lIlIIIIl(10, 0, 1040131328), lIlIIIIl(2, 0, 3854135066), lIlIIIIl(2, 0, 4133925041), lIlIIIIl(2, 0, 1738396966), lIlIIIIl(2, 12, 12), lIlIIIIl(8, 0, 550277338), lIlIIIIl(10, 0, 1043160697), lIlIIIIl(2, 1, 1176768057), lIlIIIIl(10, 1, 2368952475), lIlIIIIl(8, 12, 11), lIlIIIIl(2, 1, 2826144967), lIlIIIIl(8, 1, 1275301297), lIlIIIIl(10, 1, 2955899422), lIlIIIIl(2, 1, 2241699318), lIlIIIIl(12, 11, 10), lIlIIIIl(8, 1, 537794314), lIlIIIIl(11, 13, 10), lIlIIIIl(8, 1, 473021534), lIlIIIIl(17, 12, 13), lIlIIIIl(8, 1, 2381227371), lIlIIIIl(10, 1, 3973380876), lIlIIIIl(10, 1, 1728990628), lIlIIIIl(6, 11, 13), lIlIIIIl(8, 1, 2974252696), lIlIIIIl(0, 11, 11), lIlIIIIl(8, 1, 1912236055), lIlIIIIl(2, 1, 3620744853), lIlIIIIl(3, 10, 13), lIlIIIIl(2, 1, 2628426447), lIlIIIIl(11, 13, 12), lIlIIIIl(10, 1, 486914414), lIlIIIIl(16, 11, 12), lIlIIIIl(10, 1, 1187047173), lIlIIIIl(14, 12, 11), lIlIIIIl(2, 2, 3103274804), lIlIIIIl(13, 10, 10), lIlIIIIl(8, 2, 3320200805), lIlIIIIl(8, 2, 3846589389), lIlIIIIl(1, 13, 13), lIlIIIIl(2, 2, 2724573159), lIlIIIIl(10, 2, 1483327425), lIlIIIIl(2, 2, 1957985324), lIlIIIIl(14, 13, 12), lIlIIIIl(10, 2, 1467602691), lIlIIIIl(8, 2, 3142557962), lIlIIIIl(2, 13, 12), lIlIIIIl(2, 2, 2525769395), lIlIIIIl(8, 2, 3681119483), lIlIIIIl(8, 12, 11), lIlIIIIl(10, 2, 1041439413), lIlIIIIl(10, 2, 1042206298), lIlIIIIl(2, 2, 527001246), lIlIIIIl(20, 10, 13), lIlIIIIl(10, 2, 855860613), lIlIIIIl(8, 10, 10), lIlIIIIl(8, 2, 1865979270), lIlIIIIl(1, 13, 10), lIlIIIIl(8, 2, 2752636085), lIlIIIIl(2, 2, 1389650363), lIlIIIIl(10, 2, 2721642985), lIlIIIIl(18, 10, 11), lIlIIIIl(8, 2, 3276518041), lIlIIIIl(15, 10, 10), lIlIIIIl(2, 2, 1965130376), lIlIIIIl(2, 3, 3557111558), lIlIIIIl(2, 3, 3031574352), lIlIIIIl(16, 12, 10), lIlIIIIl(10, 3, 4226755821), lIlIIIIl(8, 3, 2624879637), lIlIIIIl(8, 3, 1381275708), lIlIIIIl(2, 3, 3310620882), lIlIIIIl(2, 3, 2475591380), lIlIIIIl(8, 3, 405408383), lIlIIIIl(2, 3, 2291319543), lIlIIIIl(0, 12, 12), lIlIIIIl(8, 3, 4144538489), lIlIIIIl(2, 3, 3878256896), lIlIIIIl(6, 11, 10), lIlIIIIl(10, 3, 2243529248), lIlIIIIl(10, 3, 561931268), lIlIIIIl(11, 11, 12), lIlIIIIl(10, 3, 3076955709), lIlIIIIl(18, 12, 13), lIlIIIIl(8, 3, 2019584073), lIlIIIIl(10, 13, 12), lIlIIIIl(8, 3, 1712479912), lIlIIIIl(18, 11, 11), lIlIIIIl(2, 3, 2804447380), lIlIIIIl(17, 10, 10), lIlIIIIl(10, 3, 2957126100), lIlIIIIl(18, 13, 13), lIlIIIIl(8, 3, 1368187437), lIlIIIIl(17, 10, 12), lIlIIIIl(8, 3, 3586129298), lIlIIIIl(10, 4, 1229526732), lIlIIIIl(19, 11, 11), lIlIIIIl(10, 4, 2759768797), lIlIIIIl(1, 10, 13), lIlIIIIl(2, 4, 2112449396), lIlIIIIl(10, 4, 1212917601), lIlIIIIl(2, 4, 1524771736), lIlIIIIl(8, 4, 3146530277), lIlIIIIl(2, 4, 2997906889), lIlIIIIl(16, 12, 10), lIlIIIIl(8, 4, 4135691751), lIlIIIIl(8, 4, 1960868242), lIlIIIIl(6, 12, 12), lIlIIIIl(10, 4, 2775657353), lIlIIIIl(16, 10, 13), lIlIIIIl(8, 4, 1451259226), lIlIIIIl(8, 4, 607382171), lIlIIIIl(13, 13, 13), lIlIIIIl(10, 4, 357643050), lIlIIIIl(2, 4, 2020402776), lIlIIIIl(8, 5, 2408165152), lIlIIIIl(13, 12, 10), lIlIIIIl(2, 5, 806913563), lIlIIIIl(10, 5, 772591592), lIlIIIIl(20, 13, 11), lIlIIIIl(2, 5, 2211018781), lIlIIIIl(10, 5, 2523354879), lIlIIIIl(8, 5, 2549720391), lIlIIIIl(2, 5, 3908178996), lIlIIIIl(2, 5, 1299171929), lIlIIIIl(8, 5, 512513885), lIlIIIIl(10, 5, 2617924552), lIlIIIIl(1, 12, 13), lIlIIIIl(8, 5, 390960442), lIlIIIIl(12, 11, 13), lIlIIIIl(8, 5, 1248271133), lIlIIIIl(8, 5, 2114382155), lIlIIIIl(1, 10, 13), lIlIIIIl(10, 5, 2078863299), lIlIIIIl(20, 12, 12), lIlIIIIl(8, 5, 2857504053), lIlIIIIl(10, 5, 4271947727), lIlIIIIl(2, 6, 2238126367), lIlIIIIl(2, 6, 1544827193), lIlIIIIl(8, 6, 4094800187), lIlIIIIl(2, 6, 3461906189), lIlIIIIl(10, 6, 1812592759), lIlIIIIl(2, 6, 1506702473), lIlIIIIl(8, 6, 536175198), lIlIIIIl(2, 6, 1303821297), lIlIIIIl(8, 6, 715409343), lIlIIIIl(2, 6, 4094566992), lIlIIIIl(14, 10, 11), lIlIIIIl(2, 6, 1890141105), lIlIIIIl(0, 13, 13), lIlIIIIl(2, 6, 3143319360), lIlIIIIl(10, 7, 696930856), lIlIIIIl(2, 7, 926450200), lIlIIIIl(8, 7, 352056373), lIlIIIIl(20, 13, 11), lIlIIIIl(10, 7, 3857703071), lIlIIIIl(8, 7, 3212660135), lIlIIIIl(5, 12, 10), lIlIIIIl(10, 7, 3854876250), lIlIIIIl(21, 12, 11), lIlIIIIl(8, 7, 3648688720), lIlIIIIl(2, 7, 2732629817), lIlIIIIl(4, 10, 12), lIlIIIIl(10, 7, 2285138643), lIlIIIIl(18, 10, 13), lIlIIIIl(2, 7, 2255852466), lIlIIIIl(2, 7, 2537336944), lIlIIIIl(3, 10, 13), lIlIIIIl(2, 7, 4257606405), lIlIIIIl(10, 8, 3703184638), lIlIIIIl(7, 11, 10), lIlIIIIl(10, 8, 2165056562), lIlIIIIl(8, 8, 2217220568), lIlIIIIl(19, 10, 12), lIlIIIIl(8, 8, 2088084496), lIlIIIIl(15, 13, 10), lIlIIIIl(8, 8, 443074220), lIlIIIIl(16, 13, 12), lIlIIIIl(10, 8, 1298336973), lIlIIIIl(2, 13, 11), lIlIIIIl(8, 8, 822378456), lIlIIIIl(19, 11, 12), lIlIIIIl(8, 8, 2154711985), lIlIIIIl(0, 11, 12), lIlIIIIl(10, 8, 430757325), lIlIIIIl(2, 12, 10), lIlIIIIl(2, 8, 2521672196), lIlIIIIl(10, 9, 532704100), lIlIIIIl(10, 9, 2519542932), lIlIIIIl(2, 9, 2451309277), lIlIIIIl(2, 9, 3957445476), lIlIIIIl(5, 10, 10), lIlIIIIl(8, 9, 2583554449), lIlIIIIl(10, 9, 1149665327), lIlIIIIl(12, 13, 12), lIlIIIIl(8, 9, 3053959226), lIlIIIIl(0, 10, 10), lIlIIIIl(8, 9, 3693780276), lIlIIIIl(15, 11, 10), lIlIIIIl(2, 9, 609918789), lIlIIIIl(2, 9, 2778221635), lIlIIIIl(16, 13, 10), lIlIIIIl(8, 9, 3133754553), lIlIIIIl(8, 11, 13), lIlIIIIl(8, 9, 3961507338), lIlIIIIl(2, 9, 1829237263), lIlIIIIl(16, 11, 13), lIlIIIIl(2, 9, 2472519933), lIlIIIIl(6, 12, 12), lIlIIIIl(8, 9, 4061630846), lIlIIIIl(10, 9, 1181684786), lIlIIIIl(13, 10, 11), lIlIIIIl(10, 9, 390349075), lIlIIIIl(8, 9, 2883917626), lIlIIIIl(10, 9, 3733394420), lIlIIIIl(10, 12, 12), lIlIIIIl(2, 9, 3895283827), lIlIIIIl(20, 10, 11), lIlIIIIl(2, 9, 2257053750), lIlIIIIl(10, 9, 2770821931), lIlIIIIl(18, 10, 13), lIlIIIIl(2, 9, 477834410), lIlIIIIl(19, 13, 12), lIlIIIIl(3, 0, 1), lIlIIIIl(12, 12, 12), lIlIIIIl(3, 1, 2), lIlIIIIl(11, 13, 11), lIlIIIIl(3, 2, 3), lIlIIIIl(3, 3, 4), lIlIIIIl(3, 4, 5), lIlIIIIl(1, 13, 13), lIlIIIIl(3, 5, 6), lIlIIIIl(7, 11, 11), lIlIIIIl(3, 6, 7), lIlIIIIl(4, 10, 12), lIlIIIIl(3, 7, 8), lIlIIIIl(18, 12, 12), lIlIIIIl(3, 8, 9), lIlIIIIl(21, 12, 10), lIlIIIIl(3, 9, 10)'
payload = payload.split('), ')
payload = [[int(y) for y in x.split('(')[1].split(')')[0].split(', ')] for x in payload]
chunks = [0 for _ in range(15)]
for i in range(len(flag)):
    pos = i % 4
    cur_reg = (i - (i % 4)) // 4
    if pos == 0:
        chunks[cur_reg] = 0
    chunks[cur_reg] |= (flag[i] << (pos * 8))
for cmd in payload:
    opcode, op0, op1 = cmd
    if opcode == 2:
        chunks[op0] ^= BitVecVal(op1, 32)
    elif opcode == 8:
        chunks[op0] += BitVecVal(op1, 32)
    elif opcode == 10:
        chunks[op0] -= BitVecVal(op1, 32)
    elif opcode == 3:
        chunks[op0] ^= chunks[op1]
s.add(chunks[0] == 0x3ee88722)
s.add(chunks[1] == 0xecbdbe2)
s.add(chunks[2] == 0x60b843c4)
s.add(chunks[3] == 0x5da67c7)
s.add(chunks[4] == 0x171ef1e9)
s.add(chunks[5] == 0x52d5b3f7)
s.add(chunks[6] == 0x3ae718c0)
s.add(chunks[7] == 0x8b4aacc2)
s.add(chunks[8] == 0xe5cf78dd)
# s.add(chunks[9] == 0x4a848edf)
if s.check() != sat:
    print('unsat')
    exit()
m = s.model()
fl = ''.join(map(chr, [m[x].as_long() for x in flag]))
print(fl)

Summary

The Metagaming Challenge on Hack The Box is a medium-level challenge that focuses on encryption reversal and file handling. Participants are tasked with solving a series of operations involving bitwise manipulation and decryption to uncover the hidden flag. The challenge introduces the use of z3, a Python library for solving logical constraints, to break down complex byte-level operations. It encourages users to think critically and solve encryption problems by leveraging constraint-solving techniques, making it an excellent exercise for those wanting to strengthen their skills in both reverse engineering and cryptography.

challenge
htb challenge writeup linux rev
This post is licensed under CC BY 4.0 by the author.