SEPC
Files
Download: rev_sepc.zip
Challenge Description
The premise of this reversing challenge frames the target as an embedded operating system pulled from an intercepted deep-space satellite. The goal is to breach the “secure enclave” and recover the security mechanism that protects their encrypted communications.
SEPC
We've extracted an embedded operating system running on an intercepted deep-space satellite launched by Arodor. If we can breach the secure enclave and extract their security mechanisms, we can crack their encrypted communications.
The intended solution path is to extract the kernel object file and the ELF
binary from initramfs.cpio.gz using gunzip and cpio, locate the encrypted
data along with its XOR algorithm inside checker.ko, and finally XOR the two
buffers together to recover the flag.
Recon
The provided artifact is a gzip-compressed cpio archive (initramfs), the
RAM-based root filesystem an embedded Linux kernel mounts at boot. After
decompressing it with gunzip, the contents are unpacked with cpio in
extract mode, which writes the full directory tree to disk.
cpio -idv < initramfs.cpio
To get a quick map of what lives inside the archive without fully unpacking it,
binwalk is run against the cpio file. It walks the archive and reports each
embedded entry with its offset and file name.
binwalk initramfs.cpio
The output enumerates the standard BusyBox-style usr/sbin and usr/bin
utilities expected in an embedded initramfs. One entry stands out: a file name
that has been abused to smuggle a CyberChef recipe URL, hinting directly at the
XOR-of-hex decoding step needed to solve the challenge.
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ASCII cpio archive (SVR4 with no CRC), file name: ".", file name length: "0x00000002", file size: "0x00000000"
112 0x70 ASCII cpio archive (SVR4 with no CRC), file name: "usr", file name length: "0x00000004", file size: "0x00000000"
228 0xE4 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin", file name length: "0x00000009", file size: "0x00000000"
348 0x15C ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/readahead", file name length: "0x00000013", file size: "0x00000011"
500 0x1F4 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/readprofile", file name length: "0x00000015", file size: "0x00000011"
652 0x28C ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/ifplugd", file name length: "0x00000011", file size: "0x00000011"
800 0x320 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/fakeidentd", file name length: "0x00000014", file size: "0x00000011"
952 0x3B8 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/fbset", file name length: "0x0000000F", file size: "0x00000011"
1100 0x44C ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/lpd", file name length: "0x0000000D", file size: "0x00000011"
1244 0x4DC ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/seedrng", file name length: "0x00000011", file size: "0x00000011"
1392 0x570 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/tftpd", file name length: "0x0000000F", file size: "0x00000011"
1540 0x604 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/ubirmvol", file name length: "0x00000012", file size: "0x00000011"
1688 0x698 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/powertop", file name length: "0x00000012", file size: "0x00000011"
1836 0x72C ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/arping", file name length: "0x00000010", file size: "0x00000011"
1984 0x7C0 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/nandwrite", file name length: "0x00000013", file size: "0x00000011"
2136 0x858 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/loadfont", file name length: "0x00000012", file size: "0x00000011"
2284 0x8EC ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/ftpd", file name length: "0x0000000E", file size: "0x00000011"
2428 0x97C ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/telnetd", file name length: "0x00000011", file size: "0x00000011"
2576 0xA10 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/httpd", file name length: "0x0000000F", file size: "0x00000011"
2724 0xAA4 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/rdate", file name length: "0x0000000F", file size: "0x00000011"
2872 0xB38 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/mim", file name length: "0x0000000D", file size: "0x00000011"
3016 0xBC8 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/fsfreeze", file name length: "0x00000012", file size: "0x00000011"
3164 0xC5C ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/ntpd", file name length: "0x0000000E", file size: "0x00000011"
3308 0xCEC ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/svlogd", file name length: "0x00000010", file size: "0x00000011"
3456 0xD80 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/partprobe", file name length: "0x00000013", file size: "0x00000011"
3608 0xE18 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/delgroup", file name length: "0x00000012", file size: "0x00000011"
3756 0xEAC ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/fdformat", file name length: "0x00000012", file size: "0x00000011"
3904 0xF40 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/ubimkvol", file name length: "0x00000012", file size: "0x00000011"
4052 0xFD4 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/brctl", file name length: "0x0000000F", file size: "0x00000011"
4200 0x1068 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/deluser", file name length: "0x00000011", file size: "0x00000011"
4348 0x10FC ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/chroot", file name length: "0x00000010", file size: "0x00000011"
4496 0x1190 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/chpasswd", file name length: "0x00000012", file size: "0x00000011"
4644 0x1224 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/dnsd", file name length: "0x0000000E", file size: "0x00000011"
4788 0x12B4 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/ubirename", file name length: "0x00000013", file size: "0x00000011"
4940 0x134C ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/dhcprelay", file name length: "0x00000013", file size: "0x00000011"
5092 0x13E4 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/ubidetach", file name length: "0x00000013", file size: "0x00000011"
5244 0x147C ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/ether-wake", file name length: "0x00000014", file size: "0x00000011"
5396 0x1514 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/setfont", file name length: "0x00000011", file size: "0x00000011"
5544 0x15A8 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/killall5", file name length: "0x00000012", file size: "0x00000011"
5692 0x163C ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/rtcwake", file name length: "0x00000011", file size: "0x00000011"
5840 0x16D0 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/setlogcons", file name length: "0x00000014", file size: "0x00000011"
5992 0x1768 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/nologin", file name length: "0x00000011", file size: "0x00000011"
6140 0x17FC ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/i2ctransfer", file name length: "0x00000015", file size: "0x00000011"
6292 0x1894 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/adduser", file name length: "0x00000011", file size: "0x00000011"
6440 0x1928 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/ubiattach", file name length: "0x00000013", file size: "0x00000011"
6592 0x19C0 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/chat", file name length: "0x0000000E", file size: "0x00000011"
6736 0x1A50 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/rdev", file name length: "0x0000000E", file size: "0x00000011"
6880 0x1AE0 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/i2cdump", file name length: "0x00000011", file size: "0x00000011"
7028 0x1B74 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/udhcpd", file name length: "0x00000010", file size: "0x00000011"
7176 0x1C08 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/ubirsvol", file name length: "0x00000012", file size: "0x00000011"
7324 0x1C9C ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/crond", file name length: "0x0000000F", file size: "0x00000011"
7472 0x1D30 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/i2cget", file name length: "0x00000010", file size: "0x00000011"
7620 0x1DC4 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/remove-shell", file name length: "0x00000016", file size: "0x00000011"
7772 0x1E5C ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/add-shell", file name length: "0x00000013", file size: "0x00000011"
7924 0x1EF4 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/addgroup", file name length: "0x00000012", file size: "0x00000011"
8072 0x1F88 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/nanddump", file name length: "0x00000012", file size: "0x00000011"
8220 0x201C ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/i2cset", file name length: "0x00000010", file size: "0x00000011"
8368 0x20B0 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/inetd", file name length: "0x0000000F", file size: "0x00000011"
8516 0x2144 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/popmaildir", file name length: "0x00000014", file size: "0x00000011"
8668 0x21DC ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/nbd-client", file name length: "0x00000014", file size: "0x00000011"
8820 0x2274 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/sendmail", file name length: "0x00000012", file size: "0x00000011"
8968 0x2308 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/ubiupdatevol", file name length: "0x00000016", file size: "0x00000011"
9120 0x23A0 ASCII cpio archive (SVR4 with no CRC), file name: "usr/sbin/i2cdetect", file name length: "0x00000013", file size: "0x00000011"
9272 0x2438 ASCII cpio archive (SVR4 with no CRC), file name: "usr/bin", file name length: "0x00000008", file size: "0x00000000"
9392 0x24B0 ASCII cpio archive (SVR4 with no CRC), file name: "usr/bin/realpath", file name length: "0x00000011", file size: "0x00000011"
9540 0x2544 ASCII cpio archive (SVR4 with no CRC), file name: "usr/bin/microcom", file name length: "0x00000011", file size: "0x00000011"
9688 0x25D8 ASCII cpio archive (SVR4 with no CRC), file name: "usr/bin/shred", file name length: "0x0000000E", file size: "0x00000011"
9832 0x2668 ASCII cpio archive (SVR4 with no CRC), file name: "usr/bin/uniq", file name length: "0x0000000D", file size: "0x00000011"
9976 0x26F8 ASCII cpio archive (SVR4 with no CRC), file name: "usr/bin/hd", file name length: "0x0000000B", file size: "0x00000011"
10120 0x2788 ASCII cpio archive (SVR4 with no CRC), file name: "usr/bin/traceroute6", file name length: "0x00000014", file size: "0x00000011"
10272 0x2820 ASCII cpio archive (SVR4 with no CRC), file name: "usr/bin/showkey", file name length: "0x00000010", file size: "0x00000011"
10420 0x28B4 ASCII cpio archive (SVR4 with no CRC), file name: "usr/bin/unzip", file name length: "0x0000000E", file size: "0x00000011"
10564 0x2944 ASCII cpio archive (SVR4 with no CRC), file name: "usr/bin/last", file name length: "0x0000000D", file size: "0x00000011"
10708 0x29D4 ASCII cpio archive (SVR4 with no CRC), file name: "usr/bin/reset", file name length: "0x0000000E", file size: "0x00000011"
10852 0x2A64 ASCII cpio archive (SVR4 with no CRC), file name: "usr/bin/nproc", file name length: "0x0000000E", file size: "0x00000011"
10996 0x2AF4 ASCII cpio archive (SVR4 with no CRC), file name: "usr/bin/https://gchq.github.io/CyberChef/#recipe=Unescape_string(XOR(%7B'option':'Hex','string':'b4e4e9ab09364ac2a514e53566c399145a34f118917d2370fab53dfa3de500d16915f0a68348c6302e4529020aa90f38890dac1c897cf4d3f06b2f21b7d8c0fb'%7D,'Standard',false)&input=XHhmY1x4YjBceGFiXHhkMFx4NzlceDQzXHgyNlx4YWVceGNjXHg3YVx4ODJceDZhXHgwMlx4ZjdceGVkXHgyMFx4MDVceDUyXHg4M1x4MjhceGZjXHgyMlx4NDhceDQzXHg4OFx4ZGJceDBlXHg5Nlx4MDhceDk1XHgzNFx4YjI)
Reversing the Kernel Module
Among the extracted files is the kernel object checker.ko. Loading it into the
Hex-Rays decompiler reveals two global byte buffers. The first, byte_3C0, is a
64-byte buffer that acts as the XOR key; the second, byte_400, is the 34-byte
encrypted payload. Both are flagged “weak” by the decompiler, indicating they
are statically initialized data.
char byte_3C0[64] =
{
'\xB4',
'\xE4',
'\xE9',
'\xAB',
'\t',
'6',
'J',
'\xC2',
'\xA5',
'\x14',
'\xE5',
'5',
'f',
'\xC3',
'\x99',
'\x14',
'Z',
'4',
'\xF1',
'\x18',
'\x91',
'}',
'#',
'p',
'\xFA',
'\xB5',
'=',
'\xFA',
'=',
'\xE5',
'\0',
'\xD1',
'i',
'\x15',
'\xF0',
'\xA6',
'\x83',
'H',
'\xC6',
'0',
'.',
'E',
')',
'\x02',
'\n',
'\xA9',
'\x0F',
'8',
'\x89',
'\r',
'\xAC',
'\x1C',
'\x89',
'|',
'\xF4',
'\xD3',
'\xF0',
'k',
'/',
'!',
'\xB7',
'\xD8',
'\xC0',
'\xFB'
}; // weak
char byte_400[34] =
{
'\xFC',
'\xB0',
'\xAB',
'\xD0',
'y',
'C',
'&',
'\xAE',
'\xCC',
'z',
'\x82',
'j',
'\x02',
'\xF7',
'\xED',
' ',
'\x05',
'R',
'\x83',
'(',
'\xFC',
'\"',
'H',
'C',
'\x88',
'\xDB',
'\x0E',
'\x96',
'\b',
'\x95',
'4',
'\xB2',
'Z',
'h'
}; // weak
Recovering the Flag
The module’s check logic XORs the encrypted buffer against the key. Reproducing
that with a small XOR helper, feeding it the encrypted byte_400 bytes and the
byte_3C0 key, immediately yields the start of the flag. With only the first 32
encrypted bytes, the plaintext is recovered up to k3rn3l5p4c before the buffer
runs short.
>>> from pwn import xor  # assumption: pwntools' xor, which repeats the shorter input to the length of the longer one
>>> xor(b'\xfc\xb0\xab\xd0\x79\x43\x26\xae\xcc\x7a\x82\x6a\x02\xf7\xed\x20\x05\x52\x83\x28\xfc\x22\x48\x43\x88\xdb\x0e\x96\x08\x95\x34\xb2',b'\xb4\xe4\xe9\xab\x09\x36\x4a\xc2\xa5\x14\xe5\x35\x66\xc3\x99\x14\x5a\x34\xf1\x18\x91\x7d\x23\x70\xfa\xb5\x3d\xfa\x3d\xe5\x00\xd1\x69\x15\xf0\xa6\x83\x48\xc6\x30\x2e\x45\x29\x02\x0a\xa9\x0f\x38\x89\x0d\xac\x1c\x89\x7c\xf4\xd3\xf0\x6b\x2f\x21\xb7\xd8\xc0\xfb')
b'HTB{pulling_d4t4_fr0m_k3rn3l5p4c\x95\xa5[v\xfa\x0b\xe0\x9e\xe2?\xabh\x08^\xe2\x18\x8c_/4u^\xbc\x90x\xb0!\xb7\xbfM\xf4I'
The decompiler initially showed only 32 bytes for byte_400, but the real
encrypted buffer is 34 bytes long. Appending the two trailing bytes (\x5a\x68,
i.e. Z and h) to the input completes the XOR and reveals the closing brace,
producing the full flag.
>>> xor(b'\xfc\xb0\xab\xd0\x79\x43\x26\xae\xcc\x7a\x82\x6a\x02\xf7\xed\x20\x05\x52\x83\x28\xfc\x22\x48\x43\x88\xdb\x0e\x96\x08\x95\x34\xb2\x5a\x68',b'\xb4\xe4\xe9\xab\x09\x36\x4a\xc2\xa5\x14\xe5\x35\x66\xc3\x99\x14\x5a\x34\xf1\x18\x91\x7d\x23\x70\xfa\xb5\x3d\xfa\x3d\xe5\x00\xd1\x69\x15\xf0\xa6\x83\x48\xc6\x30\x2e\x45\x29\x02\x0a\xa9\x0f\x38\x89\x0d\xac\x1c\x89\x7c\xf4\xd3\xf0\x6b\x2f\x21\xb7\xd8\xc0\xfb')
b'HTB{pulling_d4t4_fr0m_k3rn3l5p4c3}\x0c\x16(\x98\xbfs\x08\xeb\xe5x\x88\xc3\r\xcfd-\xa9N\nT\x08\xf1\xb8(\xa7\xfa\xb9N\xc8n'
The same operation can be performed visually with the CyberChef recipe that was hidden in the initramfs file name, confirming the recovered flag.
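The recipe can also be replayed offline straight from the smuggled file name. The script below is an added example, not part of the original write-up: it pulls the hex key and the base64 input out of the URL fragment, performs the Unescape string step, and XORs only as many key bytes as there is ciphertext, so the output has no garbage tail like the REPL results above. The function names are hypothetical; the file name and the two trailing bytes are copied from this page.

```python
import base64
import re
from itertools import cycle

# File name reported by binwalk, copied from the listing on this page.
RECIPE_NAME = (
    "usr/bin/https://gchq.github.io/CyberChef/#recipe=Unescape_string(XOR(%7B'option':'Hex',"
    "'string':'b4e4e9ab09364ac2a514e53566c399145a34f118917d2370fab53dfa3de500d1"
    "6915f0a68348c6302e4529020aa90f38890dac1c897cf4d3f06b2f21b7d8c0fb'%7D,'Standard',false)"
    "&input=XHhmY1x4YjBceGFiXHhkMFx4NzlceDQzXHgyNlx4YWVceGNjXHg3YVx4ODJceDZhXHgwMlx4ZjdceGVk"
    "XHgyMFx4MDVceDUyXHg4M1x4MjhceGZjXHgyMlx4NDhceDQzXHg4OFx4ZGJceDBlXHg5Nlx4MDhceDk1XHgzNFx4YjI"
)

# The two bytes of byte_400 that the URL input does not carry (Z and h).
TRAILING = b"\x5a\x68"


def parse_recipe(name):
    """Return (key, ciphertext) embedded in the CyberChef URL fragment."""
    key_hex = re.search(r"'string':'([0-9a-fA-F]+)'", name).group(1)
    b64 = re.search(r"input=([A-Za-z0-9+/]+)", name).group(1)
    b64 += "=" * (-len(b64) % 4)  # the URL carries unpadded base64
    escaped = base64.b64decode(b64).decode("ascii")
    # Unescape string step: turn the literal "\xNN" text into raw bytes.
    data = bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", escaped))
    return bytes.fromhex(key_hex), data


def xor_decrypt(data, key):
    """XOR data with key, repeating the key if needed; output is len(data) bytes."""
    return bytes(c ^ k for c, k in zip(data, cycle(key)))


def recover_flag():
    """Return (plaintext from the URL input alone, plaintext with TRAILING appended)."""
    key, data = parse_recipe(RECIPE_NAME)
    return xor_decrypt(data, key), xor_decrypt(data + TRAILING, key)


if __name__ == "__main__":
    for plaintext in recover_flag():
        print(len(plaintext), plaintext.decode("ascii"))
```

The URL input decodes to the same 32 bytes used in the first REPL call, which is why the recipe on its own stops at k3rn3l5p4c until the two trailing bytes are appended.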

The flag is HTB{pulling_d4t4_fr0m_k3rn3l5p4c3}.