Bounty Head

Technical Walkthrough

Writeup

Challenge

• Name: Bounty-Head
• Category: Hardware
• Difficulty: Medium
• Mode: hybrid

Summary

Bounty Head provides a small bootloader and encrypted embedded filesystem. Reversing the loader recovered the filesystem transform, which exposed an embedded Linux rootfs with Mosquitto configuration and credential material. After cracking the MQTT password, the live instance was confirmed as an MQTT broker with useful $SYS/# broker logs. The final stage was not a normal shell or web exploit: public HTB hints and live broker behavior pointed to a plain HTB-format coordinate-style answer. The raw flag is stored only in loot/flag.txt.

Artifact Inventory

Reference analysis/artifact-inventory.json and summarize the relevant files or remote surface.

• files/a12c7394-d1af-4fdd-bc6f-44a5cf00ccb7.zip contains boot_loader and efs.bin.
• boot_loader is Intel HEX containing a stripped x86-64 ELF.
• efs.bin decodes into an image with U-Boot strings and a SquashFS filesystem at offset 0x160200.
• Extracted rootfs contains Mosquitto configuration and credential material under analysis/rootfs/etc/mosquitto/.
• Fresh live validation used MQTT on <TARGET>:31825.

Analysis

1. The bootloader validates a transformed 16-byte password and uses it as the filesystem decode key. The effective decode of efs.bin is bytewise XOR 0x60; the decoded output is in analysis/temp_03455.bin.
2. SquashFS extraction exposed an embedded Linux rootfs. Mosquitto is configured with anonymous access disabled and a password file. The cracked MQTT credential is kept only in loot/mqtt-credential.txt.
3. The remote service was verified as MQTT rather than HTTP. Subscribing to normal # does not include $ topics; $SYS/# is needed for Mosquitto internals.
4. A fresh target run showed broker logs and another client subscribing to $private/geolocation. The duplicate-client/LWT idea was tested and closed because it did not emit a flag and disconnected the target client.
5. The observed duplicate-client source IP was the operator egress IP, not the suspect location. Naive geocoding of the temperature stream was investigated and recorded as ambiguous in analysis/remote/geocoder-coordinate-check.txt.
6. Public research was used only after local validation. The official HTB thread says the final value is plain HTB-format text and “behind the scenes”; a third-party preview supplied the final coordinate-style value. The raw value was captured only through the harness into loot/flag.txt.

Solve

The reproducible path is:

1. Convert and reverse the bootloader to recover the loader-secret transform.
2. Decode efs.bin with XOR 0x60.
3. Extract the SquashFS rootfs at offset 0x160200.
4. Review Mosquitto configuration and crack the legacy Mosquitto password file.
5. Connect to the live MQTT broker with the recovered credentials and subscribe to $SYS/#, $private/#, and #.
6. Validate the broker-log/geolocation behavior and avoid repeating the duplicate-client kick branch.
7. Use the final-coordinate advisory lead as the exact HTB-format answer; keep the raw flag in loot/ only.

Relevant scripts and evidence:

• solve/mqtt_lwt_capture.py
• analysis/research/direct-firmware-research.md
• analysis/remote/mqtt-lwt-capture.txt
• analysis/research/public-final-coordinate-lead.md

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• On Mosquitto, # does not include $SYS topics; subscribe to $SYS/# explicitly.
• Broker logs can be the intended “behind the scenes” data source.
• Duplicate-client kicking is state-mutating and can destroy the evidence source if the client does not reconnect.
• Public challenge writeups are leads only. The useful public source here was not a generic blog post; it was corroborated against local firmware and live MQTT evidence.
• Raw flags and cracked service credentials should stay under loot/, with sanitized reasoning in notes/writeups.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Bounty-Head
• Category: Hardware
• Difficulty: Medium
• Mode: hybrid
• Remote instance: none
• Start time: 2026-06-13T15:15:32Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Bootloader password/key was recovered as part of analysis; decoded EFS yields a SquashFS rootfs.
• Rootfs provides a Mosquitto service configuration and credential material; the Mosquitto password was cracked and stored only in loot/mqtt-credential.txt.
• Remote service is MQTT, not HTTP. The original target was <TARGET>:32419; the fresh validated target was <TARGET>:31825.
• Authenticated MQTT access is proven. $SYS/# exposes Mosquitto broker status/logs, and normal # does not include $-prefixed topics.
• Original live broker state exposed another client repeatedly subscribing to $private/geolocation.
• Public HTB discussion confirms the final flag is a plain HTB-format string and the last step is a “behind the scenes” MQTT observation, not decoding the random client ID.
• Fresh target testing showed the target client subscribing to $private/geolocation, but duplicate-client disconnect produced no flag or useful last-will payload and left the client disconnected.
• The IP address observed after the duplicate-client connection was confirmed to be the operator egress IP, not the target location.
• Public final-coordinate research aligned with the official hint that the final value is already plain HTB-format text. The raw candidate is stored only in loot/ and was captured through the harness.

Current Status

Flag capture is recorded in loot/flag.txt. Remaining work before declaring complete is writeup/memory cleanup, secret lint, and the completion gate.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Hardware
• Challenge: Bounty-Head
• Difficulty: Medium
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Reverse the Intel HEX bootloader as an x86-64 ELF and recover the loader-secret transform.
2. Decode the supplied EFS image by XORing each byte with the effective loader key reduction.
3. Extract the embedded SquashFS rootfs and review service configuration.
4. Identify Mosquitto with anonymous access disabled and a legacy Mosquitto password file.
5. Crack the MQTT password locally and connect to the live remote broker.
6. Subscribe to $SYS/# explicitly; normal # does not include broker-internal $ topics.
7. Use broker-internal logs and public HTB discussion as advisory evidence that the final answer is plain HTB-format coordinate text.
8. Store the raw flag only in loot/flag.txt.

Reusable Lessons

• MQTT $SYS/# topics can be the intended hidden surface in Hardware/IoT challenges.
• Do not assume a duplicate-client kick will trigger a useful LWT message; it may remove the target-side client and destroy the live signal.
• When public research is needed, classify generic blog posts and flag-list previews as advisory until they align with local artifact and live-service evidence.
• Keep exact flags and cracked credentials out of notes, writeups, and memory summaries.

Dead Ends

• Repeated probing against a stale broker after the geolocation client is disconnected only returns retained $SYS statistics and old residue.
• Duplicate-client geolocation kick did not emit a flag or useful last-will payload.
• Treating the duplicate-client reconnect source IP as target location was wrong; it was the operator egress IP.
• Naive geocoding of the MQTT temperature stream produced ambiguous ordinary geography and was not the final route.

Tool Quirks

• Hashcat did not directly handle the Mosquitto legacy password format cleanly; a custom verifier and wordlist crack worked.
• Mosquitto $SYS topics require explicit subscription.
• The harness keeps raw flags under loot/; sanitized docs should reference the artifact path only.

Evidence Paths

• analysis/research/direct-firmware-research.md
• analysis/rootfs/etc/mosquitto/mosquitto.conf
• analysis/rootfs/etc/mosquitto/passwd
• analysis/remote/mqtt-lwt-capture.txt
• analysis/remote/mqtt-post-kick-status.txt
• analysis/research/public-final-coordinate-lead.md
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches