Challenge / Hardware

Defusal

Defusal is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Difficulty: Medium | Published 2024-09-15 | Sanitized local writeup

Scenario


Objective

Challenge walkthrough focused on Hardware evidence, validation, and reusable operator lessons.

Defusal sanitized attack graph

Walkthrough flow

  1. Extract the AVR ELF and confirm debug...
  2. Use strings and DWARF to identify the print_flag...
  3. Correlate dot, keyByte, xorValue, and setColumn debug...
  4. Use the full defusal access-code string as the XOR...

Source coverage

High source coverage

Status: complete. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

97% coverage

Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • Hardware/Defusal/writeup.md
  • htb-challenge/Hardware/Defusal/notes.md
  • htb-challenge/Hardware/Defusal/memory-summary.md
  • htb-challenge/Hardware/Defusal/hypothesis-board.md

Technical Walkthrough

Writeup

Challenge

  • Name: Defusal
  • Category: Hardware
  • Difficulty: Medium
  • Mode: file

Summary

The firmware was an AVR/Arduino binary with debug metadata still present. The circuit image showed a keypad, LCD, and LED matrix, and the binary strings exposed access-code material plus print_flag and XOR-related variable names. DWARF confirmed a local byte[37][8] flag matrix inside print_flag; decoding those 37 LED glyphs with the full code-derived XOR key recovered the challenge flag.

Artifact Inventory

Reference analysis/artifact-inventory.json and summarize the relevant files or remote surface.

  • Defusal: AVR ELF, statically linked, debug info present, not stripped.
  • circuit.png: schematic/blueprint showing the Arduino, keypad, LCD, and LED matrix.
  • C4-BOMB.mp4: short device-output video; useful for context, but the decisive evidence came from firmware metadata.

Analysis

  1. strings exposed the keypad map, access-code strings, display text, and symbol names including print_flag, keyByte, xorValue, and setColumn.
  2. dwarfdump confirmed print_flag contains a local flag variable of type byte[37][8].
  3. The .data section contains the glyph initializer bytes at address 0x80021e.
  4. The print_flag debug metadata names the display loop variables as dot, keyByte, and xorValue, which matches an XOR-per-column decode before writing each byte to the LED matrix.
  5. XORing each glyph byte with the full defusal access-code bytes yields readable 8-byte glyphs in row-wise MSB orientation. The ambiguous single-stem glyph is the digit 1, not a capital I.

Solve

Run:

```bash
python3 Hardware/Defusal/solve/solve.py --workspace Hardware/Defusal
python3 scripts/challenge_harness.py capture-flag Hardware/Defusal --from loot/flag.txt
```

The solver parses the AVR ELF .data section with objdump, extracts the 37 8-byte glyph matrix, applies the XOR key, maps the decoded LED glyphs to characters, and writes the recovered flag to loot/flag.txt.
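As an added example (not the writeup's solve.py and not code from the challenge), the block below implements the pipeline that the Analysis steps and the solve description lay out: parse an `objdump -s` listing of the .data section, slice the byte[N][8] glyph matrix at the quoted address, XOR it with the access-code key, and match each decoded 8-byte glyph against a font. Only the matrix address 0x80021e and the row-wise MSB convention come from the page; the font, key, message, section base, dump layout and the cycling key schedule (`keyByte = key[flat_index % len(key)]`) are constructed assumptions. A row/column transpose is included for the setColumn-versus-setRow orientation check, and an unmatched glyph is reported as `?` so it can be rendered and reviewed by eye (the digit-1 versus capital-I case).

```python
"""Added example: recover an XOR-obfuscated 8x8 LED glyph matrix from an objdump .data listing."""
import re
from typing import Dict, List

# Constructed 8-row font: one byte per row, MSB = leftmost LED ("row-wise MSB orientation").
FONT: Dict[str, bytes] = {
    "H": bytes([0x42, 0x42, 0x42, 0x7E, 0x42, 0x42, 0x42, 0x00]),
    "T": bytes([0x7E, 0x18, 0x18, 0x18, 0x18, 0x18, 0x18, 0x00]),
    "B": bytes([0x7C, 0x42, 0x42, 0x7C, 0x42, 0x42, 0x7C, 0x00]),
    "{": bytes([0x0C, 0x10, 0x10, 0x60, 0x10, 0x10, 0x0C, 0x00]),
    "}": bytes([0x30, 0x08, 0x08, 0x06, 0x08, 0x08, 0x30, 0x00]),
    "_": bytes([0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7E, 0x00]),
    # The two look-alikes: "1" carries a flag, "I" carries serifs; matching is on all 8 rows.
    "1": bytes([0x18, 0x38, 0x18, 0x18, 0x18, 0x18, 0x18, 0x00]),
    "I": bytes([0x7E, 0x18, 0x18, 0x18, 0x18, 0x18, 0x7E, 0x00]),
}
FONT_REVERSE = {rows: ch for ch, rows in FONT.items()}

# One `objdump -s` line: address, 1-4 hex groups separated by single spaces, optional ASCII column.
DUMP_LINE = re.compile(r"^\s*([0-9a-fA-F]+)((?:\s[0-9a-fA-F]{2,8}){1,4})(?:\s{2,}.*)?$")


def parse_objdump_section(text: str) -> Dict[int, int]:
    """Map address -> byte for every hex group in an `objdump -s -j .data` listing."""
    mem: Dict[int, int] = {}
    for line in text.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue  # skips headers such as "Contents of section .data:"
        addr = int(m.group(1), 16)
        raw = bytes.fromhex("".join(m.group(2).split()))
        for i, b in enumerate(raw):
            mem[addr + i] = b
    return mem


def extract_matrix(mem: Dict[int, int], start: int, count: int, rows: int = 8) -> List[bytes]:
    """Slice `count` consecutive 8-byte glyphs starting at `start` (the DWARF byte[N][8])."""
    return [bytes(mem[start + g * rows + r] for r in range(rows)) for g in range(count)]


def xor_glyphs(glyphs: List[bytes], key: bytes) -> List[bytes]:
    """XOR each glyph byte with the key cycled over the flattened matrix (assumed schedule)."""
    # XOR is its own inverse, so this both obfuscates the sample and decodes it.
    return [bytes(b ^ key[(g * len(glyph) + r) % len(key)] for r, b in enumerate(glyph))
            for g, glyph in enumerate(glyphs)]


def transpose_glyph(glyph: bytes) -> bytes:
    """Swap rows and columns: try this when the firmware drives setColumn rather than setRow."""
    return bytes(sum(((glyph[r] >> (7 - c)) & 1) << (7 - r) for r in range(8)) for c in range(8))


def render(glyph: bytes) -> str:
    """ASCII-art view of one glyph ('#' = lit LED) for reviewing shapes the font did not match."""
    return "\n".join("".join("#" if row & (0x80 >> c) else "." for c in range(8)) for row in glyph)


def glyph_to_char(glyph: bytes) -> str:
    """Exact 8-byte match against the font; '?' flags a shape that needs manual review."""
    return FONT_REVERSE.get(glyph, "?")


def decode_flag_from_dump(dump: str, start: int, count: int, key: bytes) -> str:
    mem = parse_objdump_section(dump)
    return "".join(glyph_to_char(g) for g in xor_glyphs(extract_matrix(mem, start, count), key))


# --- Constructed sample: a .data section laid out like the one the writeup describes ---
DATA_BASE = 0x800200        # assumed section start
MATRIX_ADDR = 0x80021E      # glyph matrix address quoted in the writeup
KEY = b"C0DE-4242"          # constructed stand-in for the access-code string
MESSAGE = "HTB{T1_I_B}"     # constructed message, shorter than the challenge's 37 glyphs


def build_objdump_dump(base: int, data: bytes) -> str:
    """Format bytes the way `objdump -s` prints them: 16 bytes per line in 4-byte groups."""
    lines = ["Contents of section .data:"]
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 4].hex() for i in range(0, len(chunk), 4))
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f" {base + off:x} {groups}  {ascii_col}")
    return "\n".join(lines)


def build_sample_dump() -> str:
    filler = b"123A456B789C*0#D" + b"ACCESS DENIED\0"  # constructed keypad map + display text
    assert len(filler) == MATRIX_ADDR - DATA_BASE        # 30 bytes before the matrix
    obfuscated = xor_glyphs([FONT[c] for c in MESSAGE], KEY)
    return build_objdump_dump(DATA_BASE, filler + b"".join(obfuscated))


if __name__ == "__main__":
    dump = build_sample_dump()
    print(decode_flag_from_dump(dump, MATRIX_ADDR, len(MESSAGE), KEY))  # constructed message
    print(render(FONT["1"]) + "\n\n" + render(FONT["I"]))
```

The exact-match lookup is deliberately strict: a glyph that decodes with a wrong key or wrong orientation comes back as `?` rather than as a near-miss letter, which is the cue to dump it with `render` and to retry with `transpose_glyph` before trusting the string.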

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

  • Hardware challenges can still be solved mostly as firmware reversing when debug metadata is present.
  • Circuit/video artifacts should be used to interpret output devices, but local firmware evidence should drive the final solve.
  • Preserve raw flags in loot/ only; keep writeups and memory summaries sanitized.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Challenge: Defusal
  • Category: Hardware
  • Difficulty: Medium
  • Mode: file
  • Remote instance: none
  • Start time: 2026-06-11T13:00:23Z
  • Operator: harness
  • State file: challenge-state.json

Harness Status

  • Current phase: see challenge-state.json
  • Next allowed actions: see next-action.json
  • Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

| File | Size | SHA256 | Type | Notes |
| --- | --- | --- | --- | --- |
| files/a12c7343-e6e5-4c6e-b4e5-275a4c30ebb9.zip | 7455232 | <hash redacted> | Zip archive data, at least v1.0 to extract, compression method=store | zip entries: 4 shown in artifact inventory JSON |

Evidence Ledger

| Time | Action | Output/File | Finding | Confidence | Next |
| --- | --- | --- | --- | --- | --- |
| 2026-06-11T13:00:23Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-11T13:00:38Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-11T13:00:57Z | hypothesis recorded | hypothesis-board.md | Correlate binary firmware logic with circuit.png and C4-BOMB.mp4 output to recover the hidden defusal flag | Medium | Identify binary format, inspect strings/static logic, extract representative video frames, and map visible outputs to circuit labels |
| 2026-06-11T13:00:57Z | checkpoint recorded | analysis/checkpoint-analysis-20260611T130057414878Z-8eeab919.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-11T13:00:57Z | research task | analysis/research/task-20260611T130057416483Z-fc551543.md | Research task created for advisory investigation | Medium | Record research output |
| 2026-06-11T13:15:06Z | source audit | analysis/source-audit.md | Source audit recorded | High | Gate before exploit |
| 2026-06-11T13:15:06Z | instrumentation plan | analysis/instrumentation-plan.md | Recover the hidden flag from AVR firmware LED-matrix output logic. | High | Stop if the glyph matrix range, XOR key relationship, or glyph mapping conflicts with DWARF evidence or does not produce an HTB-format value. |
| 2026-06-11T13:15:31Z | RAG query | analysis/rag/rag-query-20260611T131520090063Z-b055a247.txt | RAG helper exited 0; output saved | Medium | Record retrieval tag and validation |
| 2026-06-11T13:15:46Z | RAG record | analysis/rag-records.md | Retrieved memory tagged GENERIC | Medium | Validate or reject with live evidence |
| 2026-06-11T13:15:58Z | evaluator | analysis/evaluator-20260611T131558086100Z-d8ce1a1d.md | Proceed | High | Capture flag through harness and complete. |
| 2026-06-11T13:16:25Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-11T13:16:34Z | research record | analysis/research/research-records.md | Research tagged GENERIC | Medium | Validate against current evidence |
| 2026-06-11T13:18:04Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
| 2026-06-11T13:34:57Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-11T13:35:10Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |

Key Findings

-

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

```bash
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."
```

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

  • Platform: HackTheBox Challenges
  • Category: Hardware
  • Challenge: Defusal
  • Difficulty: Medium
  • Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

  1. Extract the AVR ELF and confirm debug metadata/symbols are present.
  2. Use strings and DWARF to identify the print_flag routine and the local byte[37][8] LED glyph matrix.
  3. Correlate dot, keyByte, xorValue, and setColumn debug metadata with a per-column XOR decode.
  4. Use the full defusal access-code string as the XOR key and render/map the decoded glyphs into the HTB flag format.

Reusable Lessons

  • For AVR/Arduino hardware challenges, inspect DWARF before deep disassembly if the binary is not stripped.
  • LED matrix output is often stored as 8-byte glyphs and may need orientation testing against the display library call (setColumn vs setRow).
  • Password strings in firmware may be reused as obfuscation keys for hidden output.
  • In simple LED fonts, distinguish capital I from digit 1; the cleaned full-key decode can resolve this.

Dead Ends

  • The video and circuit image were useful context but did not directly contain the flag.
  • Treating the raw glyph matrix as plaintext produced noisy output until the XOR step was applied.

Tool Quirks

  • Apple objdump can dump AVR ELF sections and symbols but may not disassemble AVR instructions.
  • dwarfdump was sufficient to recover source-level variable names and types.

Evidence Paths

  • analysis/firmware-audit.md
  • analysis/dwarfdump-full.txt
  • analysis/defusal-data-section.txt
  • analysis/solve-run-redacted.json
  • analysis/flag-correction-20260611.md
  • solve/solve.py

Ingestion Decision

  • Proposed for LightRAG: yes
  • Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Correlate binary firmware logic with circuit.png and C4-BOMB.mp4 output to recover the hidden defusal flag | Archive contains Defusal binary, circuit schematic image, and device-output video | | Identify binary format, inspect strings/static logic, extract representative video frames, and map visible outputs to circuit labels | Medium | Active |

Closed Branches

| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
| --- | --- | --- | --- | --- |

No closed branches were recorded for this challenge.

Technical analogy

How to remember this solve

Think of the hardware challenge like following copper tracks on a circuit board. The useful clue is usually where signals enter, where they are transformed, and which debug or storage path exposes hidden state.

For Defusal, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.