Outrun

Technical Walkthrough

Writeup

Challenge

• Name: Outrun
• Category: Hardware
• Difficulty: Medium
• Mode: hybrid

Summary

Outrun is not solved in this workspace yet. The local and live work did identify the two visible control frames:

• 402#0000000000340000 drives the dashboard speedometer to 0.
• 122#6c6f636b3a310000 drives door_status to 0, interpreted as locked.

Those effects are validated against the live /data endpoint and Socket.IO stream, but the current target instance did not emit a flag after multiple controlled single-session attempts. The workspace is therefore parked at <secret redacted>, not COMPLETE.

Artifact Inventory

• files/a12c7372-0092-410f-8d3c-70d861a7ec5c.zip: original challenge archive.
• analysis/extracted/PCS_checklog.logicdata: Saleae-style logic capture used to recover CAN frames.
• analysis/extracted/bridge.py: Socket.IO helper supplied by the challenge.
• Remote service <TARGET>:31022: Flask/Werkzeug dashboard with /data and Engine.IO v3 Socket.IO endpoint.

Analysis

The official HTB discussion confirms the intended workflow: use python-socketio, decode the .logicdata capture, and send the necessary packets over one Socket.IO connection. It also documents that the challenge was reworked after an earlier RPM-related guessing step.

Local decoder output in analysis/can-decoded-ch0-crc.txt recovered the stop-speed frame:

• 024053316 402#0000000000340000

Live state validation in analysis/remote/lock-speed-oracle.txt confirmed:

• sending 402#0000000000340000 sets speedometer to 0;
• sending 122#6c6f636b3a310000 sets door_status to 0;
• shorter or longer lock:1 encodings did not produce the same visible lock effect.

The old forum near-solve clue suggested rpm=800, so 612#1900800022000000 was tested because its first byte is 0x19 and 0x19 * 32 = 800. Evidence in analysis/remote/hold-rpm800-speed0-lock1-20260614.jsonl shows that this did not control visible RPM on the live instance.

Failed branches are recorded in hypothesis-board.md. The important closed branches are:

• exact/public two-packet loops: no flag;
• moderate raw Engine.IO batching: no flag;
• aggressive raw batching / lock variants: connection reset by peer;
• final decoded tail sequence plus lock: no flag;
• 612#1900800022000000 as visible RPM control: no visible RPM effect.

Solve

No complete reproducible solve is validated yet.

Best next validation after a fresh target restart:

cd <local workspace>
sleep 65
.venv/bin/python solve/solve.py \
  --url http://<TARGET>:31022 \
  --duration 90 \
  --delay 0.001 \
  --threads 1 \
  --transports polling \
  --flag-output loot/flag-candidate.txt

If that does not write loot/flag-candidate.txt, do not continue timing guesses. Get server source or a narrow hint for the remaining predicate/event channel.

Flag

No live flag has been captured. If captured later, store it under loot/ and complete through the harness.

Lessons

• Treat public writeups and leaked flag lists as leads only. This workspace did not mark complete from public flag material.
• The service is sensitive to Socket.IO client version and traffic rate. Aggressive raw Engine.IO batching can reset the connection.
• The dashboard state can show speed-zero and locked without a flag, so the remaining blocker is either target freshness, a hidden predicate, or a missed event/channel condition.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Outrun
• Category: Hardware
• Difficulty: Medium
• Mode: hybrid
• Remote instance: none
• Start time: 2026-06-14T00:07:40Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Remote service is a Flask/Werkzeug dashboard with Engine.IO v3 Socket.IO polling and /data.
• Official HTB discussion confirms the challenge expects decoded CAN packets over one Socket.IO connection; research is advisory only.
• 402#0000000000340000 is live-validated as the speed-zero frame.
• 122#6c6f636b3a310000 is live-validated as the door-lock frame.
• The current instance did not emit a flag after exact two-packet loops, final-tail replay, moderate raw batching, 612#1900800022000000 RPM testing, or lock encoding variants.
• Latest evaluator is Validate first; do not continue blind remote timing attempts without a fresh target restart, source, or a narrow hint for the remaining predicate/channel.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Hardware
• Challenge: Outrun
• Difficulty: Medium
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Decode the provided Saleae-style logic capture to recover CAN-like frames.
2. The speed-zero frame is 402#0000000000340000; live /data validation shows it drives the speedometer to 0.
3. The live Socket.IO stream exposes unlock frames as ASCII lock:0; sending 122#6c6f636b3a310000 drives door_status to 0.
4. The current workspace did not capture the flag despite validating both visible state controls.

Reusable Lessons

• For Socket.IO based HTB hardware challenges, use the challenge-supplied helper pattern and install python-socketio, not the unrelated socketio package.
• Treat Engine.IO version mismatches as a first-class blocker. This instance speaks Engine.IO v3 polling.
• A visible dashboard state is not always proof that the flag predicate fired; preserve both /data evidence and raw Socket.IO event evidence.
• After two no-new-fact remote attempts, stop and update the harness instead of continuing blind timing retries.

Dead Ends

• Exact public-style speed-zero plus lock loops did not emit a flag on the current instance.
• 612#1900800022000000 was tested as a possible rpm=800 packet; it did not control visible RPM.
• Moderate raw Engine.IO batching did not emit a flag.
• Aggressive raw Engine.IO batching and broad lock variant batches reset the server connection.
• Final decoded tail replay plus the lock packet did not emit a flag.

Tool Quirks

• .venv with python-socketio==4.6.1 and python-engineio==3.14.2 connects cleanly to the live service.
• The available python-socketio==5.0.0 environment connected and then dropped the namespace before emit in this local setup.
• The service uses polling only; /socket.io/ reports upgrades: [].

Evidence Paths

• analysis/can-decoded-ch0-crc.txt
• analysis/remote/lock-speed-oracle.txt
• analysis/remote/hold-rpm800-speed0-lock1-20260614.jsonl
• analysis/remote/raw-batch-moderate-speed-lock-20260614.txt
• analysis/remote/final-tail-ordered-lock-20260614.txt
• analysis/checkpoint-analysis-20260614T030239029783Z-250dd637.md
• analysis/evaluator-20260614T030239079040Z-beab268a.md

Ingestion Decision

• Proposed for LightRAG: yes, after solving or after user approval for partial blocked-state memory
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches