Prison Escape
The challenge provides an Omega RF protocol document, a prison blueprint, and a live RF transmitter web UI. The solve path was to decode the downloaded .complex IQ captures, reconstruct the packet format, generate valid CRC-protected command packets, and...
Scenario
Prison Escape attack path
The challenge provides an Omega RF protocol document, a prison blueprint, and a live RF transmitter web UI. The solve path was to decode the downloaded .complex IQ captures, reconstruct the packet format, generate valid CRC-protected command packets, and...
Objective
Challenge walkthrough focused on Hardware evidence, validation, and reusable operator lessons.
Walkthrough flow
Artifact inspection
Signal or firmware analysis
Decoded state
Proof captured
Source coverage
High source coverage
Status: complete. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.
- Hardware/Prison-Escape/writeup.md
- htb-challenge/Hardware/Prison-Escape/notes.md
- htb-challenge/Hardware/Prison-Escape/memory-summary.md
- htb-challenge/Hardware/Prison-Escape/hypothesis-board.md
Technical Walkthrough
Prison Escape Writeup
Summary
The challenge provides an Omega RF protocol document, a prison blueprint, and a live RF transmitter web UI. The solve path was to decode the downloaded .complex IQ captures, reconstruct the packet format, generate valid CRC-protected command packets, and transmit the correct alarm/laser sequence.
Raw flag material is stored only in loot/flag.txt.
Artifact Inventory
files/a12c73aa-a2bd-4a12-95ba-246a5f41af9c.zip: original challenge archive.analysis/extracted/Omega.pdf: Omega protocol document.analysis/extracted/blueprint.png: prison layout and device placement.analysis/remote/capture.bin: RF capture downloaded from/capture.solve/prison_escape.py: reproducible decoder and transmitter.
Analysis
- The web service exposes
/transmit,/updates, and/capture. /capturereturns complex64 IQ samples.- The signal contains a 10,400-sample burst: 104 bits at 100 samples per bit.
- The burst uses two-frequency FSK.
- CRC is CRC-16/CCITT-style with init
0x1d0f, calculated over the packet header and payload.
Packet Format
Alarm packet:
AAAAAAAA 69781621 [source] [destination] [type] [crc16]Laser packet:
BBBBBBBB 69781622 [source] [destination] [type] [crc16]Examples decoded from captures:
A4 FF 03 # alarm A4 broadcasts
E3 FF 53 # laser E3 broadcasts move-right stateThe official forum hint about source/destination fields and FF as broadcast matched the decoded captures. It was used only as an advisory lead and validated locally.
Solve
Use source 00, destination device IDs, and the documented packet type bytes.
00 A1 F1
00 A2 F1
00 A3 F1
00 A4 F1
00 E1 91
00 E2 91
00 E3 53The solver auto-selects the alarm or laser header and appends the CRC.
Reproduce
cd <local workspace>
python3 Hardware/Prison-Escape/solve/prison_escape.py sequence --mod FSK --bits 1 --header auto --payloads 00A1F1 00A2F1 00A3F1 00A4F1 00E191 00E291 00E353
python3 scripts/challenge_harness.py capture-flag Hardware/Prison-Escape --from loot/flag-candidate.txtFlag
Raw flag is stored in loot/flag.txt and intentionally not reproduced here.
Lessons
- Decode multiple captures; each one can represent a separate device packet.
- Treat public or forum hints as advisory only and validate them against live captures.
- Packet families can use different headers even when they share the same CRC routine.
Challenge
- Name: Prison-Escape
- Category: Hardware
- Difficulty: Medium
- Mode: hybrid
Summary
Artifact Inventory
Reference analysis/artifact-inventory.json and summarize the relevant files or remote surface.
Analysis
Solve
Flag
Raw flag is stored in loot/flag.txt and intentionally not reproduced here.
Lessons
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Challenge: Prison-Escape
- Category: Hardware
- Difficulty: Medium
- Mode: hybrid
- Remote instance: none
- Start time: 2026-06-13T13:58:26Z
- Operator: harness
- State file:
challenge-state.json
Harness Status
- Current phase: see
challenge-state.json - Next allowed actions: see
next-action.json - Raw flags and sensitive material stay in
loot/only. Do not paste them here.
Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
files/a12c73aa-a2bd-4a12-95ba-246a5f41af9c.zip | 202358 | <hash redacted> | Zip archive data, at least v2.0 to extract, compression method=deflate | zip entries: 2 shown in artifact inventory JSON |
Evidence Ledger
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-13T13:58:26Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-13T13:58:44Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-13T13:59:05Z | hypothesis recorded | hypothesis-board.md | Use the Omega technology document and prison blueprint to infer the alarm/laser control protocol, then send the correct safe disable sequence to the remote service at <TARGET>:31332. | Medium | Extract PDF text/images, inspect blueprint, then connect to the remote service only to capture its prompt/menu before deciding the control sequence. |
| 2026-06-13T14:03:17Z | checkpoint recorded | analysis/checkpoint-analysis-20260613T140317664882Z-1c40a82f.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-13T14:03:17Z | research task | analysis/research/task-20260613T140317667124Z-67cfa91c.md | Research task created for advisory investigation | Medium | Record research output |
| 2026-06-13T14:03:57Z | RAG query | analysis/rag/rag-query-20260613T140343581140Z-126c9264.txt | RAG helper exited 0; output saved | Medium | Record retrieval tag and validation |
| 2026-06-13T14:04:14Z | RAG record | analysis/rag-records.md | Retrieved memory tagged MISSING | Medium | Validate or reject with live evidence |
| 2026-06-13T14:04:14Z | research record | analysis/research/research-records.md | Research tagged MATCHED | Medium | Validate against current evidence |
| 2026-06-13T14:04:14Z | local memory record | analysis/local-memory-records.md | Prior local notes reviewed as fallback/advisory context | Medium | Validate against current evidence |
| 2026-06-13T14:04:28Z | instrumentation plan | analysis/instrumentation-plan.md | Find the Omega packet layout by generating minimal CRC-valid candidates and validating them through the RF transmitter response/status. | High | Stop on flag capture, accepted packet format, or two complete candidate families without a new response signal; record failures before expanding search. |
| 2026-06-13T14:04:28Z | evaluator | analysis/evaluator-20260613T140428329906Z-af0a2265.md | Proceed | High | Run the solver in dry/logged mode, then minimal POST probes through challenge_exec or equivalent logged execution. |
| 2026-06-13T14:23:26Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-13T14:24:29Z | research record | analysis/research/research-records.md | Research tagged MATCHED | Medium | Validate against current evidence |
| 2026-06-13T14:25:49Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
Key Findings
- Remote service is an HTTP RF transmitter at
<TARGET>:31332. /updatesrequires a valid session from/;/captureprovides a.complexIQ capture.- The capture is complex64 IQ with 100 samples per bit and two-frequency FSK symbols.
- Decoded alarm packet example:
<secret redacted>.
- Alarm header: <secret redacted>.
- Payload: A4 FF 03 = source A4, destination FF, broadcast packet type.
- CRC-16/CCITT with init 0x1d0f validates over header + payload.
- Decoded laser packet example:
<secret redacted>.
- Laser header: <secret redacted>.
- Payload: E3 FF 53 = source E3, destination FF, move-right packet type.
- Targeted commands must use source
00, destination device ID, and packet type. - Final successful sequence:
- alarm suppress: 00A1F1, 00A2F1, 00A3F1, 00A4F1
- laser movement: 00E191, 00E291, 00E353
- Repro command:
cd <local workspace>
python3 Hardware/Prison-Escape/solve/prison_escape.py sequence --mod FSK --bits 1 --header auto --payloads 00A1F1 00A2F1 00A3F1 00A4F1 00E191 00E291 00E353- Raw flag is stored only in
loot/flag.txt.
RAG / Advisory Memory
RAG output is advisory only. Record evaluated retrievals with:
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."Secrets/Flags
Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.
Memory Summary
Metadata
- Platform: HackTheBox Challenges
- Category: Hardware
- Challenge: Prison-Escape
- Difficulty: Medium
- Source workspace:
<local workspace>
Validated Solve Chain
Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.
1.
Reusable Lessons
-
Dead Ends
-
Tool Quirks
-
Evidence Paths
-
Ingestion Decision
- Proposed for LightRAG: yes/no
- Requires user approval before ingestion: yes
Hypothesis Board
Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.
| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Use the Omega technology document and prison blueprint to infer the alarm/laser control protocol, then send the correct safe disable sequence to the remote service at <TARGET>:31332. | Archive contains Omega.pdf and blueprint.png; challenge says documents from reconnaissance are enough to disable prison security controls. | Need extract/render PDF text/layout, inspect blueprint labels/paths, identify remote protocol/menu, and validate exact commands locally or with read-only remote probing. | Extract PDF text/images, inspect blueprint, then connect to the remote service only to capture its prompt/menu before deciding the control sequence. | Medium | Active |
Closed Branches
| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|
Technical analogy
How to remember this solve
Think of the hardware challenge like following copper tracks on a circuit board. The useful clue is usually where signals enter, where they are transformed, and which debug or storage path exposes hidden state.
For Prison Escape, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.