Steel Mountain
Steel Mountain is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Scenario
Steel Mountain attack path
Steel Mountain is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator
Objective
Challenge walkthrough focused on ICS evidence, validation, and reusable operator lessons.
Walkthrough flow
Extracted instructions and blueprint identified the...
Service mapping identified a dashboard on the first...
The helper exposed object listing plus read/write...
Successful control sequence: raise Level 2 overheat...
Source coverage
High source coverage
Status: complete. This article is generated from 6 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.
- ICS/Steel-Mountain/writeup.md
- htb-challenge/ICS/Steel-Mountain/notes.md
- htb-challenge/ICS/Steel-Mountain/memory-summary.md
- htb-challenge/ICS/Steel-Mountain/hypothesis-board.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__ICS__Steel-Mountain__memory-summary.md.0e955b0d57.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__ICS__Steel-Mountain__notes.md.52456aee81.md
Technical Walkthrough
Writeup
Challenge
- Name: Steel-Mountain
- Category: ICS
- Difficulty: Medium
- Mode: hybrid
Summary
Steel Mountain is a hybrid ICS challenge with a dashboard on <TARGET>:30108
and a planted BACnet helper on <TARGET>:32580. The extracted
instructions say to lock the tape storage room, deny elevators from stopping at
Level 2, and hold the Level 2 temperature at the tape burn point long enough for
the dashboard to reveal the secret.
The successful solve used the helper to control the Level 2 BACnet objects:
raise the Level 2 overheat alarm point, lock the Tape Storage Room door, keep
both elevators away from Level 2, and set the thermostat above the 32 C burn
threshold so the real temperature sensor stayed above 32 during the hold.
Artifact Inventory
The original archive is preserved in files/ and inventoried in
analysis/artifact-inventory.json. It extracted to:
analysis/extracted/ics_steel_mountain/Instructions.mdanalysis/extracted/ics_steel_mountain/Steel Mountain Blueprints.pdf
The blueprint required visual rendering because pdftotext did not expose the
floor labels cleanly. Rendered evidence in analysis/rendered/ showed the Tape
Storage Room on Level 2.
Remote service mapping in analysis/nmap-two-ports.txt identified:
30108/tcp: Werkzeug HTTP dashboard32580/tcp: interactive helper withobjects,bacnet.read, and
bacnet.write
Analysis
Instructions.md gave the mission rules: lock the tape storage room, deny
elevators at Level 2, and hold the level temperature at the burn point for two
minutes. The rendered blueprint confirmed this applies to Level 2.
The BACnet object dump in analysis/nc-objects.txt mapped the relevant objects:
<secret redacted>object102,multiStateOutput, value2means locked.ELE-1-CF/ELE-1-TFobjects80/82and
ELE-2-CF/ELE-2-TF objects 83/85 represent elevator current and target
floors.
Therm-L2-21object21controls the Level 2 thermostat.<secret redacted>object23controls the Level 2 overheat alarm point.<secret redacted>object24reports the alarm state.Messageobject500is rendered by the dashboard when the secret appears.
The first one-shot sequence in analysis/mission-transcript.txt reached the
door and temperature states but failed because elevator values drifted back to
Level 2. The sustained-elevator sequence in
analysis/mission-sustain-transcript.txt kept the elevators away but still
failed because the real temperature sensor dipped below 32 C while the
thermostat was set to 32. The sensor itself was not writable, so the final solve
used a thermostat setpoint of 33 with the alarm point raised to 40.
Solve
The reproducible solver is solve/solve.py.
Read-only validation:
python3 solve/solve.py probe --output analysis/solve-probe.txtFinal solve:
python3 solve/solve.py mission \
--burn-setpoint 33 \
--output analysis/mission-hot-transcript.txt \
--flag-output loot/flag-candidate.txt \
--hold-seconds 160 \
--poll-interval 3The solver redacts dashboard flags from analysis transcripts and writes the raw
candidate only to loot/flag-candidate.txt. The harness then validated and
stored the final value in loot/flag.txt.
Flag
Raw flag is stored in loot/flag.txt and intentionally not reproduced here.
Lessons
For this challenge, the intended path was not raw BACnet tooling; the provided
netcat helper was enough. The important trick was not just setting the visible
thermostat to 32. The real temperature sensor could drift below the burn point,
so the thermostat needed to be above the threshold while the overheat alarm point
was raised to avoid a reset. Elevator values also required sustained control
rather than a single write.
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Challenge: Steel-Mountain
- Category: ICS
- Difficulty: Medium
- Mode: hybrid
- Remote instance: <TARGET>:30108,<TARGET>:32580
- Start time: 2026-06-11T06:08:20Z
- Operator: harness
- State file:
challenge-state.json
Harness Status
- Current phase: see
challenge-state.json - Next allowed actions: see
next-action.json - Raw flags and sensitive material stay in
loot/only. Do not paste them here.
Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
files/a12c735e-5f7c-429e-812d-0933ec081f76.zip | 83527 | <hash redacted> | Zip archive data, at least v1.0 to extract, compression method=store | zip entries: 3 shown in artifact inventory JSON |
Evidence Ledger
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-11T06:08:20Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-11T06:08:20Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-11T06:08:20Z | session bootstrap | notes.md | Challenge metadata, scenario, and prior context seeded into workspace | High | Record initial hypothesis and research |
| 2026-06-11T06:08:20Z | hypothesis recorded | hypothesis-board.md | initial triage from supplied challenge metadata | Medium | inventory files / inspect app surface / map routes depending on category |
| 2026-06-11T06:08:20Z | research task | analysis/research/task-20260611T060820936111Z-1880d6b4.md | Research task created for advisory investigation | Medium | Record research output |
| 2026-06-11T06:09:14Z | checkpoint recorded | analysis/checkpoint-analysis-20260611T060914414768Z-8bb49e8a.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-11T06:10:31Z | hypothesis recorded | hypothesis-board.md | Interact with the planted BACnet tool/menu over netcat to sequence Level Two controls, then read the dashboard for the flag. | Medium | Nmap/service-identify both ports, then connect read-only with nc to identify which port is the dashboard and which is the tool before any mutation. |
| 2026-06-11T06:10:31Z | source audit | analysis/source-audit.md | Source audit recorded | High | Gate before exploit |
| 2026-06-11T06:10:52Z | RAG query | analysis/rag/rag-query-20260611T061033283496Z-3d12691d.txt | RAG helper exited 0; output saved | Medium | Record retrieval tag and validation |
| 2026-06-11T06:11:40Z | RAG record | analysis/rag-records.md | Retrieved memory tagged GENERIC | Medium | Validate or reject with live evidence |
| 2026-06-11T06:11:55Z | instrumentation plan | analysis/instrumentation-plan.md | Identify the dashboard and planted BACnet/netcat tool ports, map the command protocol, then perform the exact Level Two mission sequence without triggering alarm resets. | High | Stop if the service shows an alarm/reset, if prompts are ambiguous, or after two failed command sequences without a new state fact; record failure and refresh hypothesis instead of blind probing. |
| 2026-06-11T06:12:54Z | local memory record | analysis/local-memory-records.md | Prior local notes reviewed as fallback/advisory context | Medium | Validate against current evidence |
| 2026-06-11T06:13:08Z | evaluator | analysis/evaluator-20260611T061308235567Z-eda10063.md | Proceed | High | Use challenge_exec for nmap/curl/nc read-only probes and save transcripts before any state-changing sequence. |
| 2026-06-11T06:14:01Z | checkpoint recorded | analysis/checkpoint-analysis-20260611T061401525835Z-6ed79ce2.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-11T06:19:01Z | checkpoint recorded | analysis/checkpoint-analysis-20260611T061901215883Z-99dcc057.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-11T06:19:01Z | evaluator | analysis/evaluator-20260611T061901316859Z-393b14d6.md | Proceed | High | Run solve/solve.py mission through challenge_exec and save transcript/flag candidate. |
| 2026-06-11T06:22:33Z | branch closed | hypothesis-board.md | Door lock and Level 2 temperature reached the intended state without alarm, but the dashboard Message stayed empty; final transcript shows both elevators drifted/stopped at Level 2, so one-shot ELE target writes do not satisfy the elevator denial condition. | High | Rerank hypotheses |
| 2026-06-11T06:26:42Z | branch closed | hypothesis-board.md | Door lock, elevator current/target floors, alarm threshold, and thermostat setpoint were sustained without alarm, but dashboard Message stayed empty. Transcript shows actual Temp-L2-20 dipped below 32 during the hold, so thermostat-only control likely does not satisfy the two-minute burn condition. | High | Rerank hypotheses |
| 2026-06-11T06:26:42Z | checkpoint recorded | analysis/checkpoint-analysis-20260611T062642616755Z-f70428fe.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-11T06:26:42Z | evaluator | analysis/evaluator-20260611T062642667155Z-378fac53.md | Proceed | High | Patch solver to sustain Temp-L2-20 and run one bounded mission attempt through challenge_exec. |
| 2026-06-11T06:30:48Z | branch closed | hypothesis-board.md | Temp-L2-20 analogInput is not writable, and with Therm-L2 set to 32 the actual sensor still dipped below 32 during the hold. Door/elevator/alarm controls remained valid but no dashboard Message appeared. | High | Rerank hypotheses |
| 2026-06-11T06:30:48Z | checkpoint recorded | analysis/checkpoint-analysis-20260611T063048840886Z-62025272.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-11T06:30:48Z | evaluator | analysis/evaluator-20260611T063048891384Z-ac9286af.md | Proceed | High | Run high-setpoint mission attempt through challenge_exec. |
| 2026-06-11T06:32:55Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-11T06:36:35Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
Key Findings
-
RAG / Advisory Memory
RAG output is advisory only. Record evaluated retrievals with:
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."Secrets/Flags
Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.
Scenario
Challenge: Steel Mountain. Steel Mountain is a secure facility serving major corporations like E-Corp. We've infiltrated their network and planted our tool. Final step: Burn the tapes to destroy the data. All necessary info is in the files.
Memory Summary
Metadata
- Platform: HackTheBox Challenges
- Category: ICS
- Challenge: Steel-Mountain
- Difficulty: Medium
- Source workspace:
<local workspace>
Validated Solve Chain
Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.
- Extracted instructions and blueprint identified the Tape Storage Room on
Level 2.
- Service mapping identified a dashboard on the first remote port and a custom
BACnet helper on the second remote port.
- The helper exposed object listing plus read/write commands for BACnet object
type, object ID, property, and value.
- Successful control sequence: raise Level 2 overheat alarm point, lock
<secret redacted>, sustain both elevator current/target floors away from Level 2,
and set Therm-L2 above the 32 C burn threshold so actual Temp-L2 remains
above 32 during the hold.
Reusable Lessons
- In simulator-style ICS challenges, distinguish a thermostat/setpoint from the
actual sensor value the validator may check.
- If a control value drifts back due to the simulator loop, solve by sustaining
the control during the validation window rather than writing it once.
- Raising the overheat alarm threshold can be required before deliberately
heating a level above the default alarm point.
Dead Ends
- One-shot elevator target writes failed because elevators drifted back to
Level 2.
- Sustained elevator denial with thermostat
32failed because actual
temperature dipped below the burn threshold.
- Direct
Temp-L2sensor write failed because the analog input was not
writable.
Tool Quirks
- A simple Python socket client was more reliable than batch
ncfor the custom
prompt timing.
- External BACnet packages were not needed because the challenge supplied a
custom helper menu.
Evidence Paths
analysis/nc-objects.txtanalysis/solve-probe.txtanalysis/mission-transcript.txtanalysis/mission-sustain-transcript.txtanalysis/mission-sensor-transcript.txtanalysis/mission-hot-transcript.txtsolve/solve.py
Ingestion Decision
- Proposed for LightRAG: yes, after user approval.
- Requires user approval before ingestion: yes
Hypothesis Board
Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.
| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | initial triage from supplied challenge metadata | challenge name, category, difficulty, scenario, and remote target were provided by operator | inventory files / inspect app surface / map routes depending on category | Medium | Active | |
| 1 | Interact with the planted BACnet tool/menu over netcat to sequence Level Two controls, then read the dashboard for the flag. | Instructions.md says a tool is implanted in the BACnet network and reachable with netcat; blueprint places Tape Storage Room on Level Two; two remote ports are provided. | Nmap/service-identify both ports, then connect read-only with nc to identify which port is the dashboard and which is the tool before any mutation. | Medium | Active |
Closed Branches
| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|---|---|---|---|
| one-shot mission write sequence | analysis/mission-transcript.txt | analysis/mission-transcript.txt | Door lock and Level 2 temperature reached the intended state without alarm, but the dashboard Message stayed empty; final transcript shows both elevators drifted/stopped at Level 2, so one-shot ELE target writes do not satisfy the elevator denial condition. | Use sustained elevator denial during the two-minute burn window, reasserting target/current floors away from Level 2 while keeping door locked, Level 2 at 32 C, and alarm threshold safely above burn temperature. |
| sustained elevator denial with thermostat-only temperature control | analysis/mission-sustain-transcript.txt | analysis/mission-sustain-transcript.txt | Door lock, elevator current/target floors, alarm threshold, and thermostat setpoint were sustained without alarm, but dashboard Message stayed empty. Transcript shows actual Temp-L2-20 dipped below 32 during the hold, so thermostat-only control likely does not satisfy the two-minute burn condition. | Sustain actual Temp-L2-20 at 32 alongside Therm-L2-21, while continuing sustained elevator denial and door lock. |
| sustained thermostat 32 with attempted sensor write | analysis/mission-sensor-transcript.txt | analysis/mission-sensor-transcript.txt | Temp-L2-20 analogInput is not writable, and with Therm-L2 set to 32 the actual sensor still dipped below 32 during the hold. Door/elevator/alarm controls remained valid but no dashboard Message appeared. | Use a thermostat setpoint above the burn threshold, with OHAP-L2 raised, so actual Temp-L2 remains continuously >=32 for the two-minute burn window. |
Memory Summary
approval_required: true
Sanitized Memory Summary
Metadata
- Platform: HackTheBox Challenges
- Category: ICS
- Challenge: Steel-Mountain
- Difficulty: Medium
- Source workspace:
<local workspace>
Validated Solve Chain
Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.
- Extracted instructions and blueprint identified the Tape Storage Room on
Level 2.
- Service mapping identified a dashboard on the first remote port and a custom
BACnet helper on the second remote port.
- The helper exposed object listing plus read/write commands for BACnet object
type, object ID, property, and value.
- Successful control sequence: raise Level 2 overheat alarm point, lock
<secret redacted>, sustain both elevator current/target floors away from Level 2,
and set Therm-L2 above the 32 C burn threshold so actual Temp-L2 remains
above 32 during the hold.
Reusable Lessons
- In simulator-style ICS challenges, distinguish a thermostat/setpoint from the
actual sensor value the validator may check.
- If a control value drifts back due to the simulator loop, solve by sustaining
the control during the validation window rather than writing it once.
- Raising the overheat alarm threshold can be required before deliberately
heating a level above the default alarm point.
Dead Ends
- One-shot elevator target writes failed because elevators drifted back to
Level 2.
- Sustained elevator denial with thermostat
32failed because actual
temperature dipped below the burn threshold.
- Direct
Temp-L2sensor write failed because the analog input was not
writable.
Tool Quirks
- A simple Python socket client was more reliable than batch
ncfor the custom
prompt timing.
- External BACnet packages were not needed because the challenge supplied a
custom helper menu.
Evidence Paths
analysis/nc-objects.txtanalysis/solve-probe.txtanalysis/mission-transcript.txtanalysis/mission-sustain-transcript.txtanalysis/mission-sensor-transcript.txtanalysis/mission-hot-transcript.txtsolve/solve.py
Ingestion Decision
- Proposed for LightRAG: yes, after user approval.
- Requires user approval before ingestion: yes
Notes
Notes
Scope
- Challenge: Steel-Mountain
- Category: ICS
- Difficulty: Medium
- Mode: hybrid
- Remote instance: <TARGET>:30108,<TARGET>:32580
- Start time: 2026-06-11T06:08:20Z
- Operator: harness
- State file:
challenge-state.json
Harness Status
- Current phase: see
challenge-state.json - Next allowed actions: see
next-action.json - Raw flags and sensitive material stay in
loot/only. Do not paste them here.
Artifact Inventory
| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
files/a12c735e-5f7c-429e-812d-0933ec081f76.zip | 83527 | <hash redacted> | Zip archive data, at least v1.0 to extract, compression method=store | zip entries: 3 shown in artifact inventory JSON |
Evidence Ledger
| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-11T06:08:20Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-11T06:08:20Z | artifact inventory | analysis/artifact-inventory.json | 1 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-11T06:08:20Z | session bootstrap | notes.md | Challenge metadata, scenario, and prior context seeded into workspace | High | Record initial hypothesis and research |
| 2026-06-11T06:08:20Z | hypothesis recorded | hypothesis-board.md | initial triage from supplied challenge metadata | Medium | inventory files / inspect app surface / map routes depending on category |
| 2026-06-11T06:08:20Z | research task | analysis/research/task-20260611T060820936111Z-1880d6b4.md | Research task created for advisory investigation | Medium | Record research output |
| 2026-06-11T06:09:14Z | checkpoint recorded | analysis/checkpoint-analysis-20260611T060914414768Z-8bb49e8a.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-11T06: <REDACTED>, then read the dashboard for the flag. | Medium | Nmap/service-identify both ports, then connect read-only with nc to identify which port is the dashboard and which is the tool before any mutation. | |||
| 2026-06-11T06:10:31Z | source audit | analysis/source-audit.md | Source audit recorded | High | Gate before exploit |
| 2026-06-11T06:10:52Z | RAG query | analysis/rag/rag-query-20260611T061033283496Z-3d12691d.txt | RAG helper exited 0; output saved | Medium | Record retrieval tag and validation |
| 2026-06-11T06:11:40Z | RAG record | analysis/rag-records.md | Retrieved memory tagged GENERIC | Medium | Validate or reject with live evidence |
| 2026-06-11T06:11:55Z | instrumentation plan | analysis/instrumentation-plan.md | Identify the dashboard and planted BACnet/netcat tool ports, map the command protocol, then perform the exact Level Two mission sequence without triggering alarm resets. | High | Stop if the service shows an alarm/reset, if prompts are ambiguous, or after two failed command sequences without a new state fact; record failure and refresh hypothesis instead of blind probing. |
| 2026-06-11T06:12:54Z | local memory record | analysis/local-memory-records.md | Prior local notes reviewed as fallback/advisory context | Medium | Validate against current evidence |
| 2026-06-11T06:13:08Z | evaluator | analysis/evaluator-20260611T061308235567Z-eda10063.md | Proceed | High | Use challenge_exec for nmap/curl/nc read-only probes and save transcripts before any state-changing sequence. |
| 2026-06-11T06:14:01Z | checkpoint recorded | analysis/checkpoint-analysis-20260611T061401525835Z-6ed79ce2.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-11T06:19:01Z | checkpoint recorded | analysis/checkpoint-analysis-20260611T061901215883Z-99dcc057.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-11T06: <REDACTED> | |||||
| 2026-06-11T06:22:33Z | branch closed | hypothesis-board.md | Door lock and Level 2 temperature reached the intended state without alarm, but the dashboard Message stayed empty; final transcript shows both elevators drifted/stopped at Level 2, so one-shot ELE target writes do not satisfy the elevator denial condition. | High | Rerank hypotheses |
| 2026-06-11T06:26:42Z | branch closed | hypothesis-board.md | Door lock, elevator current/target floors, alarm threshold, and thermostat setpoint were sustained without alarm, but dashboard Message stayed empty. Transcript shows actual Temp-L2-20 dipped below 32 during the hold, so thermostat-only control likely does not satisfy the two-minute burn condition. | High | Rerank hypotheses |
| 2026-06-11T06:26:42Z | checkpoint recorded | analysis/checkpoint-analysis-20260611T062642616755Z-f70428fe.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-11T06:26:42Z | evaluator | analysis/evaluator-20260611T062642667155Z-378fac53.md | Proceed | High | Patch solver to sustain Temp-L2-20 and run one bounded mission attempt through challenge_exec. |
| 2026-06-11T06:30:48Z | branch closed | hypothesis-board.md | Temp-L2-20 analogInput is not writable, and with Therm-L2 set to 32 the actual sensor still dipped below 32 during the hold. Door/elevator/alarm controls remained valid but no dashboard Message appeared. | High | Rerank hypotheses |
| 2026-06-11T06:30:48Z | checkpoint recorded | analysis/checkpoint-analysis-20260611T063048840886Z-62025272.md | Checkpoint for ANALYSIS | High | Use checkpoint to drive next decision |
| 2026-06-11T06:30:48Z | evaluator | analysis/evaluator-20260611T063048891384Z-ac9286af.md | Proceed | High | Run high-setpoint mission attempt through challenge_exec. |
| 2026-06-11T06: <REDACTED> | |||||
| 2026-06-11T06:36:35Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |
Key Findings
-
RAG / Advisory Memory
RAG output is advisory only. Record evaluated retrievals with:
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."Secrets/Flags
Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.
Scenario
Challenge: Steel Mountain. Steel Mountain is a secure facility serving major corporations like E-Corp. We've infiltrated their network and planted our tool. Final step: Burn the tapes to destroy the data. All necessary info is in the files.
Technical analogy
How to remember this solve
Think of the industrial system like a control-room checklist. You map the inputs, outputs, and assumptions, then find the one control path that accepts a state it should have rejected.
For Steel Mountain, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.