Exation

Technical Walkthrough

Writeup

Challenge

• Name: Exation
• Category: Reversing
• Difficulty: Easy
• Mode: file

Summary

Exation is a packed Linux reversing challenge. The provided executable is UPX-packed and stripped of section headers, which makes the original file noisy under strings and disassembly. After unpacking it with UPX, the binary exposes C++ symbols and the password check is straightforward: every input character is shifted left by four bits, converted to decimal text, and compared against a stored decimal string.

Artifact Inventory

Relevant artifacts:

• files/a12c73b2-b72a-4f35-994b-447540ce62d6.zip: original HTB archive.
• analysis/extracted/exatlon_v1: packed executable.
• analysis/unpacked/exatlon_v1.unpacked: UPX-unpacked executable.
• analysis/unpacked/exatlon-function.txt: focused disassembly of the transform routine.
• analysis/unpacked/main-function.txt: focused disassembly of the input and compare routine.
• solve/solve.py: reproducible flag recovery script.

Analysis

The initial file output identified a static Linux ELF with no section headers. Entropy was high and the binary header contained a UPX! marker, so the first useful step was unpacking:

upx -d -o analysis/unpacked/exatlon_v1.unpacked analysis/extracted/exatlon_v1

The unpacked binary is not stripped. nm -C identifies two important symbols:

• exatlon(std::string const&)
• main

The exatlon() routine iterates over the supplied password string. For each character, it:

1. loads the character,
2. shifts its signed integer value left by four bits,
3. converts that integer to decimal text with std::to_string,
4. appends a single space.

In pseudocode:

def exatlon(password):
    out = ""
    for char in password: <redacted> += str(ord(char) << 4) + " "
    return out

main reads a password, calls exatlon(password), and compares the returned string to a decimal-number constant. Reversing the constant is therefore just tokenizing it and dividing each value by 16. The decoded password is already in HTB flag format.

Solve

Run:

python3 Reversing/Exation/solve/solve.py \
  --flag-out Reversing/Exation/loot/flag-candidate.txt

Then capture it with the harness:

python3 scripts/challenge_harness.py capture-flag Reversing/Exation --from loot/flag-candidate.txt

The solver reads the unpacked ELF, finds the long decimal-token constant, divides each token by 16, validates the result as an HTB-format flag, and writes the recovered value to the requested output path.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• Check for packing before spending time on noisy disassembly. The UPX! marker and high entropy were the fastest path to clarity.
• UPX-unpacked binaries may recover symbols even when the packed input has no section headers.
• When a password check converts input to a numeric representation, reversing the constant can be easier than running the binary.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Exation
• Category: Reversing
• Difficulty: Easy
• Mode: file
• Remote instance: none
• Start time: 2026-06-10T12:51:57Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• The archive contains one Linux x86-64 executable: exatlon_v1.
• The original executable is UPX-packed, statically linked, and section-stripped.
• upx -d successfully unpacked it to analysis/unpacked/exatlon_v1.unpacked.
• The unpacked binary is statically linked but not stripped, exposing exatlon(std::string const&) and main.
• exatlon() initializes an output string, then for each input character appends std::to_string(ord(char) << 4) followed by a space.
• main compares that transformed input against a decimal-number string constant at the success branch.
• Dividing each decimal token by 16 reconstructs the password, which is itself an HTB-format flag.
• solve/solve.py extracts the numeric constant from the unpacked binary and writes the recovered flag candidate to loot/.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Reversing
• Challenge: Exation
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Extract the challenge archive and identify the single Linux x86-64 executable.
2. Detect UPX packing from the UPX! marker and high entropy.
3. Unpack with upx -d into a separate analysis copy.
4. Use the recovered C++ symbols to inspect exatlon(std::string const&) and main.
5. Identify the transform: for each input character, compute ord(char) << 4, convert to decimal, and append a space.
6. Decode the stored decimal-token target by dividing each token by 16 and converting back to characters.
7. The decoded password is already an HTB-format flag.

Reusable Lessons

• For stripped/no-section ELF reversing challenges, check for UPX before treating disassembly noise as intentional obfuscation.
• A long decimal-token compare constant often represents transformed input and can be inverted without dynamic execution.
• Preserve the packed original and unpack into analysis/unpacked/.

Dead Ends

• Direct strings/disassembly on the packed binary gave only noisy/interleaved prompt fragments and was not sufficient.

Tool Quirks

• upx was installed via Homebrew during the solve.
• The packed file had no section headers, but the UPX-unpacked copy restored useful symbols.

Evidence Paths

• analysis/extracted/exatlon_v1
• analysis/unpacked/exatlon_v1.unpacked
• analysis/unpacked/upx-unpack.txt
• analysis/unpacked/exatlon-function.txt
• analysis/unpacked/main-function.txt
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches

Memory Summary

approval_required: true

Sanitized Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Reversing
• Challenge: Exation
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Extract the challenge archive and identify the single Linux x86-64 executable.
2. Detect UPX packing from the UPX! marker and high entropy.
3. Unpack with upx -d into a separate analysis copy.
4. Use the recovered C++ symbols to inspect exatlon(std::string const&) and main.
5. Identify the transform: for each input character, compute ord(char) << 4, convert to decimal, and append a space.
6. Decode the stored decimal-token target by dividing each token by 16 and converting back to characters.
7. The decoded password is already an HTB-format flag.

Reusable Lessons

• For stripped/no-section ELF reversing challenges, check for UPX before treating disassembly noise as intentional obfuscation.
• A long decimal-token compare constant often represents transformed input and can be inverted without dynamic execution.
• Preserve the packed original and unpack into analysis/unpacked/.

Dead Ends

• Direct strings/disassembly on the packed binary gave only noisy/interleaved prompt fragments and was not sufficient.

Tool Quirks

• upx was installed via Homebrew during the solve.
• The packed file had no section headers, but the UPX-unpacked copy restored useful symbols.

Evidence Paths

• analysis/extracted/exatlon_v1
• analysis/unpacked/exatlon_v1.unpacked
• analysis/unpacked/upx-unpack.txt
• analysis/unpacked/exatlon-function.txt
• analysis/unpacked/main-function.txt
• solve/solve.py
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Notes

Notes

Scope

• Challenge: Exation
• Category: Reversing
• Difficulty: Easy
• Mode: file
• Remote instance: none
• Start time: 2026-06-10T12:51:57Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• The archive contains one Linux x86-64 executable: exatlon_v1.
• The original executable is UPX-packed, statically linked, and section-stripped.
• upx -d successfully unpacked it to analysis/unpacked/exatlon_v1.unpacked.
• The unpacked binary is statically linked but not stripped, exposing exatlon(std::string const&) and main.
• exatlon() initializes an output string, then for each input character appends std::to_string(ord(char) << 4) followed by a space.
• main compares that transformed input against a decimal-number string constant at the success branch.
• Dividing each decimal token by 16 reconstructs the password, which is itself an HTB-format flag.
• solve/solve.py extracts the numeric constant from the unpacked binary and writes the recovered flag candidate to loot/.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.