Introduction
HackTheBox Computational Recruiting challenge involves a typical cryptography and pattern analysis problem. The goal is to reverse-engineer or analyze a given computational process in order to extract a hidden flag.
HackTheBox Computational Recruiting | Challenge Description
Not too long ago, your cyborg detective friend John Love told you he heard some strange rumours from some folks in the Establishment that he’s searching into. They talked about the possible discovery of a new vault, vault 79, which might hold a big reserve of gold. Hearing of these news, youband your fellow compatriots slowly realized that with that gold reserver you could accomplish your dreams of reviving the currency of old times, and help modern civilization flourish once more. Looking at the potential location of the vault however, you begin to understand that this will be no easy task. Your team by itself is not enough. You will need some new recruitments. Now, standing in the center of Gigatron, talking and inspiring potential recruits, you have collected a big list of candidates based on skills you believe are needed for this quest. How can you decide however which ones are truly worthy of joining you?
Blue Team Cyber Security & SOC Analyst Study Notes
Methodology
Download any provided files and analyze the script or binary. This could be a Python script, C code, or even assembly instructions. You need to figure out what the program does with inputs. Typical operations to look for:
- String manipulations
- Mathematical transformations
- Encoding or encryption routines (e.g., base64, Caesar cipher, etc.)
Code Analysis
If it’s a compiled binary: Use tools like Ghidra, IDA Pro, or radare2 to disassemble and analyze the binary.
If it’s a script: Read through the code to understand the logic. Look for operations like shifts, bitwise operations, or loops that manipulate data.
Find where and how the input is transformed into the output.
Look for loops, recursive functions, or operations that involve mathematical constants.
Understand whether it’s an encryption scheme, a hash function, or simple string manipulations.
Once you’ve identified how the program transforms input, you can:
- Write a reverse algorithm if the process is reversible.
- If it uses encryption or hashing, analyze whether it’s crackable (for example, if it uses a weak cipher or predictable patterns).
Walkthrough
We have a file with various data, apparently related to individuals, showing their scores in different categories, each ranging from 1 to 10, similar to a game format.
============ ============== ======== ========= ========== =========== ======== =================
First Name Last Name Health Agility Charisma Knowledge Energy Resourcefulness
============ ============== ======== ========= ========== =========== ======== =================
Alis Reeson 2 5 5 8 7 10
Gerri Bielfelt 8 9 3 8 5 9
Wolfie Appleby 5 1 2 7 2 1
Krishnah Minker 1 7 7 10 6 5
We’ll use a regex to extract all the values we need from the file, apply the formulas to calculate the scores, then sort the data by the highest scores. Finally, we’ll format the data according to the server’s requirements.
if __name__ == '__main__':
pattern = r"^\s*([A-Za-z]+)\s+([A-Za-z]+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
ip = '127.0.0.1'
port = 1337
io = remote(ip, port)
pwn()
def get_candidates():
candidates = []
with open('data.txt', 'r') as f:
lines = f.readlines()
for line in lines:
match = re.search(pattern, line)
if match:
candidates.append(match.groups())
return candidates
Here are the operations applied to each candidate to calculate their overall score:
def calculate_values(candidates):
data = []
for candidate in candidates:
first_name, last_name, h_skill, a_skill, c_skill, k_skill, e_skill, r_skill = candidate
name = first_name + ' ' + last_name
health = round(6 * (int(h_skill) * 0.2)) + 10
agility = round(6 * (int(a_skill) * 0.3)) + 10
charisma = round(6 * (int(c_skill) * 0.1)) + 10
knowledge = round(6 * (int(k_skill) * 0.05)) + 10
energy = round(6 * (int(e_skill) * 0.05)) + 10
resourcefulness = round(6 * (int(r_skill) * 0.3)) + 10
value = round(5 * ((health * 0.18) + (agility * 0.20) + (charisma * 0.21) + (knowledge * 0.08) + (energy * 0.17) + (resourcefulness * 0.16)))
data.append([name, value])
return data
The players will be sorted by their values using a Python function. We’ll then select the top 14 players and begin adding them to our solution string.
def sort_players(data):
data = sorted(data, key=lambda l:l[1], reverse=True)
out = ''
for recruit in data[:13]:
out += f'{recruit[0]} - {recruit[1]}, '
out += f'{data[13][0]} - {data[13][1]}'
return out
And then we can create the below function to retrieve the flag:
def get_flag(sol_str):
io.recvuntil(b'> ')
io.sendline(sol_str.encode())
io.recvuntil(b'HTB{')
return b'HTB{' + io.recvline().rstrip()
Tools and Techniques that can be used to solve the challenge
- GDB (GNU Debugger): If you need to step through a binary and observe its behavior.
- Ghidra/IDA Pro: For analyzing compiled binaries.
- CyberChef: A versatile tool for encoding, decoding, and analyzing transformations.
- Python: Write scripts to reverse the challenge logic or perform brute-force attacks if necessary.
You can also watch: