
Escape Room

Challenge

Imported from local notes.md.

Solution

Original Notes

Challenge Summary

Given a statically linked, non-stripped 64-bit ELF called escaperoom, recover the correct room configuration and the override token to obtain a flag in the format CIT{...}.

Initial Recon / Triage

  • file showed a statically linked ELF64 executable with symbols preserved.
  • Running the binary exposed a menu-driven terminal with mutable room state and a hidden maintenance shell.
  • Embedded strings immediately revealed several constraints:
    • Lights must be OFF.
    • East bypass is the valid vent route.
    • Camera bus must be 3 / mirror relay.
    • Door patch must be applied exactly twice.
    • Battery bridge must be engaged.
    • Maintenance shell order is mirror then hush.

Hypotheses & Approach

  • First, satisfy the visible room-state constraints and use the maintenance shell to unlock deeper inspection output.
  • Then, reverse the preserved helper functions rather than brute-force the token.
  • The useful functions from the symbol table were:
    • _ZL11roomAlignedv
    • _ZL13roomSignaturev
    • _ZL18buildOverrideTokenv
    • _ZL18enterOverrideTokenv

Execution Steps (Reproducible)

Stage 1: Basic triage

cd /root/cit2026CTF/Escape_Room
file starting_files/escaperoom
checksec --file=starting_files/escaperoom
strings -a -n 3 starting_files/escaperoom | egrep '\[.*\]|override token>|ACCESS_DENIED|maintenance shell'

Relevant clues from strings:

  • [maint/11] East bypass keeps enough pressure in the service hatch to avoid feedback.
  • [cam/03] Camera bus 3 loses sight of the mirror relay for 4.2 seconds each sweep.
  • [patch/02] Apply the door patch twice. The third write trips watchdog.
  • [power/06] Bridge emergency battery before maintenance work or the speaker amp browns out.
  • [svc/01] Mirror first. Then hush.

Stage 2: Reach the aligned room state

Interactive sequence:

2        # lights OFF
3        # vent -> east bypass
4 4 4    # camera: three presses -> bus 3 / mirror relay
5 5      # door patch applied twice (patch count = 2)
6        # battery bridge engaged
7        # maintenance shell
mirror   # maintenance shell, first command
hush     # maintenance shell, second command
decode
back

This satisfies the alignment check used by _ZL11roomAlignedv.

Stage 3: Reverse the token builder

The preserved symbols showed the token is derived from _ZL13roomSignaturev and _ZL18buildOverrideTokenv.

roomAligned checks the following state:

  • lights OFF
  • vent route 1 (east bypass)
  • camera bus 3
  • patch count 2
  • battery bridge enabled
  • inspection mode enabled
  • alarm speaker muted

roomSignature computes a 32-bit state signature from those fields. buildOverrideToken then:

  • xors the signature with 0x6f70656e ("open")
  • iterates over 10 constants from 0x579e60
  • maps the top 5 bits of the state each round into the 32-symbol alphabet ABCDEFGHJKLMNPQRSTUVWXYZ23456789 (I, O, 0 and 1 are absent, so a 5-bit index selects exactly one symbol)
  • inserts hyphens after positions 3 and 6

I extracted the constant table and alphabet with:

gdb -q -batch \
-ex 'file starting_files/escaperoom' \
-ex 'x/10wx 0x579e60' \
-ex 'x/s 0x579e88'

Results:

0x579e60: 0x13 0x37 0xc0de 0xbeef 0x5a 0xace 0x4242 0x900d 0x1234 0x777
0x579e88: "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

The recovery script is saved as artifacts/recover_token.py.

Run it with:

python3 artifacts/recover_token.py

It prints:

RHY-QVT-KAXJ
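The following is an added example of how such a recovery script can be put together; it is not the artifacts/recover_token.py the author ran. The constant table, the alphabet, the "open" xor and the 3-3-4 hyphen layout are the values from the writeup above, and the gdb output it parses is a constructed copy of that dump in gdb's own x/10wx and x/s layout. Two details the writeup does not give are assumptions here and are marked as such in the code: how roomSignature packs the room fields into 32 bits, and how each round mixes a table constant into the running state. With those assumptions the script produces a well-formed token; it only equals RHY-QVT-KAXJ if the assumed round mix matches the real buildOverrideToken, so treat the mixing step as the part to replace with what the disassembly shows.

```python
"""Token reconstruction for the escaperoom binary (added example, not the
author's recover_token.py). Constants, alphabet, "open" xor and hyphen layout
come from the writeup; the field packing and per-round mix are ASSUMED."""
import re

MASK32 = 0xFFFFFFFF
OPEN_XOR = 0x6F70656E  # "open" as big-endian ASCII, per the writeup

# Constructed sample: the gdb batch output from the writeup in gdb's own
# x/10wx and x/s layout (four zero-padded words per line, tab separated).
GDB_DUMP = (
    "0x579e60:\t0x00000013\t0x00000037\t0x0000c0de\t0x0000beef\n"
    "0x579e70:\t0x0000005a\t0x00000ace\t0x00004242\t0x0000900d\n"
    "0x579e80:\t0x00001234\t0x00000777\n"
    '0x579e88:\t"ABCDEFGHJKLMNPQRSTUVWXYZ23456789"\n'
)

# The room state roomAligned accepts, in the order the writeup lists it.
ALIGNED_STATE = {
    "lights": 0,      # OFF
    "vent": 1,        # east bypass
    "camera": 3,      # bus 3 / mirror relay
    "patches": 2,     # door patch applied exactly twice
    "battery": 1,     # bridge engaged
    "inspection": 1,  # inspection mode enabled
    "muted": 1,       # alarm speaker muted
}

_WORDS_RE = re.compile(r"^0x[0-9a-f]+:((?:[ \t]+0x[0-9a-f]{8})+)[ \t]*$", re.M)
_STRING_RE = re.compile(r'^0x[0-9a-f]+:[ \t]+"([^"]*)"', re.M)


def parse_gdb_dump(dump):
    """Return (constants, alphabet) from an x/Nwx plus x/s gdb dump."""
    constants = []
    for match in _WORDS_RE.finditer(dump):
        constants.extend(int(word, 16) for word in match.group(1).split())
    string_match = _STRING_RE.search(dump)
    if string_match is None:
        raise ValueError("no x/s string line in dump")
    return constants, string_match.group(1)


def room_signature(state):
    """32-bit state signature.

    ASSUMPTION: fields are packed as 4-bit nibbles in the order above; the
    writeup only says roomSignature derives a 32-bit value from these fields.
    """
    sig = 0
    for value in state.values():
        sig = (sig << 4) | (value & 0xF)
    return sig & MASK32


def build_override_token(signature, constants, alphabet):
    """Mirror of buildOverrideToken as described, with an assumed round mix."""
    if len(alphabet) != 32:
        raise ValueError("alphabet must hold exactly 32 symbols (5 bits each)")
    state = signature ^ OPEN_XOR
    symbols = []
    for constant in constants:
        # ASSUMPTION: this xor-multiply-rotate is a stand-in for the binary's
        # real per-round mixing, which the writeup does not spell out.
        state = ((state ^ constant) * 0x01000193) & MASK32
        state = ((state << 7) | (state >> 25)) & MASK32
        symbols.append(alphabet[state >> 27])  # top 5 bits pick a symbol
    raw = "".join(symbols)
    # Hyphens after positions 3 and 6 give the 3-3-4 layout of the page's token.
    return "-".join((raw[:3], raw[3:6], raw[6:]))


def token_is_well_formed(token, alphabet):
    """Format check worth running before typing the token into menu item 8."""
    groups = token.split("-")
    return (
        [len(g) for g in groups] == [3, 3, 4]
        and all(ch in alphabet for g in groups for ch in g)
    )


def recover_token(dump=GDB_DUMP, state=ALIGNED_STATE):
    constants, alphabet = parse_gdb_dump(dump)
    if len(constants) != 10:
        raise ValueError(f"expected 10 round constants, got {len(constants)}")
    return build_override_token(room_signature(state), constants, alphabet)


if __name__ == "__main__":
    print(recover_token())
```

Parsing gdb's real output rather than hand-copying the ten words keeps the script honest when the table address or size changes between builds; the well-formedness check catches a wrong alphabet index or a dropped hyphen before the token is typed into the running binary.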

Stage 4: Submit the token

With the room aligned, submit the recovered token:

8
RHY-QVT-KAXJ

Program output:

override token> `CIT{Vc282vlhCxIJ}`

Artifacts Produced

  • artifacts/recover_token.py - standalone token reconstruction script.

Flag

CIT{Vc282vlhCxIJ}
