Blkhurst

March 01 2025

BLK_BOX_2

BLK_BOX_2 was a cybersecurity challenge created by HMGCC. The challenge covered a wide range of topics, including decoding, RF analysis, reverse engineering, binary patching, constraint solving, and exploitation techniques including buffer overflows, integer wrapping, and race conditions.

I originally started BLK_BOX_2 in 2022, but revisited it over the following years with new approaches to try. I eventually solved all stages and placed second under the pseudonym Designated. Across both challenges, 184 participants reached the first stage of BLK_BOX_1, and only six completed both challenges.

BLK_BOX 2 leaderboard

Contents

Stage 1 · Area 1 · Decoding: An introductory decoding challenge containing three variations of the same hidden message, encoded using token substitution, binary conversion, and Manchester encoding.

Stage 2 · Area 1 · Retro: Demodulated a retro FSK audio signal into a Commodore 64 PRG, reversed the 6502 guessing game, and crafted a buffer overflow input to force a guaranteed first-move win.

Stage 2 · Area 2 · OxyBuffer: Reversed a sabotaged three-program oxygen pipeline to identify five modified bytes out of 13,344 bytes, then patched the binary to restore IPC-to-UDP communication and reach 100%.

Stage 2 · Area 3 · RF Capture #1: Demodulated a 315MHz ASK/OOK RF capture in Inspectrum, before rebuilding the same signal-processing chain in GNU Radio to better understand the DSP pipeline.

Stage 2 · Area 4 · Z3 Theorem Solver: Modelled a 100-step movement hash as a Z3 constraint problem, reproducing C integer behaviour to recover valid paths without brute forcing 4^100 possibilities.

Stage 2 · Area 5 · Reverse & Explore: Reversed a stripped 32-bit ELF binary and crafted a stack buffer overflow payload to overwrite the saved return address and jump into a hidden function.

Stage 2 · Area 6 · Data Type Wrapping: Solved an impossible-looking fuel-mix equation by identifying a 64-bit unsigned input in assembly, then using modular arithmetic to find the input that wraps to the required value.

Stage 3 · Area 1 · RF Capture #2: Built GNU Radio flowgraphs to identify and demodulate multiple modulation schemes from a multi-signal RF capture, separating decoy transmissions from the final key-bearing signal.

Stage 3 · Area 2 · Reverse Reverse Reverse: Reversed a three-stage challenge spanning a Java archive, obfuscated Python script, and ELF binary, bypassing environment checks while preserving the values required for the final flag generation.

Stage 4 · Area 1 · Race Conditions: Reversed a sabotaged shared library to recover the required launch-state sequence, then exploited a TOCTOU race condition to bypass the forced error path and recover the kick-start engine value.