SpookyPass
Single ELF 64-bit binary (pass), not stripped, dynamically linked. 1. strings reveals a hardcoded comparison string; the challenge-specific value is redacted from state docs. 2. Disassembly of main shows: - Prompts for password via
Scenario
SpookyPass attack path
Single ELF 64-bit binary (pass), not stripped, dynamically linked. 1. strings reveals a hardcoded comparison string; the challenge-specific value is redacted from state docs. 2. Disassembly of main shows: - Prompts for credential via
Objective
Challenge walkthrough focused on Challenges evidence, validation, and reusable operator lessons.
Walkthrough flow
Artifact review
Hypothesis
Validated solve path
Proof captured
Source coverage
Moderate source coverage
Status: partial. This article is generated from 4 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.
- Challenges/Reversing/SpookyPass/writeup.md
- htb-challenge/Challenges/Reversing/SpookyPass/notes.md
- htb-challenge/Challenges/Reversing/SpookyPass/memory-summary.md
- htb-challenge/Challenges/Reversing/SpookyPass/hypothesis-board.md
Technical Walkthrough
SpookyPass - Writeup
Challenge Info
- Name: SpookyPass
- Category: Reversing
- Difficulty: Very Easy
- Flag:
<flag stored in loot/flag.txt>
Approach
Triage
Single ELF 64-bit binary (pass), not stripped, dynamically linked.
Analysis
stringsreveals a hardcoded comparison string; the challenge-specific value is redacted from state docs.- Disassembly of
mainshows:
- Prompts for password via fgets
- Strips newline with strchr
- Compares input to hardcoded string via strcmp
- On match: loops 0-25, reads int32 values from global parts array, takes low byte of each, builds a string, prints it (the flag)
- On mismatch: prints rejection message
Solve
Extracted the parts array (26 x int32 at virtual address 0x4060) directly from the binary using Python struct parsing. Low byte of each int32 produces one character of the flag.
import struct
with open('pass', 'rb') as f:
elf = f.read()
# parts is at VA 0x4060, file offset derived from LOAD segment
# Each entry is a 4-byte int, take low byte as ASCII char
# Result: <flag stored in loot/flag.txt>Key Insight
The flag is never stored as a string — it's built at runtime from an integer array. strings won't find it directly. But the password IS in plaintext, and the construction logic is trivial to reverse statically.
Time: ~3 minutes
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Challenge: SpookyPass
- Category: Reversing
- Difficulty: Very Easy
- Started: 2026-05-06
File Inventory
| File | Type | Size | SHA256 |
|---|---|---|---|
| pass | ELF 64-bit LSB PIE, x86-64, not stripped | - | <hash redacted> |
Evidence Ledger
| Timestamp | Action | Finding | Next |
|---|---|---|---|
| 00:00 | file pass | ELF 64-bit, dynamically linked, not stripped | strings |
| 00:01 | strings pass | Hardcoded comparison value redacted, parts symbol | disassemble |
| 00:02 | objdump -d pass (main) | strcmp gate, then loop builds flag from parts[0..25] (int32 array -> char) | extract parts |
| 00:03 | Python struct parse of parts array at 0x4060 | Flag: <flag stored in loot/flag.txt> | done |
Solution
- Binary asks for an input string and compares it with
strcmpagainst a redacted challenge value. - On success, constructs flag from 26 int32 values in
partsarray, prints it - Flag extracted statically by reading the
partsdata from the ELF at virtual address 0x4060
Memory Summary
Metadata
- Platform: HackTheBox Challenges
- Category:
- Challenge:
- Difficulty:
- Source workspace:
Validated Solve Chain
Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.
1.
Reusable Lessons
-
Dead Ends
-
Tool Quirks
-
Evidence Paths
-
Ingestion Decision
- Proposed for LightRAG: yes/no
- Requires user approval before ingestion: yes
Hypothesis Board
| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|
Closed Branches
| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|
Technical analogy
How to remember this solve
Think of the challenge as a small system with one rule that matters more than the rest. The solve is finding that rule, validating it, and using it carefully enough to reach the final proof.
For SpookyPass, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.