{"id":1928,"date":"2025-09-26T15:19:17","date_gmt":"2025-09-26T19:19:17","guid":{"rendered":"https:\/\/www.peteonsoftware.com\/?p=1928"},"modified":"2025-09-26T15:19:17","modified_gmt":"2025-09-26T19:19:17","slug":"hack-the-box-walkthrough-spookypass","status":"publish","type":"post","link":"https:\/\/www.peteonsoftware.com\/index.php\/2025\/09\/26\/hack-the-box-walkthrough-spookypass\/","title":{"rendered":"Hack The Box Walkthrough: SpookyPass"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.peteonsoftware.com\/images\/2025\/spookypass_ghostticket.jpg\" alt=\"A ghost holding a ticket to get into a party\" title=\"A ghost holding a ticket to get into a party\" style=\"float:left;margin:.5rem;\">Today&#8217;s challenge is a very easy challenge from Hack the Box.  You can find it <a href=\"https:\/\/app.hackthebox.com\/challenges\/SpookyPass\">here<\/a>.  There is no machine to start up, you just download the required files for the challenge.  You&#8217;ll get a .zip file and the password they provide you is <em>hackthebox<\/em>.<\/p>\n<pre>\r\n(kali@vici)-[~\/htb\/spookypass]\r\n$ unzip SpookyPass.zip\r\nArchive:  SpookyPass.zip\r\n   creating: rev_spookypass\/\r\n[SpookyPass.zip] rev_spookypass\/pass password: \r\n  inflating: rev_spookypass\/pass\r\n<\/pre>\n<p>After unzipping it, we see that it unzipped a directory called <em>rev_spookypass<\/em> and that directory has a single file in it called <em>pass<\/em>.  When we run the <em>file<\/em> command on <em>pass<\/em>, we see that it is an executable and that it is not stripped.  
<\/p>\n<pre>\r\n(kali@vici)-[~\/htb\/spookypass]\r\n$ ls\r\nrev_spookypass  SpookyPass.zip\r\n\r\n(kali@vici)-[~\/htb\/spookypass]\r\n$ cd rev_spookypass && ls\r\npass\r\n\r\n(kali@vici)-[~\/htb\/spookypass\/rev_spookypass]\r\n$ file pass\r\npass: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, BuildID[sha1]=3008217772cc2426c643d69b80a96c715490dd91, for GNU\/Linux 4.4.0, not stripped\r\n<\/pre>\n<p>Since this is Hack the Box, we can be a little less cautious.  However, if you find an executable in the wild, don&#8217;t just run it.  The better play is to get it into a sandbox and run it there so that it can&#8217;t do any damage to your machine or VM on the chance that it is malicious.  Warnings aside, here we go...<\/p>\n<pre>\r\n(kali@vici)-[~\/htb\/spookypass\/rev_spookypass]\r\n$ .\/pass\r\nWelcome to the SPOOKIEST party of the year.\r\nBefore we let you in, you'll need to give us the password: hackthebox\r\nYou're not a real ghost; clear off!\r\n<\/pre>\n<p>Okay.  So, we need a password.  The <em>file<\/em> command said that this binary executable is not stripped.  What does that even mean?  It means that the binary still contains its symbol table and possibly debugging information. The result is that:<\/p>\n<ul>\n<li>Function names, variable names, and other symbols are still embedded inside.<\/li>\n<li>It&#8217;s larger in size than a stripped binary.<\/li>\n<li>It&#8217;s easier to debug or reverse engineer (e.g., using gdb, objdump, or strings).<\/li>\n<\/ul>\n<p>Okay, so now we are talking about some good stuff.  Since this program asks for a password and checks it, it is possible that the password is inside, unobfuscated, and accessible through some simple methods.  Stripping removes symbols, not the string literals a program compares against, so this is worth trying on stripped binaries too.  
I&#8217;m going to try <em>strings<\/em> first.  What is <em>strings<\/em>?  This description is from the man pages for strings.<\/p>\n<pre>\r\nDESCRIPTION\r\nFor each file given, GNU strings prints the printable character sequences that are at \r\nleast 4 characters long (or the number given with the options below) and are followed \r\nby an unprintable character.\r\n\r\nDepending upon how the strings program was configured it will default to either \r\ndisplaying all the printable sequences that it can find in each file, or only those \r\nsequences that are in loadable, initialized data sections.  If the file type is \r\nunrecognizable, or if strings is reading from stdin then it will always display all of \r\nthe printable sequences that it can find.\r\n\r\nFor backwards compatibility any file that occurs after a command-line option of just - \r\nwill also be scanned in full, regardless of the presence of any -d option.\r\n\r\nstrings is mainly useful for determining the contents of non-text files.\r\n<\/pre>\n<p>What does that get us?<\/p>\n<pre>\r\n(kali@vici)-[~\/htb\/spookypass\/rev_spookypass]\r\n$ strings pass                                          \r\n\/lib64\/ld-linux-x86-64.so.2\r\nfgets\r\nstdin\r\nputs\r\n__stack_chk_fail\r\n__libc_start_main\r\n__cxa_finalize\r\nstrchr\r\nprintf\r\nstrcmp\r\nlibc.so.6\r\nGLIBC_2.4\r\nGLIBC_2.2.5\r\nGLIBC_2.34\r\n_ITM_deregisterTMCloneTable\r\n__gmon_start__\r\n_ITM_registerTMCloneTable\r\nPTE1\r\nu3UH\r\nWelcome to the \r\n[1;3mSPOOKIEST\r\n[0m party of the year.\r\nBefore we let you in, you'll need to give us the password: \r\ns3cr3t_p455_f0r_gh05t5_4nd_gh0ul5\r\nWelcome inside!\r\nYou're not a real ghost; clear off!\r\n;*3$\"\r\nGCC: (GNU) 14.2.1 20240805\r\nGCC: (GNU) 14.2.1 
20240910\r\nmain.c\r\n_DYNAMIC\r\n__GNU_EH_FRAME_HDR\r\n_GLOBAL_OFFSET_TABLE_\r\n__libc_start_main@GLIBC_2.34\r\n_ITM_deregisterTMCloneTable\r\nputs@GLIBC_2.2.5\r\nstdin@GLIBC_2.2.5\r\n_edata\r\n_fini\r\n__stack_chk_fail@GLIBC_2.4\r\nstrchr@GLIBC_2.2.5\r\nprintf@GLIBC_2.2.5\r\nparts\r\nfgets@GLIBC_2.2.5\r\n__data_start\r\nstrcmp@GLIBC_2.2.5\r\n__gmon_start__\r\n__dso_handle\r\n_IO_stdin_used\r\n_end\r\n__bss_start\r\nmain\r\n__TMC_END__\r\n_ITM_registerTMCloneTable\r\n__cxa_finalize@GLIBC_2.2.5\r\n_init\r\n.symtab\r\n.strtab\r\n.shstrtab\r\n.interp\r\n.note.gnu.property\r\n.note.gnu.build-id\r\n.note.ABI-tag\r\n.gnu.hash\r\n.dynsym\r\n.dynstr\r\n.gnu.version\r\n.gnu.version_r\r\n.rela.dyn\r\n.rela.plt\r\n.init\r\n.text\r\n.fini\r\n.rodata\r\n.eh_frame_hdr\r\n.eh_frame\r\n.init_array\r\n.fini_array\r\n.dynamic\r\n.got\r\n.got.plt\r\n.data\r\n.bss\r\n.comment\r\n<\/pre>\n<p>Anything look good in there?  Absolutely!  Between the string requesting the password and the string welcoming you in is this gem, &#8220;s3cr3t_p455_f0r_gh05t5_4nd_gh0ul5&#8221;.  Let&#8217;s see if it works.<\/p>\n<pre>\r\n(kali@vici)-[~\/htb\/spookypass\/rev_spookypass]\r\n$ .\/pass \r\nWelcome to the SPOOKIEST party of the year.\r\nBefore we let you in, you'll need to give us the password: s3cr3t_p455_f0r_gh05t5_4nd_gh0ul5\r\nWelcome inside!\r\nHTB{un0bfu5c4t3d_5tr1ng5}   \r\n<\/pre>\n<p>And there we go.  If we put that flag in over at Hack the Box, we win.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.peteonsoftware.com\/images\/2025\/spookypass_flagsubmit.jpg\" alt=\"Submitting the flag at HTB\" title=\"Submitting the flag at HTB\"><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.peteonsoftware.com\/images\/2025\/spookypass_pwned.jpg\" alt=\"SpookyPass Pwned Success Message\" title=\"SpookyPass Pwned Success Message\"><\/p>\n<p>There we go!  Very Easy, as promised.  
However, we did get some exposure to learning about unknown files and some very basic skills in prodding those files to see what might be hidden within them.  Any questions, let me know in the comments!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today&#8217;s challenge is a very easy challenge from Hack the Box. You can find it here. There is no machine to start up, you just download the required files for the challenge. You&#8217;ll get a &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[153],"tags":[142,149],"class_list":["post-1928","post","type-post","status-publish","format-standard","hentry","category-capture-the-flag","tag-infosec","tag-offensive-security"],"_links":{"self":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1928","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/comments?post=1928"}],"version-history":[{"count":0,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1928\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/media?parent=1928"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/categories?post=1928"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/tags?post=1928"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}