Find The Secret Flag



  • I've got it. My mistake (as usual).

    Cheers and happy new years. \o/

    THIS IS ..... HueHueBR Team!

  • Hi guys, i'm having problems to find what this binary needs. I tried every single way I learn until now to print what it need but with no success!
    I get a hash prompted on CLI (gdb) but could't use it.
    I couldn't find what to insert on /tmp/secret.
    Could someone please help me (probably more like guiding through) solve this challenge.
    Any help will be welcome.

    Thanks in advance!

  • I got the names of the two creators of this challenge, but I wasted 4 hours of my life not being able to understand what the flag is supposed to be. I tried EVERYTHING. I tried to enter the flag alone, to enter it as a hex and even to enter different combinations by excluding characters off the flag. Can someone help me understand what the hell the creators of this so called "challenge" are thinking ?


  • No need gdb for this challenge. ptrace is enough.


  • @tabacci said:
    No need gdb for this challenge. ptrace is enough.

    Could you please guide me through? I already tryed everything I knew and I jusnt cant pass through this one!! :(
    Thanks in advance!

  • edited January 2019

    Hmmm seems to me like the number which is provided as input must be brute forced, the file has to be create and the *** placed in it...Is there a way to solve without brute force ? Please PM me if I am wrong, will save me hours of life.

    EDIT: Weird, the hidden function returns crap...however if I run the weird string in that function through the xor brute on cyberchef it gets this out of it:

    Key = 78: DECODER$.STEFANO...$...$.]r

    But this is not accepted as a flag...can someone pm me ? getting angry at this point...

  • You are right. But the binary should be patched in two places.
    You can skip the first patch by actions you described, but the second patch to hidden function is necessary.
    Then run with different args bruting it slightly and wait the flag.


  • Guys! sorry to ruin the party! but I am not even able to execute the file. This file runs and doesn't give me CLI interface to type anything... anyone encountered same issue?

  • Hints
    1. It works. You just have to figure out how to make it progress. (Needs something to be somewhere)

    2. If you don't like shortcuts, you need to patch the binary. Utilize everything, leave no function behind!

    3. Cyber chef makes a delicious xor cake.

    4. You can skip 1&2 if shortcuts are your thing.

    Thanks to the creators for this challenge!


  • Hi guys, I seem to be stuck too. I managed to brute force the number for the parameter. I also managed to get the "hit any key" part through patching. But the string I'm getting looks useless, even after I tried putting it in cyberchef. Any help would be appreciated.

  • Thanks to a particular three letter agency and their new tool I was able to do everything I needed for this for free.

    Learned so much about reversing and the tool from this challenge. Great start to Linux reverse engineering.

    Happy to provide pointers through DM

  • Can someone help me with this? The binary doesn't print anything when I run it :)

  • I finally managed to get the Flag after analysing the asm-code for couple of hours. G***** from the N, * and * was very helpful. I learned a lot about reversing in this challenge. I managed to solve this challenge without patching the application, but I would like to talk about other solutions. Can anyone who solved it by patching the application drop me a DM?! Thanks a lot !
    Happy to provide hints through DM.

    Hack The Box

  • I got the creator name but i cant verify it, anyone can PM to help me pls :(

  • I feel like I'm close but not quite there yet...

    I found the XOR key, and can get the program to spit out some hex that translates to some readable ASCII text. However, continuing from there just causes the program to exit.

    I then tried forcing the program to execute a function that seemed to never be called by changing RIP to the secret function address. I can get to the application saying "--hit any key", but then after that, it just exits normally with no more data seeming to be provided to me. Not sure what the do next.

    Anyone able to send me a nudge would be greatly appreciated.

  • @i4n said:

    Anyone have any suggestions for this one? Most seem to be stuck at the same spot and have found a way to either print the "--hit any key" or "are you sure its the right one". I can't seem to figure out exactly what's going on with this. I know you can change the input in a couple ways and redirect to other functions but haven't come up with anything that produces the flag

    Nice comment, also this was not so difficult as snake for example. I did it just with static analysis.

  • edited June 2019

    Is it expected for the binary not to work properly?
    When using a debugger (let's say GDB), and stepping in, I get this message:

    "_IO_new_fopen (filename=0x400c76 "/DIR/FILENAME", mode=0x400c73 "rb") at iofopen.c:88
    88 iofopen.c: No such file or directory."

    p.s. Of course the file in the expected location :)

  • just solved. i spent 6 hours :smiley: . Some tips: 1. radare2 use "aaaa", find main and calls from main. 2. search for strings. 3. think about some strings (string) u found, where they are called from? good look, and try harder.
    Ty, @BananaPr1nc3, your comment is pretty helpfull! :)

  • Is correct add a function to call the piece of the code where there is the string "--hit any key" ? I had a lot of output string but the converted hex and xor doesn't really mean nothing. I saw the strings inside the binary but no one captured my attention. Some helps

  • edited August 2019

    Type your comment> @Arkango said:

    Is correct add a function to call the piece of the code where there is the string "--hit any key" ? I had a lot of output string but the converted hex and xor doesn't really mean nothing. I saw the strings inside the binary but no one captured my attention. Some helps

    You are on the correct path. When your program prints "useless" stuff, try to backtrack where your operands come from and ask yourself if that makes any sense. At multiple points in the binary, things remain unused which should be used. Radare2 hints at what you could try, can't tell how it looks like in other disassemblers.

    Press F to give respect

  • edited August 2019

    Hint: Find the right byte and profit. No reversing required. Having said that, I did spent time reversing to arrive at this hint. :smile:

    My write-ups of retired machines | Discord - limbernie#0386

  • This challenge made me want to end it all... And nobody in this thread mentions the issue that confused me the most.

    If you get the string with the names of the creators but with a bunch of "unwanted" characters, then do some research about the bell character.

    Alternatively, you do not need to know anything about what I mentioned above if you just patch the binary in the right places which, in my opinion, is a bit painful to work out.

  • new to HTB (and infosec in general), took me a full day!
    boy that was challenging, but i learned alot from it.
    i made it with 2 binary patches, as well as python script (that did more than just the filecheck).

    1. strings- take a close look at them. to which function each string belongs to?
    2. the program has few requirements to run properly. find those in the code
    3. identify the important zone that needs to run, as well as its required registers values.

  • edited October 2019

    Hello everyone, I'm a beginner. can someone help me ? .
    I already found the hidden function , but I didn't understand the input meaning of the main function,
    if the file creation is necessary in the future of the program for the state of the variables ,
    and the xor printed how to reverse it

  • edited October 2019

    @ydrah i think you finished this challenge already i'm stuck on the hidden function to get the flag can you PM me or if someone can, please?

  • Solved this just by looking at the disassembled code, no debugger necessary (though it'd help I guess). Found the function and quickly brute forced the key with cyberchef. I feel this one was easier than "Debug Me".

  • I was wondering why I can't debug this, and now I think it might be stripped.
    Even with that knowledge, still not getting very far!

  • Finally got it! Took over a week, and a little help. This may the most difficult challenge I've ever completed on HTB. I've done a couple reversing challenges with higher difficulty ratings (e.g. cake); but for me they were easier. I think it might be because I have an easier time when I can use graphical debuggers.

  • Done, take care when you let IDA to propose you a decoded string
    eg. db "xyz" look at the hexadecimal, it will avoid me to spend time to search for some string characters

Sign In to comment.