Introduction

The “SpookyPass” challenge from Hack The Box’s Hack The Boo 2024 event is a reverse engineering task categorized as very easy. You are provided with an executable that prompts for a password. The objective is to analyze the program to determine the correct password and gain access.

HackTheBox Spookypass Challenge Description

All the coolest ghosts in town are going to a Haunted Houseparty – can you prove you deserve to get in?

Reverse Engineering & Using Strings Tool

This challenge is designed to test basic reverse engineering skills, such as examining strings within the binary and understanding simple password validation mechanisms. It serves as an introductory exercise for those new to reverse engineering challenges.

When you execute the provided binary, it displays a prompt asking for a password. The goal is to analyze the program to uncover the correct password. This typically involves techniques like inspecting the binary for hardcoded strings, analyzing the program’s logic using tools like Ghidra or IDA, or debugging the executable to trace its behavior. The challenge is designed to be straightforward, making it a great starting point for those learning reverse engineering.

Welcome to the SPOOKIEST party of the year.
Before we let you in, you'll need to give us the password: foo
You're not a real ghost; clear off!

Using the strings command, we can extract printable text from the binary. This method is often helpful for finding hidden data such as hardcoded passwords, error messages, or other clues embedded within the program. Running strings on the binary might reveal potential hints or even the password itself, as simpler challenges sometimes store it in plain text for educational purposes. If no direct clue appears, we can proceed with more advanced analysis, such as disassembling the binary.

$ strings ./pass
# .. SNIP ..
Welcome to the
[1;3mSPOOKIEST
[0m party of the year.
Before we let you in, you'll need to give us the password:
s3cr3t_p455_f0r_gh05t5_4nd_gh0ul5
Welcome inside!
You're not a real ghost; clear off!
# .. SNIP ..
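
The following is an added example, not code from the original write-up or from the challenge: a minimal re-implementation of what strings does, run over a constructed byte blob, showing why the banner is split at the ANSI escape bytes and why a hardcoded password stands out. The sample bytes, the placeholder password and the secret_like heuristic are assumptions made for illustration.

```python
import re

# Constructed sample, not bytes from the challenge binary: string literals
# laid out NUL-terminated and back to back, as a compiler places them in
# .rodata. The password is a placeholder.
SAMPLE_RODATA = (
    b"\x01\x00\x02\x00"
    b"Welcome to the \x1b[1;3mSPOOKIEST\x1b[0m party of the year.\n\x00"
    b"Before we let you in, you'll need to give us the password: \x00"
    b"placeholder_p455w0rd\x00"
    b"Welcome inside!\x00"
    b"You're not a real ghost; clear off!\x00"
    b"\x7fELF\x02\x01"
)

def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes or tabs,
    the default behaviour of strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def secret_like(strings: list[str], min_len: int = 12) -> list[str]:
    """Heuristic (an assumption of this example): a single token of letters,
    digits and underscores that mixes letters with digits looks like an
    embedded credential rather than a message."""
    token = re.compile(r"[A-Za-z0-9_]{%d,}" % min_len)
    return [
        s for s in strings
        if token.fullmatch(s)
        and any(c.isdigit() for c in s)
        and any(c.isalpha() for c in s)
    ]

if __name__ == "__main__":
    found = extract_strings(SAMPLE_RODATA)
    for s in found:
        print(repr(s))
    print("credential-like:", secret_like(found))
```

The ESC byte (0x1b) and the newline are not printable, so each one ends a run; that is why the banner appears as three separate lines in the strings output. The same scan run against your own release builds is a quick check that no credential has been compiled in as a literal.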

If you input the password s3cr3t_p455_f0r_gh05t5_4nd_gh0ul5 into the binary, it validates successfully, and you are rewarded with the flag. This indicates that the binary checks the entered password against this hardcoded string, likely by a direct comparison in its validation logic. Congratulations on solving the challenge! 🎉

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.