LootStash Writeup - Cyber Apocalypse 2024

Last update: March 22, 2024

1 Introduction
2 Key Techniques
3 Artifacts Summary
4 Static Analysis
- 4.1 Basic file identification
- 4.2 Obtaining the flag
5 Conclusion

→ 1 Introduction

This writeup covers the LootStash Reversing challenge from the Hack The Box Cyber Apocalypse 2024 CTF, which was rated as having a ‘very easy’ difficulty. The challenge involved searching for plaintext strings in an x86-64 binary.

The description of the challenge is shown below.

→ 2 Key Techniques

The key techniques employed in this writeup are:

Using the strings command to search for strings in a binary

→ 3 Artifacts Summary

The downloaded artifact had the following hash:

$ shasum -a256 rev_lootstash.zip
17b0c167a30a51247ff901be455cd5491d58e276981707bb17231177922f7d3d  rev_lootstash.zip

The zip file contained a single file, stash:

$ unzip rev_lootstash.zip
Archive:  rev_lootstash.zip
   creating: rev_lootstash/
  inflating: rev_lootstash/stash

$ shasum -a256 rev_lootstash/*
2de89e7ea8347d190dbd9314f8a8f5680678abe03e520a530ecd87c29fb99c72  rev_lootstash/stash

→ 4 Static Analysis

→ 4.1 Basic file identification

The file command was used to identify the binary. For the purposes of the challenge, the key properties identified were:

ELF: The binary is in ELF format, commonly used on Linux systems.
x86-64: The binary is compiled for x86-64 bit machines.

$ file stash
stash: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=817b1311ae44bdc6ed8a9b563159616844e59c64, for GNU/Linux 3.2.0, not stripped

→ 4.2 Obtaining the flag

The flag was trivially found by extracting strings from the binary using the strings¹ command, then using grep to filter the results for “HTB”.

$ strings stash|grep HTB
HTB{n33dl3_1n_a_l00t_stack}

→ 5 Conclusion

The flag was submitted and the challenge was marked as pwned