Overview
SpookyPass was the opposite of Callfuscated: a small, friendly reversing target where the key was not overcomplicating the solve. The binary retained useful symbols and contained the password in readable data.
Initial Triage
The target was extracted from:
Spooky.zipusing the standard HTB archive password:
hacktheboxTarget binary:
rev_spookypass/pass| Property | Value |
|---|---|
| Format | ELF 64-bit PIE executable |
| Architecture | x86-64 |
| Symbols | Not stripped |
| Primary functions | main, standard libc calls |
String triage immediately revealed a likely password:
s3cr3t_p455_f0r_gh05t5_4nd_gh0ul5Program Logic
The program logic was straightforward:
- Print a welcome prompt.
- Read user input with
fgets. - Strip the trailing newline using
strchr. - Compare the input with
strcmp. - If the password matches, reconstruct and print the flag.
- Otherwise, print a failure message.
The prompt and failure message were:
Welcome to the SPOOKIEST party of the year.
Before we let you in, you'll need to give us the password:
You're not a real ghost; clear off!Flag Reconstruction
The flag was not directly stored as one plain string. Instead, it was reconstructed from a global integer array named conceptually like parts. The array held character values:
'H','T','B','{','u','n','0','b','f','u','5','c','4',
't','3','d','_','5','t','r','1','n','g','5','}'When converted back to characters, this yields:
HTB{un0bfu5c4t3d_5tr1ng5}Verification
The recovered password was verified by running:
printf 's3cr3t_p455_f0r_gh05t5_4nd_gh0ul5
' | ./passOutput:
Welcome to the SPOOKIEST party of the year.
Before we let you in, you'll need to give us the password: Welcome inside!
HTB{un0bfu5c4t3d_5tr1ng5}Lessons Learned
- Not every reversing challenge needs heavy tooling.
- Fast triage with
strings, symbols, and basic control-flow inspection can solve simple crackmes quickly. - Even when a password is visible, verify the success path to distinguish password from final flag.