SHA2017 Junior CTF - Find the Flag

There is a flag hidden in this binary. Can you find it?

Files: Download
Points: Binary 1
Useful tools: strings, grep
Tags: beginner, reverse engineering


This challenge gives us a binary file to examine named findtheflag. It doesn’t have an “.exe” extension, so we can assume without any testing that this is probably a Linux program. Copy the file over to a Linux machine if you haven’t already, and let’s try running it to see what happens.

$ ./findtheflag

There is a flag hidden in this binary. Can you find it?

Very basic; it doesn’t appear to do anything besides print this message to the screen. You can try giving it arbitrary arguments, but it still just returns this message.

Before jumping into advanced reverse engineering, it’s always worth trying some basic steps first. One of those basic steps is to look at the plain text strings that are embedded in the program. When a developer hard-codes a string into their program (e.g., mystring = "hello world") that string can be found in the compiled binary file in plaintext.

To view the strings of a binary file, you can use the strings command, which ships with GNU binutils on Linux. All this tool does is dig through the binary and print every run of 4 or more printable characters that appear back-to-back. It doesn’t check against a dictionary to know if they are actual words, so much of what is returned to you will be either garbage or irrelevant information (such as from a library).

$ strings findtheflag
/lib64/ld-linux-x86-64.so.2
libc.so.6
puts
__libc_start_main
__gmon_start__
GLIBC_2.2.5
UH-x    
fffff.
[]A\A]A^A_
flag{b760866fa6f035548be127b7525dbb66}
There is a flag hidden in this binary. Can you find it?
;*3$"
GCC: (Debian 4.9.2-10) 4.9.2
GCC: (Debian 4.8.4-1) 4.8.4
.symtab
.strtab
.shstrtab
  < clipped >

If you look through all the strings output, you’ll find the flag. Based on its position, it looks like it was set right before the program printed that message to the screen (another string). Luckily the output wasn’t too long, so it didn’t take a lot of scrolling to find, but this won’t always be the case. I recommend getting in the habit of using grep to search for what you are interested in finding. We know we’re trying to find the flag, and we know from the rules of the CTF that the flag format is flag{...}, so use grep to search for this.

$ strings findtheflag | grep flag
flag{b760866fa6f035548be127b7525dbb66}
There is a flag hidden in this binary. Can you find it?
findtheflag.c

Here the output is significantly shorter because only the strings that contained “flag” were returned to our screen, instead of all strings. The flag for this challenge is flag{b760866fa6f035548be127b7525dbb66}.
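As an added example (not part of the original write-up or the challenge files), the Python sketch below reimplements the strings | grep step: it pulls out runs of 4 or more printable characters with their file offsets, then matches the flag{...} format rather than the bare word "flag". It goes one step beyond the text by also scanning 16-bit little-endian strings, which strings skips unless run with -e l; the sample bytes and flag values are constructed.

```python
import re

# Constructed sample standing in for a compiled binary. It is NOT the
# challenge file, and both flag values below are made up.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"libc.so.6\x00puts\x00\x01\x02abc\x00"
    + b"flag{constructed_example_value}\x00"
    + b"There is a flag hidden in this binary.\x00\x01\x02"
    + "flag{wide_example}".encode("utf-16-le") + b"\x00\x00"
)

# Tighter than `grep flag`: only the flag{...} format, not the word "flag".
FLAG_RE = re.compile(r"flag\{[^}]*\}")


def extract_strings(data, min_len=4):
    """Yield (offset, encoding, text) for runs of printable characters."""
    # 8-bit runs: what `strings` reports by default.
    ascii_run = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    for m in ascii_run.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    # 16-bit little-endian runs: each printable byte followed by a NUL.
    wide_run = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)
    for m in wide_run.finditer(data):
        yield m.start(), "utf-16-le", m.group().decode("utf-16-le")


def find_flags(data):
    """Return (offset, encoding, flag) for each flag{...} found in data."""
    hits = []
    for offset, enc, text in extract_strings(data):
        width = 2 if enc == "utf-16-le" else 1  # bytes per character
        for m in FLAG_RE.finditer(text):
            hits.append((offset + m.start() * width, enc, m.group()))
    return hits


if __name__ == "__main__":
    for offset, enc, flag in find_flags(SAMPLE):
        print(f"0x{offset:04x}  {enc:<9}  {flag}")
```

To run it against a real file, pass open(path, "rb").read() to find_flags instead of SAMPLE.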

Review & Lessons Learned

One of the first things you should do when analyzing an unknown binary is to run a simple strings search. This will give you clues as to what the binary does and how it behaves, and maybe even reveal sensitive information that was hardcoded into the program.
