❔ [0x00] Binary problem: Byte per byte

1.- Provided challenge description


The code is inside the binary code of this binary following this structure: Advent{code}. Good luck!

2.- Provided files


byte_per_byte

3.- Challenge


We’ll apply the ‘lowest hanging fruit’ methodology, that is, testing each thing from the bottom up so that we don’t forget anything in between.

We run the file command to see what information we may get from the binary; it returns:

byte_per_byte: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
BuildID[sha1]=bfca996e2b11c48694a780ff141d9b4c5dc88fdc, for GNU/Linux 3.2.0, not stripped

The binary isn’t stripped (that means it has debug symbols, which may come in handy if there’s any need to disassemble the file). We’ll run it to see how it behaves (./byte_per_byte):

All it does is print the string “Nothing to see here…” on the screen.

We run a quick hexdump on the file (hexdump -c byte_per_byte) and discover the flag at offset 0x00003020, with 2 NULL bytes of padding in between the ASCII characters. Fixing the representation yields the flag:

Advent{qkGGTxcRmwfDQP8ZrJQuFPIm5Jyim3pn}
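Fixing the representation by hand can also be scripted. The following is an added example, not part of the original challenge or writeup: it scans a file for printable ASCII characters separated by a fixed number of NUL bytes and generalizes the 2-byte case above to 1 to 3 bytes of padding. The function names and the embedded sample blob are constructed for illustration.

```python
import re
import sys

def padded_strings(data, pad, min_len=6):
    """Yield (offset, text) for printable-ASCII runs whose characters are
    separated by exactly `pad` NUL bytes."""
    pattern = rb"(?:[\x20-\x7e]\x00{%d}){%d,}[\x20-\x7e]" % (pad, min_len - 1)
    for m in re.finditer(pattern, data):
        # Keep every (pad+1)-th byte: the characters without their padding.
        yield m.start(), m.group()[:: pad + 1].decode("ascii")

def find_flag(data, prefix="Advent{", max_pad=3):
    """Try each padding width; return (offset, pad, flag) or None."""
    flag_re = re.compile(re.escape(prefix) + r"[^}]*\}")
    for pad in range(1, max_pad + 1):
        for offset, text in padded_strings(data, pad):
            hit = flag_re.search(text)
            if hit:
                # Map the character index back to a byte offset in the file.
                return offset + hit.start() * (pad + 1), pad, hit.group()
    return None

# Constructed sample (not the real binary): a fake header, the visible
# message, then a made-up flag stored with 2 NUL bytes between characters.
SAMPLE_FLAG = b"Advent{constructed_sample_flag}"
SAMPLE = (b"\x7fELF" + bytes(16) + b"Nothing to see here...\x00" + bytes(5)
          + b"\x00\x00".join(bytes([c]) for c in SAMPLE_FLAG) + bytes(8))

if __name__ == "__main__":
    # Pass the path to byte_per_byte to scan the real file instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = find_flag(data)
    if result is None:
        print("no padded flag found")
    else:
        offset, pad, flag = result
        print(f"offset 0x{offset:08x}, {pad} NUL byte(s) of padding: {flag}")
```

A scan for contiguous printable bytes misses this layout because the characters are never adjacent, which is why the padding width has to be part of the search.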

Writeup for the first challenge of the 2022 Advent of Hack CTF