HackTheBox
The task provides a zip archive with a single file `stash` — an ELF binary containing hundreds of decoy strings. The goal is to find the flag among the "junk" data.
A giant stash of powerful weapons and gear have been dropped into the arena - but there's one item you have in mind. Can you filter through the stack to get to the one thing you really need?
```
$ file stash
stash: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, not stripped
```
Standard 64-bit ELF, dynamically linked, not stripped — no signs of packing or obfuscation.
```
$ strings stash | head -30
Ebony, Core of Perdition
Phantomdream, Trinket of the Corrupted
Shadowstrike, Pendant of Twilight's End
Doomhowl, Relic of the Fallen
Stormfang, Amulet of Eternal Fury
...
```
The binary contains hundreds of strings with fantasy weapon and gear names — this is the "loot stash". The strings appear to be decorative noise, among which the flag is hidden.
```
$ strings stash | grep "HTB{"
HTB{n33dl3_1n_a_l00t_stack}
```
The flag was found instantly — it's stored in plaintext among hundreds of decoy strings. No encryption, encoding, or obfuscation was applied.
The flag HTB{n33dl3_1n_a_l00t_stack} is leetspeak for "needle in a loot stack", a play on the idiom "needle in a haystack". The task description directly hints at this: you need to "filter through the stack" to find the one thing you need.
```bash
# 1. Extract the archive
unzip rev_lootstash.zip

# 2. Identify the file
file stash

# 3. Find the flag
strings stash | grep "HTB{"
```
The solution takes one command after extraction — the classic strings | grep.
strings stash | grep -oE "HTB\{[^}]+\}"
strings | grep — before launching a disassembler or debugger, check if the flag is in plaintext. This takes 2 seconds and solves ~10% of reverse tasks at CTFs.
.rodata section, but this is overkill for this task
48 54 42 7B (HTB{) in the binary file
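What `strings | grep` does to the raw bytes, as an added example that is not part of the original writeup: it pulls out printable runs and matches the flag pattern, and it goes beyond this task by also checking UTF-16LE strings, which `strings` skips unless run with `-e l`. The sample bytes, both flags in them and all function names are constructed for illustration.

```python
import re

FLAG_RE = re.compile(r"HTB\{[^}]+\}")   # same pattern as the grep -oE above
MAGIC = bytes.fromhex("4854427B")       # raw bytes of "HTB{"

def ascii_strings(data, min_len=4):
    """Yield (offset, text) for printable-ASCII runs, like strings(1) defaults."""
    for m in re.finditer(rb"[\x20-\x7e\t]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")

def utf16le_strings(data, min_len=4):
    """Yield (offset, text) for UTF-16LE runs (what `strings -e l` reports)."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), m.group().decode("utf-16-le")

def magic_offsets(data):
    """Offsets of the raw 48 54 42 7B byte sequence (single-byte encodings only)."""
    return [m.start() for m in re.finditer(re.escape(MAGIC), data)]

def find_flags(data):
    """Return sorted (file_offset, encoding, flag) tuples for every pattern hit."""
    hits = []
    for encoding, extractor, width in (("ascii", ascii_strings, 1),
                                       ("utf-16-le", utf16le_strings, 2)):
        for off, text in extractor(data):
            for m in FLAG_RE.finditer(text):
                # width converts a character index back into a byte offset
                hits.append((off + width * m.start(), encoding, m.group()))
    return sorted(hits)

# Constructed sample: NUL-separated decoy strings in the style of the stash
# binary, with one constructed ASCII flag and one constructed UTF-16LE flag.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00"
    + b"Ebony, Core of Perdition\x00"
    + b"Doomhowl, Relic of the Fallen\x00"
    + b"HTB{constructed_ascii_flag}\x00"
    + b"Stormfang, Amulet of Eternal Fury\x00"
    + "HTB{constructed_wide_flag}".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for off, enc, flag in find_flags(SAMPLE):
        print(f"0x{off:04x}  {enc:<9}  {flag}")
```

The raw-byte search for `48 54 42 7B` finds only the ASCII copy, which is why the wide-string pass is worth running when the plain search comes back empty.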