reverse | free | hard

Maze Challenge Scenario

hackthebox

Task: a PyInstaller-packed Windows binary leads to a password-protected ZIP and a deliberately corrupted ELF checker. Solution: recover embedded Python secrets, derive the PNG-based hint, repair every-10th-byte corruption, and solve the final rolling-sum constraints.

$ ls tags/ techniques/
pyc_disassembly  pyinstaller_unpacking  hardcoded_secret_recovery  file_corruption_repair  constraint_solver_modeling

Maze Challenge Scenario — HackTheBox

Description

Provided files: maze.png, enc_maze.zip, and maze.exe.

English summary: The challenge starts from a PyInstaller-packed Windows executable and leads through several nested stages. The goal is to recover hidden secrets, unpack the protected archive, repair the corrupted Linux checker, and solve its final validation routine.

Challenge overview

This was a staged reverse engineering challenge:

  1. Reverse the PyInstaller-packed maze.exe.
  2. Recover the first required path string and the ZIP password from embedded Python bytecode.
  3. Extract the inner file maze from enc_maze.zip.
  4. Understand why the ELF-like binary is corrupted and repair enough code/data to analyze it.
  5. Reconstruct the checker and solve the final constraints to obtain the flag.

Initial file triage and observations

The downloaded archive contained:

  • rev_maze/maze.png
  • rev_maze/enc_maze.zip
  • rev_maze/maze.exe

Quick triage showed that maze.exe was a Windows PE produced with PyInstaller. That immediately suggested two useful directions:

  • unpack the bundled Python application,
  • inspect the embedded .pyc modules instead of treating the PE as a normal native crackme.

The nested enc_maze.zip indicated a multi-stage design, and the presence of maze.png hinted that image data might later be reused as part of a key or seed derivation step.

PyInstaller unpacking and Python bytecode recovery

The executable was unpacked as a PyInstaller archive and the bundled Python bytecode was extracted from the embedded PYZ. Disassembly/decompilation of the recovered modules exposed the real control flow.

Important recovered modules included:

  • the main maze logic,
  • obf_path,
  • additional obfuscated helper code inside the embedded archive.

This stage converted the challenge from “reverse a packed PE” into “read Python logic and recover staged constants.” That was the first big simplification.
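The triage and unpacking steps above both depend on the archive PyInstaller appends to the executable. The following is an added example, not the writeup's own tooling: it assumes the PyInstaller 2.1+ CArchive layout (an 88-byte trailing cookie and a big-endian table of contents), and the function names and the sample blob are constructed for illustration.

```python
import struct
import zlib

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"       # CArchive cookie magic
COOKIE = struct.Struct("!8sIIii64s")      # magic, pkg_len, toc_off, toc_len, pyver, pylib
ENTRY = struct.Struct("!iIIIBc")          # entry_len, data_off, csize, usize, zflag, type
KINDS = {"s": "entry script", "z": "PYZ archive", "m": "module", "b": "binary", "x": "data"}


def list_carchive(blob):
    """Return (pyver, [(name, type, offset_in_file, csize, usize, compressed)])."""
    pos = blob.rfind(MAGIC)
    if pos < 0 or pos + COOKIE.size > len(blob):
        raise ValueError("no PyInstaller cookie found")
    _, pkg_len, toc_off, toc_len, pyver, _ = COOKIE.unpack_from(blob, pos)
    base = pos + COOKIE.size - pkg_len        # start of the appended archive
    if base < 0 or toc_off + toc_len > pkg_len:
        raise ValueError("cookie fields are inconsistent")
    entries, cur, end = [], base + toc_off, base + toc_off + toc_len
    while cur < end:
        size, off, csize, usize, zflag, kind = ENTRY.unpack_from(blob, cur)
        if size <= ENTRY.size or cur + size > end:
            raise ValueError("malformed TOC entry")
        name = blob[cur + ENTRY.size:cur + size].rstrip(b"\0").decode("utf-8", "replace")
        entries.append((name, kind.decode("latin-1"), base + off, csize, usize, bool(zflag)))
        cur += size
    return pyver, entries


def build_sample():
    """Constructed stand-in for a packed EXE: stub bytes + two entries + TOC + cookie."""
    files = [("maze", b"s", b"print('stage 1')\n" * 4), ("PYZ-00.pyz", b"z", b"PYZ\0" + b"\0" * 28)]
    data, toc = b"", b""
    for name, kind, raw in files:
        packed = zlib.compress(raw) if kind == b"s" else raw
        padded = name.encode() + b"\0" * (16 - len(name) % 16)
        toc += ENTRY.pack(ENTRY.size + len(padded), len(data), len(packed), len(raw),
                          kind == b"s", kind) + padded
        data += packed
    pkg_len = len(data) + len(toc) + COOKIE.size
    cookie = COOKIE.pack(MAGIC, pkg_len, len(data), len(toc), 311, b"python311.dll")
    return b"MZ" + b"\x90" * 62 + data + toc + cookie


if __name__ == "__main__":
    pyver, toc = list_carchive(build_sample())
    print("python version field:", pyver)
    for name, kind, off, csize, usize, z in toc:
        print(f"{KINDS.get(kind, kind):12} {name:12} off=0x{off:x} {csize}->{usize} zlib={z}")
```

The `s` entry is the bundled entry script and the `z` entry is the PYZ that holds the remaining modules; the version field indicates which Python release is needed to disassemble the recovered bytecode.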

Recovery of the hardcoded path string and ZIP password

...