2026-05-21 MetaCTF easy

MetaCTF - Binary Basics

revreverse-engineeringbinarystringself

A compiled ELF binary hid a hardcoded flag in its read-only data section. The strings utility extracted it without executing a single instruction.

Challenge

Platform: MetaCTF Category: Reverse Engineering

Your friend told you there is something hidden in this program. Can you find it?

Hint: “Binary” is a common term for compiled programs. How do they store hardcoded data? Are there any simple Linux tools that can help you retrieve parts of it?

Reconnaissance

Running file on the binary first to understand what we’re dealing with:

1file binary_basics
2# ELF 64-bit LSB executable, x86-64

A standard Linux ELF binary. The hint is pointing directly at hardcoded strings — data that gets compiled into the binary and sits in the executable’s .rodata section in plain text.

Exploitation

One command:

1strings binary_basics

The flag appears immediately in the output:

MetaCTF{str1ngs_ar3_th1ngs_that_m3an_th1ngs}

Immediately followed by the program taunting you:

You won't find the flag that easy!
You'll have to search a little harder if you want to find it...

The program’s runtime output tries to throw you off, but strings runs against the binary file on disk — it never executes the code.

To cut straight to it with grep:

1strings binary_basics | grep -i "metactf"

What strings Actually Does

The strings utility scans a binary file for sequences of printable ASCII characters (4+ chars by default) and prints them. Compiled programs store all sorts of readable text in the binary: error messages, prompts, version strings, URLs, and sometimes flags left by CTF authors.

The flag name is self-referential: str1ngs_ar3_th1ngs_that_m3an_th1ngs — strings are literally the things that mean things inside a binary.

Doing This on a Mac

strings ships with macOS. Open Terminal and run it directly:

1strings binary_basics
2strings binary_basics | grep -i "metactf"

For a GUI option, Binary Ninja’s free web version at binary.ninja lets you drag and drop a binary and view all strings in a searchable panel — no install needed.

Ghidra (free, from the NSA) has a dedicated “Defined Strings” window under Window → Defined Strings that does the same thing with a nicer interface. Install via Homebrew with brew install ghidra, then run it with ghidraRun (not ghidra).

Takeaways

  • strings is always the first tool to run on an unknown binary in a CTF — it costs nothing and frequently gives you the flag or useful recon.
  • Hardcoded credentials, API keys, and internal paths in production binaries are found this exact same way. This is a real-world vulnerability, not just a CTF trick.
  • The binary tried to deceive at runtime. Always distinguish between what a program does when run versus what it contains on disk.