endianness picoCTF 2024 Solution

Published: April 3, 2024

Description

Know of little and big endian?

Download the source code to understand the challenge.

Connect to the remote service and have a hex converter ready (CyberChef, python, etc.).

bash
nc titan.picoctf.net <PORT_FROM_INSTANCE>

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
This is a warm-up endianness challenge. Once you understand basic little-endian conversion here, advance to endianness-v2 for a more complex forensics application involving image file recovery.
  1. Step 1
    Capture the word and convert to hex
    Observation
    I noticed the server sends a plaintext word and later expects raw hex digits, which suggested the first step is mapping each character to its ASCII byte value before any endianness transformation can be applied.
    The server prints a word (e.g., ffoxf). Convert each character to its ASCII hex value to get 66 66 6f 78 66.
    Learn more

    Each character maps to its ASCII hex value. ASCII is a 7-bit encoding where printable characters start at 0x20 (space) and run through 0x7E (~). You can look them up with man ascii or use Python: hex(ord('f')) returns 0x66.

    Worked example for ffoxf: ord('f') = 0x66, ord('o') = 0x6f, ord('x') = 0x78. So the byte array is [0x66, 0x66, 0x6f, 0x78, 0x66].

    The server is essentially asking: if you stored this 5-character string in memory as a series of bytes, what bytes would you see, and in what order? To answer, you first need the ASCII byte values.

  2. Step 2
    Submit little-endian representation
    Observation
    I noticed the server explicitly asks for little-endian first, and since x86 systems store the least significant byte at the lowest address, this meant reversing the byte order of the ASCII hex sequence before submitting.
    Reverse the byte order: 66 66 6f 78 66 becomes 66 78 6f 66 66. Submit without spaces or 0x prefix.
    bash
    66786f6666
    What didn't work first

    Tried: Submit the bytes in their original left-to-right order (66666f7866) for the little-endian answer

    That is big-endian order, not little-endian. Little-endian reverses the byte sequence so the last byte comes first. Submitting the natural order here will be accepted only for the big-endian prompt that comes next, not the little-endian one.

    Tried: Include spaces or 0x prefixes in the submission (e.g., 66 78 6f 66 66 or 0x66786f6666)

    The server does an exact string match against the raw hex digits. Spaces and 0x prefixes cause the match to fail and the server reports a wrong answer. Strip all formatting and submit only the lowercase hex digits in one continuous string.

    Learn more

    Little endian means the least significant byte is stored first (at the lowest memory address). x86 and ARM (in most modes) use little-endian. So 0x12345678 is stored as 78 56 34 12. Reversing the byte array of the ASCII characters gives the little-endian representation.

  3. Step 3
    Submit big-endian representation
    Observation
    I noticed the server prompts for big-endian after accepting little-endian, and since big-endian stores the most significant byte first, it matches the natural left-to-right ASCII byte order already computed in step one.
    The big-endian representation is the bytes in their original left-to-right order: 66 66 6f 78 66. Submit without spaces or 0x prefix.
    bash
    66666f7866
    What didn't work first

    Tried: Reuse the reversed (little-endian) byte sequence (66786f6666) for the big-endian prompt as well

    The server prompts for big-endian separately after accepting the little-endian answer. Big-endian is the original left-to-right byte order, not the reversed one. Submitting the reversed bytes again produces a wrong-answer response on the second prompt.

    Tried: Convert the word using UTF-16 or Unicode code points instead of ASCII byte values

    UTF-16 encodes most ASCII characters as two bytes (e.g., 'f' becomes 0x0066 in UTF-16BE), which doubles the byte count and changes the hex string entirely. The server expects single-byte ASCII values, so a UTF-16 submission will never match the expected hex string.

    Learn more

    Big endian means the most significant byte comes first, which matches the natural left-to-right reading order of a number. Network protocols (TCP/IP) use big endian, which is why it is also called network byte order. For the ASCII bytes of a word, big endian is simply the characters in their original order.

    The server asks for both representations in sequence. After getting both correct it prints the flag. Use an ASCII table or Python to convert each character, then submit the bytes reversed (little-endian) and in order (big-endian).

    See the CTF encodings guide for ASCII-to-hex flows and the hex dumps guide for spotting byte order in raw output.

Interactive tools
  • Number Base ConverterConvert numbers between binary, octal, decimal, and hexadecimal instantly. Enter any value and see all four bases update in real time.

Flag

Reveal flag

picoCTF{3ndi4n_sw4p_su33ess_d58...}

After a handful of conversions the service prints the flag.

Key takeaway

Endianness is a hardware-level convention that determines which byte of a multi-byte integer sits at the lowest memory address. Little-endian (x86, ARM) stores the least significant byte first; big-endian (network protocols, some RISC architectures) stores the most significant byte first. This distinction is invisible within a single system but becomes a correctness issue whenever binary data crosses architectural boundaries, such as in network protocol parsing, file format portability, and embedded systems integration. The C standard library functions htonl and ntohl exist precisely to handle this conversion for network code, and every binary format specification must state its byte order explicitly.

Related reading

Want more picoCTF 2024 writeups?

Tools used in this challenge

Do these first

What to try next