Mariquita (mariquita-sec)

I scan, I map, I exploit .... Red Team Princess—Crowned in Shells.!!!

PicoCTF 2025 – Flag_hunters Write-Up

Challenge Overview

In this Flag_hunters challenge, we were given the source code of a server program that displays song lyrics in order. The flag, however, is hidden before the lyrics start displaying, and we needed to find a way to read it. Let's break down how I approached solving this challenge.


Downloading and Inspecting the Source Code

As always, I started by downloading the challenge files:

After extracting the files, I found a server-like Python script that seemed to display lyrics in sequence.

While analyzing the code, I made a key observation:


Understanding Key Parts of the Code

The challenge included this interesting line of code:

for line in song_lines[lip].split(';'):

What Does This Do?

song_lines[lip] extracts a specific line from the lyrics list.

.split(';') splits that line into separate parts wherever the semicolon (;) appears.

This means that if we inject something like ;RETURN 0; into the input, the program treats it as part of the lyrics processing logic, which lets us manipulate its control flow.

Another crucial line of code was:

re.match(r"RETURN [0-9]+", line)

What Does This Do?

The regular expression (regex) r"RETURN [0-9]+" matches any string that starts with "RETURN" followed by a space and a number.

The program checks if a line contains this pattern.

If it finds "RETURN 0", it may cause the program to return early, potentially revealing the hidden flag before the lyrics appear.
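To make the split-then-match logic concrete, here is a constructed miniature of such a lyric interpreter, written for this write-up rather than taken from the challenge source. It assumes a SONG list with the secret on line 0 and a [CROWD] placeholder where user input is spliced in, and shows the vulnerable splice next to a hardened version that treats crowd input as plain data.

```python
import re

# Constructed model (an assumption, not the original PicoCTF script):
# line 0 holds the secret, a CROWD line splices user input into the
# song text, and ';' separates the interpreter's commands.
SECRET = "flag{constructed_placeholder}"
SONG = [
    f"[SECRET] {SECRET}",   # line 0: never reached when playing from line 1
    "Verse one;",
    "Crowd: [CROWD];",      # user text is spliced in here
    "Verse two;",
]

def run_song(crowd_input, hardened=False):
    """Play SONG from line 1 and return the lines that would be printed."""
    out, lip, asked = [], 1, False
    while lip < len(SONG):
        text = SONG[lip]
        if "[CROWD]" in text:
            answer = "" if asked else crowd_input   # input is read only once
            asked = True
            if hardened:
                # Hardened: crowd text is data, not lyrics. It is printed
                # verbatim and never reaches the split/RETURN parser.
                out.append("Crowd: " + answer)
                lip += 1
                continue
            # Vulnerable: user input joins the same string the parser splits,
            # so a ';' in it creates a new command.
            text = text.replace("[CROWD]", answer)
        jumped = False
        for line in text.split(";"):
            m = re.match(r"RETURN ([0-9]+)", line)
            if m:
                lip = int(m.group(1))   # jump to any line, including 0
                jumped = True
                break
            if line.strip():
                out.append(line)
        if not jumped:
            lip += 1
    return out

def leaked(lines):
    """True if the secret line made it into the output."""
    return any(SECRET in line for line in lines)
```

Running run_song(";RETURN 0") prints the secret line, while the hardened variant just echoes the literal text "Crowd: ;RETURN 0".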

Exploiting the Server with Code Injection

Now that we understood how the program processes lyrics, it was time to exploit it by injecting our own input.

We connected to the server using the given netcat command:

Since we knew that the lyrics accepted user input, we injected a payload to force the program to return before displaying the lyrics and reveal the flag.

After running our payload, the server stopped displaying the lyrics and instead revealed:

Mission accomplished! 🚀
