Flash CTF – Slithering Security

Overview

In this reverse engineering challenge, we’re presented with a Python script that contains the “encrypted” flag.

Solutions

There are multiple ways to solve this challenge, two of which are documented below.

Decoding the Flag

In the script, we see that the flag is stored in the SECRET_FLAG variable, which has a bunch of characters in the format \x__. This is just a series of bytes. Each \x escape is followed by two hexadecimal digits that give the value of one byte, which we can convert to a more…readable format.

Using a tool like CyberChef, we can copy/paste the contents of the SECRET_FLAG variable and decode from hex, giving us the following string:

TWV0YUNURntkMG43XzdydXM3X2NsMW43c193aTdoX3MzY3IzN3Nzc3Nzc3N9

Huh. That doesn’t look like a flag, so what’s going on? Let’s look back at the script. After we enter our input and it’s checked against the hashed password, one of two things will happen – the flag will be decoded if our password is correct, or we’ll be told our password is incorrect. The important thing to pay attention to here is how the flag is decoded if we’re correct – specifically, the code fragment b64decode(SECRET_FLAG).decode(). The b64decode function in the base64 module decodes Base64 strings, so we can assume our secret flag is Base64-encoded. Luckily for us, CyberChef can decode Base64 strings too, so let’s try it!

After using the “From Base64” recipe in CyberChef on the string we got earlier, we get the flag:

MetaCTF{d0n7_7rus7_cl1n7s_wi7h_s3cr37sssssss}
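
Both decoding steps above can also be done statically, without CyberChef and without running the script. The following is an added example, not part of the original challenge or write-up: it parses a script with Python's ast module and reports every literal that Base64-decodes to readable text, a check a reviewer could run before shipping a client-side script. SAMPLE_SCRIPT is a constructed stand-in for the challenge file (only the Base64 string comes from this page), and recoverable_literals is a hypothetical helper name.

```python
import ast
import base64
import binascii

# Base64 text taken from the write-up; the script built around it is
# constructed for this example and is not the original challenge file.
B64_FROM_PAGE = b"TWV0YUNURntkMG43XzdydXM3X2NsMW43c193aTdoX3MzY3IzN3Nzc3Nzc3N9"
ESCAPED = "".join(f"\\x{b:02x}" for b in B64_FROM_PAGE)  # \x54\x57\x56...
SAMPLE_SCRIPT = f'''
from base64 import b64decode
from hashlib import sha256
HASHED_PASSWORD = "<placeholder-digest>"
SECRET_FLAG = b"{ESCAPED}"
def check_password(p):
    return sha256(p.encode()).hexdigest() == HASHED_PASSWORD
inp = input("Password: ")
if check_password(inp):
    print("Well done, your flag isssssss", b64decode(SECRET_FLAG).decode())
'''


def recoverable_literals(source, min_len=16):
    """Return (line, decoded_text) for every str/bytes literal that is valid
    Base64 of printable ASCII, i.e. readable without knowing the password."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Constant):
            continue
        value = node.value
        if isinstance(value, str):
            value = value.encode("utf-8", "ignore")
        if not isinstance(value, bytes) or len(value) < min_len:
            continue
        try:
            # The parser has already turned the \x escapes into raw bytes;
            # validate=True rejects anything outside the Base64 alphabet.
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            continue
        if decoded and all(32 <= c < 127 for c in decoded):
            findings.append((node.lineno, decoded.decode("ascii")))
    return findings


if __name__ == "__main__":
    for line, text in recoverable_literals(SAMPLE_SCRIPT):
        print(f"line {line}: literal decodes to {text!r}")
```

The password hash and the prompt strings are skipped because they are not valid Base64, so only the SECRET_FLAG literal is reported.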

Modifying the Check

This solution involves modifying the source code of the script. We see that after entering our input, it’s checked against the hashed password using the check_password function, and the result of that is used to determine whether we get the flag or not.

If we tweak the code a little, say, by changing the line if check_password(inp) to if not check_password(inp), we end up changing the logic of the script to run whatever’s below that line if our password does not match the hashed one, which in this case would be decoding the flag and printing it. After running the script and entering a random password, we get the following output, which includes the decoded flag:

Well done, your flag isssssss MetaCTF{d0n7_7rus7_cl1n7s_wi7h_s3cr37sssssss}