Glitch Cat Beginner picoMini 2022 Solution

Published: April 2, 2026

Description

Our flag printing service has glitched! Connect to the server and decode the output.

Remote

Connect with netcat to receive the glitched flag.

bash
nc saturn.picoctf.net <PORT>

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Connect and receive the output
    Observation
    I noticed the challenge description said the flag printing service had 'glitched' and instructed us to connect and decode the output, which suggested a raw TCP connection via netcat was the right first step to see what the service was actually sending.
    Connect with netcat. The server sends a string like: 'picoCTF{gl17ch_m3_n07_' + chr(0x61) + chr(0x34) + chr(0x39) + ... where some characters are expressed as Python chr() calls instead of literals.
    bash
    nc saturn.picoctf.net <PORT>
    What didn't work first

    Tried: Try reading the raw output as a finished flag and submit it directly.

    The server sends a Python expression like 'picoCTF{gl17ch_m3_n07_' + chr(0x61) + chr(0x34) + ..., not a completed string. Submitting that literal text fails because the portal expects the evaluated result. The chr() calls must be resolved to their character equivalents first.

    Tried: Use curl or a browser to connect to the service instead of netcat.

    The challenge endpoint is a raw TCP service, not HTTP. curl and browsers speak HTTP and will either hang or return a protocol error because there is no HTTP handshake. netcat opens a plain TCP connection and passes the raw bytes directly to your terminal, which is what this server expects.

    Learn more

    netcat (nc) is a lightweight networking utility that opens a raw TCP or UDP connection and passes data between your terminal and the remote host. It is sometimes called the "Swiss army knife of networking" because it can act as both a client and a server, making it invaluable for CTF challenge connections, port scanning, and debugging network services.

    The server here sends a Python expression rather than a plain string. This is a form of light obfuscation - the flag is technically present in the output, but not immediately human-readable because some characters are encoded as chr() calls with hexadecimal arguments. The challenge teaches you to recognize this pattern and reverse it.

    Hexadecimal arguments like 0x61 are common in low-level contexts: 0x61 is 97 in decimal, which is the ASCII code for the lowercase letter a. Understanding the relationship between hex values and ASCII characters is a core CTF skill used constantly in reverse engineering and binary exploitation.

  2. Step 2
    Evaluate the Python expression
    Observation
    I noticed the server output contained a Python expression mixing string literals with chr() calls and the + operator, which suggested feeding the entire expression into python3 -c with a print() wrapper would let the interpreter evaluate and assemble the complete flag instantly.
    Copy the full output and run it as a Python print statement. Python evaluates the chr() calls and string concatenation, assembling the complete flag.
    python
    python3 -c "print('picoCTF{...}')
    What didn't work first

    Tried: Manually look up each hex value in an ASCII table and transcribe the characters by hand.

    This works in principle but is slow and error-prone when the output has many chr() calls. More importantly, the expression is already valid Python, so feeding it directly to the interpreter is faster and eliminates transcription mistakes. The goal is to let the language runtime do the work.

    Tried: Run python3 -c with just the raw server output pasted in without wrapping it in print().

    Pasting the expression as a bare statement makes Python evaluate it but discard the result silently - nothing is printed. You need to wrap the entire expression in print() so the assembled string is written to stdout. Without print(), Python 3 does not automatically display expression values at the command line outside of the interactive REPL.

    Learn more

    chr() is Python's built-in function that converts an integer to the corresponding Unicode character. For values 0-127, Unicode matches ASCII exactly, so chr(0x61) returns 'a', chr(0x7d) returns '', and so on. Its inverse is ord(), which converts a character back to its integer code point.

    The python3 -c "..." flag lets you run a Python one-liner directly from the shell without creating a file. This is extremely useful for quick calculations, decoding, and scripting during CTF challenges. The expression is evaluated exactly as if it were in a .py file.

    String concatenation with + in Python joins strings left to right. The server is effectively building the flag character by character - mixing literal substrings with chr()-encoded characters - and printing the resulting expression instead of the evaluated result. Wrapping it in print() forces Python to evaluate and display the assembled string.

Flag

Reveal flag

picoCTF{gl17ch_m3_n07_...}

chr() converts an integer to its Unicode character - the server 'obfuscates' parts of the flag by expressing them as Python chr() calls rather than literal characters, but evaluating the expression immediately reveals them.

Key takeaway

Light obfuscation replaces readable characters with equivalent expressions (chr() calls, hex escapes, base64 chunks) to slow down human readers without providing any real cryptographic protection. The correct response is always to identify the encoding or expression format and feed it to an interpreter rather than decoding by hand. This pattern appears in malware, packed JavaScript, and obfuscated shellcode, where attackers use chr(), String.fromCharCode(), or hex escapes to evade signature detection.

Related reading

Want more Beginner picoMini 2022 writeups?

Useful tools for General Skills

What to try next