Description
Find the password to decrypt the flag. It's hardcoded in the script in plaintext.
Setup
Download level1.py and level1.flag.txt.enc from the challenge page.
Solution
- Step 1: Read the source code
Open level1.py in a text editor. Find the password comparison -- it is stored as a plaintext string literal: if user_pw == "691d". The password is 691d.
Learn more
Source code review is one of the most powerful techniques in CTF and real-world security assessments. When you have access to the code that protects a secret, reading it directly is always faster and more reliable than guessing or brute-forcing. This is exactly why open-source software still undergoes security audits -- readable code can be reviewed for flaws.
A hardcoded password is a credential embedded directly in source code as a string literal. This is a critical security flaw: anyone who can read the source -- including developers, contractors, version control systems, and anyone who gains repository access -- immediately has the password. It also means changing the password requires redeploying the application.
Real-world hardcoded credentials in source code are shockingly common. Security researchers regularly find API keys, database passwords, and admin credentials committed to public GitHub repositories. Tools like trufflehog and git-secrets exist specifically to scan repositories for accidentally committed secrets.
- Step 2: Run the script and enter the password
Execute the script, enter 691d when prompted, and the flag is decrypted and printed.
    python3 level1.py
    # Enter password: 691d
Learn more
The script uses the password to decrypt an encrypted flag file (level1.flag.txt.enc). This demonstrates the basic pattern of password-based encryption: the password is a key, and the ciphertext is useless without it. In this challenge, the key is trivially exposed by reading the source -- in a real system, the key would be stored separately and securely.
The correct approach for password storage in applications is to never store passwords at all -- instead, store a salted hash of the password. When a user logs in, hash what they typed and compare it to the stored hash. This way, even if the database is compromised, the original passwords are not directly exposed. The subsequent pw-crack challenges build on this concept.
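Added example (not the challenge's own script): the plaintext comparison that level1.py performs, placed next to the salted-hash storage the paragraph above recommends. The PBKDF2 work factor and the helper names are assumptions for this demo; the literal "691d" is the one the challenge hardcodes.

```python
import hashlib
import hmac
import os
from typing import Optional

# Insecure pattern from the challenge: the credential is a literal in the source,
# so anyone who can read the file has it. Constructed to mirror level1.py.
HARDCODED_PW = "691d"


def insecure_check(user_pw: str) -> bool:
    """Plaintext comparison against a hardcoded literal (what level1.py does)."""
    return user_pw == HARDCODED_PW


# Hardened pattern: persist only a salted, iterated hash; never the password.
ITERATIONS = 200_000  # assumed work factor for this demo


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the returned dict is what gets stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, user_pw: str) -> bool:
    """Re-derive the hash from what the user typed and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac(
        "sha256", user_pw.encode(), salt, record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed demo: the hardcoded check accepts the literal, the record does not
    # contain the password, and the same password salted twice gives two records.
    print("insecure check:", insecure_check("691d"))
    rec = make_record("691d")
    print("stored record:", rec)
    print("verify correct:", verify(rec, "691d"), "wrong:", verify(rec, "691e"))
    print("salted twice equal?", make_record("691d")["hash"] == rec["hash"])
```

Because the salt is random, two records for the same password differ, which is what stops a single precomputed table from cracking every stored hash at once.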
Flag
picoCTF{...}
Hardcoded plaintext passwords provide zero security -- anyone who can read the source code or decompile the binary immediately has the credential.