PW Crack 1 Beginner picoMini 2022 Solution

Published: April 2, 2026

Description

Find the password to decrypt the flag. It's hardcoded in the script in plaintext.

Download level1.py and level1.flag.txt.enc from the challenge page.

Solution

  1. Step 1
    Read the source code
    Observation
    The challenge description explicitly states the password is hardcoded in the script in plaintext, which meant opening level1.py and scanning for a string comparison would reveal the credential directly without any guessing.
    Open level1.py in a text editor. Find the password comparison - it is stored as a plaintext string literal: if user_pw == "691d". The password is 691d.
    Learn more

    Source code review is one of the most powerful techniques in CTF and real-world security assessments. When you have access to the code that protects a secret, reading it directly is always faster and more reliable than guessing or brute-forcing. This is exactly why open-source software still undergoes security audits - readable code can be reviewed for flaws.

    A hardcoded password is a credential embedded directly in source code as a string literal. This is a critical security flaw: anyone who can read the source - including developers, contractors, version control systems, and anyone who gains repository access - immediately has the password. It also means changing the password requires redeploying the application.

    Real-world hardcoded credentials in source code are shockingly common. Security researchers regularly find API keys, database passwords, and admin credentials committed to public GitHub repositories. Tools like trufflehog and git-secrets exist specifically to scan repositories for accidentally committed secrets.

  2. Step 2
    Run the script and enter the password
    Observation
    Having found the hardcoded password '691d' in level1.py, I noticed the script is the only way to invoke the custom decryption logic for level1.flag.txt.enc, so running it and supplying the password was the natural final step.
    Execute the script, enter 691d when prompted, and the flag is decrypted and printed.
    python3 level1.py
    # Enter password: 691d

    Expected output

    picoCTF{...}

    What didn't work first

    Tried: Try to decrypt level1.flag.txt.enc directly with openssl or a hex editor without running the script.

    The file is encrypted with a custom scheme inside level1.py, not a standard openssl cipher format. Opening it in a hex editor shows scrambled bytes with no recognizable header, and openssl enc will error on the format. The only correct decryption path is to run level1.py itself, which contains the matching decryption logic.

    Tried: Run python3 level1.py and guess a common password like 'password' or '1234' instead of reading the source.

    The script compares your input against the exact hardcoded string '691d' and exits without printing the flag if they don't match. Common passwords won't work because the developer chose an arbitrary short hex-looking string, not a dictionary word. Reading the source directly gives the answer without any guessing.

    Learn more

    The script uses the password to decrypt an encrypted flag file (level1.flag.txt.enc). This demonstrates the basic pattern of password-based encryption: the password is a key, and the ciphertext is useless without it. In this challenge, the key is trivially exposed by reading the source - in a real system, the key would be stored separately and securely.

    The correct approach for password storage in applications is to never store passwords at all - instead, store a salted hash of the password. When a user logs in, hash what they typed and compare it to the stored hash. This way, even if the database is compromised, the original passwords are not directly exposed. The subsequent pw-crack challenges build on this concept.

Flag

picoCTF{545h_r1ng1ng_...}

Hardcoded plaintext passwords provide zero security - anyone who can read the source code or decompile the binary immediately has the credential.

Key takeaway

Hardcoded credentials are one of the most pervasive real-world vulnerabilities, appearing in production codebases, IoT firmware, and cloud infrastructure scripts. The fundamental mistake is conflating code distribution with secret distribution: every person or system that receives the code also receives the secret. Secrets belong in environment variables, secret managers, or hardware security modules, never in source files that travel with the application.
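
A review-time check for the flaw this challenge is built on, as an added example rather than code from the challenge or from trufflehog or git-secrets. It walks a Python file's syntax tree and reports credential-like names that are compared against, or assigned from, a string literal; the `SUSPECT` name list and the sample source are constructed for this example.

```python
import ast

# Name fragments that suggest a variable holds a credential (assumed heuristic list)
SUSPECT = ("pw", "pass", "secret", "token", "key")

def _name(node):
    """Lowercased identifier for a plain name or attribute access, else ''."""
    if isinstance(node, ast.Name):
        return node.id.lower()
    if isinstance(node, ast.Attribute):
        return node.attr.lower()
    return ""

def _is_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""

def find_hardcoded_credentials(source):
    """Return sorted (line, variable, kind) tuples where a credential-like
    name is compared against, or assigned from, a string literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Compare) and len(node.ops) == 1
                and isinstance(node.ops[0], (ast.Eq, ast.NotEq))):
            pairs = [(node.left, node.comparators[0]), (node.comparators[0], node.left)]
            kind = "compare"
        elif isinstance(node, ast.Assign) and len(node.targets) == 1:
            pairs = [(node.targets[0], node.value)]
            kind = "assign"
        else:
            continue
        for var, lit in pairs:
            name = _name(var)
            if _is_str(lit) and any(s in name for s in SUSPECT):
                findings.append((node.lineno, name, kind))
    return sorted(findings)

# Constructed sample modelled on the comparison quoted in step 1 (not the real level1.py)
SAMPLE = '''\
import os
user_pw = input("Enter password: ")
if user_pw == "691d":
    print("flag would be decrypted here")
db_password = "constructed-example"
api_token = os.environ["API_TOKEN"]
'''

if __name__ == "__main__":
    for line, name, kind in find_hardcoded_credentials(SAMPLE):
        print(f"line {line}: {name} ({kind} with a string literal)")
```

The value read from `os.environ` is not reported, which matches the takeaway: the name of the secret travels with the code, the secret itself does not.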
