picoCTF Solutions
picoCTF 2021General SkillsMedium

Python Wrangling picoCTF 2021 Solution

Published: April 2, 2026

Description

Python scripts are invoked kind of like programs in the terminal. Download and use the provided python script, password file, and encrypted flag.

Setup

Download ende.py, pw.txt, and flag.txt.en from the challenge page.

bash
wget <url>/ende.py
bash
wget <url>/pw.txt
bash
wget <url>/flag.txt.en

Solution

Walk me through it
  1. Step 1Read the password
    The decryption password is stored in pw.txt. Print it so you can supply it to the script.
    bash
    cat pw.txt
    Learn more

    Storing a password in a separate file is a common pattern in software - rather than hard-coding credentials in the main script, they're kept in a dedicated file that can be protected with file system permissions or excluded from version control. In this challenge, the password file is provided to you intentionally as part of the puzzle.

    In real applications you'd never want to store plaintext passwords in a file, but the pattern of reading configuration or secrets from a file is pervasive. Tools like .env files, secrets.json, or environment variables serve the same purpose in production code. The key is that the secret is separate from the logic that uses it.

  2. Step 2Decrypt the flag
    Run ende.py with -d. The argument convention varies; try the script's interactive prompt first, then fall back to argv or stdin redirection if it expects the password directly.
    bash
    # Most common: prompt-driven, paste the password when asked
    python
    python3 ende.py -d flag.txt.en
    bash
    bash
    # Argv-style: password as second positional argument
    python
    python3 ende.py -d flag.txt.en "$(cat pw.txt)"
    bash
    bash
    # Stdin-style: pipe the password
    python
    python3 ende.py -d flag.txt.en < pw.txt
    Learn more

    Command-line flags (like -d) are arguments passed to a program to modify its behavior. The convention of -d for "decrypt" and -e for "encrypt" is common across many cryptographic tools. Python scripts parse these using the sys.argv list or the argparse module, which provides structured argument parsing with help text and type checking.

    The .en file extension likely stands for "encrypted" - a naming convention to distinguish encrypted files from their plaintext originals. The underlying cipher is almost always Fernet (AES-128-CBC + HMAC-SHA256 from the cryptography package), which is the canonical symmetric encryption primitive in modern Python. Since the password is given, no cracking is needed; this challenge is purely about reading the script and supplying its argument convention.

    Running Python scripts: python3 script.py invokes the Python 3 interpreter on script.py. The distinction between python and python3 matters on systems where Python 2 is still the default (older Linux distros). In CTF environments, always check python3 --version first. You can also make scripts directly executable with chmod +x ende.py and then run ./ende.py -d flag.txt.en if the script has a shebang line (#!/usr/bin/env python3).

Flag

picoCTF{...}

The -d flag means decrypt; the password from pw.txt is the decryption key.

Want more picoCTF 2021 writeups?

Browse picoCTF 2021Full library

Useful tools for General Skills

Related reading

What to try next