picoCTF Solutions
picoCTF 2021Binary ExploitationMedium

What's your input? picoCTF 2021 Solution

Published: April 2, 2026

Description

This program requires some tricky input. It is not a compiled binary - it is a short Python script (input.py). Read the script, see exactly what it reads and what it compares your input against, then feed it the values it wants.

Setup

Download the Python script and read it.

bash
wget https://mercury.picoctf.net/static/.../input.py
bash
cat input.py

Solution

Walk me through it
  1. Step 1Read the script - it is Python, not a binary
    Open input.py in any text editor. It reads one or more inputs (usually with input() or by reading lines from stdin) and compares each against a hardcoded expected value with ==. Note the exact strings/numbers it checks and the order it reads them, including any prompt text and whitespace handling (strip(), int(), etc.).
    bash
    cat input.py
    bash
    # Note every input() call, the variable it stores, and the value it is compared to.
    Learn more

    The challenge name is a hint: it just wants the right inputs. Because the source is plain Python, there is no reverse engineering to do - the "answer key" is written out as literals in the comparisons. Read top to bottom and list, in order, each value the script expects.

    Watch for transformations on the way in: .strip() removes surrounding whitespace, int(...) means it wants a number, and an f-string or concatenation may mean it expects a value built from earlier inputs. Match the type and format exactly.

  2. Step 2Map each input to the value it must equal
    Walk the comparisons and write down the expected value for each read, in the order the script asks for them. If a comparison is against a computed value (for example a sum, or input concatenated with a constant), satisfy that relationship rather than copying a literal.
    bash
    # Example shapes you might find in input.py:
    bash
    #   a = input('...');  assert a == 'some_string'
    bash
    #   b = int(input());  assert b == 1337
    bash
    #   if first + second == 'expected_combo': print(flag)
    Learn more

    Most variants of this challenge read a handful of values and check them with == or assert. The expected inputs are exactly the right-hand sides of those comparisons. Give the script those values, in order, and it prints the flag.

  3. Step 3Supply the inputs and read the flag
    Run the script and provide the expected values. For multiple inputs, pipe them in separated by newlines so each input() call receives the next line.
    python
    python3 input.py    # then type each expected value when prompted
    bash
    # Or feed all inputs at once (one per line):
    bash
    printf 'first_value\nsecond_value\n' | python3 input.py
    Learn more

    Piping with printf is the reliable way to satisfy several input() calls: each \n-separated line is consumed by the next read in order. Once every comparison passes, the script reaches the branch that prints the flag.

Flag

picoCTF{...}

It is a Python script (input.py), not a binary. Read the source, note the exact value each input() is compared against, and supply those values in order to reach the flag-printing branch.

Want more picoCTF 2021 writeups?

Browse picoCTF 2021Full library

Useful tools for Binary Exploitation

Related reading

What to try next