Description
The provided Python script (`bloat.flag.py`) hides logic behind an array of printable characters before requesting a password to decrypt `flag.txt.enc`. Deobfuscate the script to recover the password, then run it to reveal the flag.
Setup
Download both `bloat.flag.py` and `flag.txt.enc` into the same working directory.
Read through the script to understand how the lookup table `a[...]` maps back to readable characters.
After uncovering the hard-coded password (`happychance`), run the script to decrypt the encrypted flag file.
wget https://artifacts.picoctf.net/c/103/bloat.flag.py
wget https://artifacts.picoctf.net/c/103/flag.txt.enc
python3 bloat.flag.py
python3 bloat.flag.py | tee output.txt
sed -n '2p' output.txt
Solution
- Step 1: Understand the lookup table. All strings are constructed from the array `a`, so loading the array into a Python REPL and printing the indexed expressions reveals the original statements and variables.
Learn more
Code obfuscation is the deliberate process of making source code harder to read without changing its behavior. This script uses a common Python obfuscation technique: storing all string literals as indices into a single character array `a`. Instead of writing `"happychance"` directly, the code writes something like `a[7]+a[0]+a[15]+...`, which produces the same string at runtime but is opaque at a glance.
The fastest way to defeat this kind of obfuscation is to let Python do the work for you. Open a REPL, define the array `a` exactly as it appears in the script, then print any expression you want decoded. The interpreter evaluates the indexing and shows you the plaintext result instantly - no manual decoding required.
Real malware frequently uses similar tricks (character-array string building, base64-encoded payloads, eval chains) to evade static analysis tools. Understanding obfuscation patterns is valuable for both CTF and malware analysis work.
- Step 2: Recover the password. Deobfuscating the script exposes `happychance` near the top of the file. Once you know it, you can leave the script as-is and supply the password at runtime.
Learn more
Hard-coded passwords in scripts are a classic security antipattern. Even when the string is obfuscated - as it is here - an attacker who has access to the script can always recover the credential by running the code or evaluating the expression. The obfuscation provides security through obscurity at best, and no real protection.
In practice, credentials should never live in source code. Secure alternatives include environment variables, secret management services (AWS Secrets Manager, HashiCorp Vault), or prompting the user at runtime and deriving a key via a proper key derivation function (KDF) like PBKDF2 or Argon2 - not storing the password in the script at all.
- Step 3: Decrypt the flag. Execute `python3 bloat.flag.py`, enter `happychance`, and capture the output with `tee` or a redirect to isolate the second line, which contains the picoCTF flag.
Learn more
`tee` is a Unix utility that reads from standard input and writes to both standard output and one or more files simultaneously. Using `python3 bloat.flag.py | tee output.txt` lets you see the output on screen in real time while also saving it for later processing - useful when a program produces multiple lines and you only need one.
`sed -n '2p'` prints only the second line of a file (`-n` suppresses default output; `2p` prints line 2). This is a quick way to extract a specific line without loading the entire file into memory or using a more complex tool.
The broader lesson: when a script produces mixed output (prompts, decryption results, debug messages), piping through line-selection tools like `sed`, `awk`, or `grep` is faster than copying and pasting from the terminal.
Flag
picoCTF{d30bfu5c4710n_f7w_b80...}
Never run opaque scripts blindly: printing the decoded payload first keeps you safe and shows the password immediately.
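To decode the `a[...]` expressions from Step 1 without executing the script at all, the added example below (not part of the original writeup or the challenge files) folds them statically with Python's `ast` module. The `SAMPLE` source, its lookup table and the helper names are constructed for illustration, and Python 3.9+ is assumed for `ast.unparse`.

```python
import ast, contextlib

# Constructed sample in the style described above; NOT the real bloat.flag.py.
SAMPLE = '''\
a = "abcdefghijklmnopqrstuvwxyz_ :"
def check(pw):
    if pw == a[7]+a[0]+a[15]+a[15]+a[24]+a[2]+a[7]+a[0]+a[13]+a[2]+a[4]:
        return True
    print(a[1]+a[0]+a[3]+a[27]+a[15]+a[-7])
    return False
'''

def find_table(tree):
    """Return (name, value) of the first module-level `name = "<str>"` assignment."""
    for stmt in tree.body:
        if isinstance(stmt, ast.Assign) and len(stmt.targets) == 1:
            tgt, val = stmt.targets[0], stmt.value
            if (isinstance(tgt, ast.Name) and isinstance(val, ast.Constant)
                    and isinstance(val.value, str)):
                return tgt.id, val.value
    raise ValueError("no module-level string table found")

class Folder(ast.NodeTransformer):
    """Fold table[<int literal>] to its character, then join 'x' + 'y' literals."""
    def __init__(self, name, table):
        self.name, self.table = name, table

    def visit_Subscript(self, node):
        self.generic_visit(node)
        if (isinstance(node.value, ast.Name) and node.value.id == self.name
                and isinstance(node.ctx, ast.Load)):
            # literal_eval accepts 7 or -7 and rejects names, calls and slices.
            with contextlib.suppress(ValueError, TypeError, IndexError):
                idx = ast.literal_eval(node.slice)
                if isinstance(idx, int):
                    return ast.copy_location(ast.Constant(self.table[idx]), node)
        return node  # not a constant in-range index: leave the expression alone

    def visit_BinOp(self, node):
        self.generic_visit(node)  # fold children first so whole chains collapse
        parts = (node.left, node.right)
        if isinstance(node.op, ast.Add) and all(
                isinstance(p, ast.Constant) and isinstance(p.value, str) for p in parts):
            return ast.copy_location(ast.Constant(parts[0].value + parts[1].value), node)
        return node

def deobfuscate(source):
    """Parse only (nothing is executed). Assumes the table is never reassigned."""
    tree = ast.parse(source)
    return ast.unparse(Folder(*find_table(tree)).visit(tree))
```

Calling `print(deobfuscate(SAMPLE))` shows the readable source; index expressions that depend on runtime values are left untouched rather than guessed.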