Description
lyric-reader.py prints verses and a refrain but never displays the secret intro that holds the flag. Use the CROWD prompt to inject a `RETURN 0` directive and jump to the hidden lines.
Read the script to understand that CROWD lines accept user input, which is then split on semicolons and interpreted as additional instructions.
Connect to the remote service (or run the script locally) and wait for the first CROWD prompt.
nc verbal-sleep.picoctf.net 56688
;RETURN 0
Solution
- Step 1: Leverage CROWD input. When prompted with `Crowd:`, enter a string that includes `;RETURN 0`. Because the interpreter splits on semicolons, the injected `RETURN 0` will set `lip` to 0 (the top of the song).
- Step 2: Reveal the secret intro. Jumping to line 0 prints `secret_intro`, which concatenates the flag. Let the script continue and read the picoCTF string.
Flag
picoCTF{70637h3r_f0r3v3r_750...}
Any input containing `;RETURN 0` works because the preceding characters are ignored.
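The root cause, shown as an added example that is not the challenge's `lyric-reader.py`: a simplified model of an interpreter that splits lines on semicolons, with the flawed CROWD handling beside a version that keeps the reply as data. The names `play`, `SONG` and `hardened`, the sample lines, and the write-back-then-reinterpret structure are assumptions made for illustration.

```python
import re

# Constructed stand-in for the song: line 0 plays the role of the hidden
# intro, and playback normally starts at line 1.
SONG = ["[hidden intro placeholder]", "Verse one", "CROWD", "Verse two", "END"]


def play(song, crowd_reply, hardened=False, start=1, max_steps=20):
    """Interpret song lines and return the list of lines that were printed."""
    lines, out, lip = list(song), [], start
    for _ in range(max_steps):  # bound the run, since RETURN can loop forever
        if lip >= len(lines):
            break
        line = lines[lip]
        if line == "CROWD":
            if hardened:
                # Fix: the reply is output data only, never parsed as directives.
                out.append("Crowd: " + crowd_reply)
                lip += 1
            else:
                # Flaw: the reply is written into the instruction stream and
                # the same line is interpreted again on the next iteration.
                lines[lip] = "Crowd: " + crowd_reply
            continue
        jumped = False
        for part in line.split(";"):
            if part == "END":
                return out
            m = re.fullmatch(r"RETURN ([0-9]+)", part)
            if m:
                lip = int(m.group(1))  # directive moves the line pointer
                jumped = True
                break
            if part:
                out.append(part)
        if not jumped:
            lip += 1
    return out


if __name__ == "__main__":
    print(play(SONG, ";RETURN 0"))                 # hidden line 0 is reached
    print(play(SONG, ";RETURN 0", hardened=True))  # reply stays plain text
```

The hardened branch fixes the bug by never placing user input where the directive parser will read it, rather than by filtering semicolons out of the reply.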