picoCTF Solutions
picoCTF 2026General SkillsEasy

bytemancy 1 picoCTF 2026 Solution

Published: March 20, 2026

Description

Can you conjure the right bytes? Download app.py and recover the exact input the server expects.

Setup

Download app.py

Download and read app.py to understand what byte sequence the server expects.

Launch the challenge instance and connect via netcat.

bash
cat app.py

Solution

Walk me through it
  1. Step 1Read the source code
    Open app.py. The check is literally expected = 'e' * 1751, so 1751 isn't arbitrary, it's the source. ASCII 101 = 'e'. See Python for CTF for payload-shaping idioms.
    bash
    cat app.py
    bash
    grep 'expected' app.py   # confirms 'e' * 1751
    python
    python3 -c 'print(len("e"*1751))'  # sanity: 1751
    Learn more

    The step from 3 repetitions (bytemancy-0) to 1751 repetitions (bytemancy-1) is designed to rule out manual typing. You cannot reasonably type 1751 'e' characters by hand, so the challenge forces you to use a script or shell one-liner to generate the payload programmatically. This is a key lesson: automation is a core CTF skill.

    Python string multiplication ('e' * 1751) creates a string of exactly 1751 'e' characters in a single expression. The same works for byte strings: b'e' * 1751. This technique extends to generating padding bytes (b'\x00' * 64), creating cyclic patterns, and building exploit payloads where length matters precisely.

    The python3 -c flag runs a single Python expression from the command line, making it ideal for quick payload generation. Combined with shell pipes (|) and netcat, you get a complete one-liner exploit. For more complex interactions, pwntools' remote() class handles the full connection lifecycle including reading responses and sending multiple payloads.

  2. Step 2Send the payload
    Generate 1751 es and send. Note the s.recv(512) in the Python form is not optional, it consumes the prompt banner so the next read aligns. See netcat for CTF.
    python
    python3 -c "print('e' * 1751)" | nc <HOST> <PORT_FROM_INSTANCE>
    bash
    # Interactive variant - recv(512) syncs with the banner before sending:
    python
    python3 -c "import socket; s=socket.create_connection(('<HOST>', <PORT_FROM_INSTANCE>)); s.recv(512); s.sendall(b'e'*1751 + b'\n'); print(s.recv(512).decode())"
    Learn more

    The two approaches shown - piping through nc vs. using Python's socket module - differ in interactivity. The pipe approach is fire-and-forget: it sends the payload and displays whatever the server returns, but cannot respond to multiple prompts. The socket approach reads the banner first, then sends the payload, then reads the response - giving full control of the conversation.

    The socket module is Python's low-level network interface. socket.create_connection() is a convenience wrapper that resolves the host, creates a TCP socket, and connects - equivalent to socket.socket(AF_INET, SOCK_STREAM) followed by .connect(). For CTF use, pwntools' remote(host, port) is even more convenient and adds methods like recvuntil(), sendline(), and interactive().

    A subtle detail: the server reads input until a newline and then compares. Adding b'\n' (or using print() which adds one automatically) is important - without it, the server may block forever waiting for the line terminator. This is a common gotcha when working with line-buffered servers.

Flag

picoCTF{byt3m4ncy_1_...}

app.py asks for ASCII decimal 101 × 1751, no spaces. Send the string 'e' repeated 1751 times.

Want more picoCTF 2026 writeups?

Browse picoCTF 2026Full library

Useful tools for General Skills

Related reading

What to try next