Picker I

Published: March 5, 2024
Updated: December 9, 2025

Description

This supposedly random-number service exposes helper functions inside its Python source. If you can trigger win(), it prints the flag instead of a number.

Remote Python service | Download: picker-I.py

Grab the Python source so you can see helper functions like getRandomNumber() and win().

Test it locally with python3 to understand which identifiers the service accepts.

wget https://artifacts.picoctf.net/c/515/picker-I.py
python3 picker-I.py

Solution

  1. Step 1: Identify callable functions
     The script reads a string and passes it into eval-style logic. Typing getRandomNumber returns 4 exactly as the code shows, so calling win should trigger the flag routine.
  2. Step 2: Call win on the remote service
     Connect to the deployed instance with netcat and send win. The program prints the flag as a sequence of hex bytes instead of ASCII.
     printf "win\n" | nc saturn.picoctf.net 51291
  3. Step 3: Convert from hex
     Copy the 0x-prefixed values into CyberChef (From Hex) or pipe them through xxd -r -p locally to reveal the picoCTF flag.
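The three steps above come down to one design flaw: the service resolves whatever identifier it reads. The following is an added example, not the challenge's own picker-I.py source; it reconstructs that eval-style dispatch (assuming the service appends "()" to the typed name, which the page does not show), puts an allowlist dispatch beside it, and decodes the 0x-prefixed output from Step 3 without CyberChef. The flag value is a constructed placeholder.

```python
# Added example, not the picker-I.py source. Contrasts eval-style dispatch
# (any in-scope name is callable, including win) with an allowlist dispatch
# that only exposes intended helpers, and decodes the hex output of win().

FLAG = "picoCTF{CONSTRUCTED_PLACEHOLDER}"  # constructed, not the real flag


def getRandomNumber():
    return 4  # the value the write-up observes when typing getRandomNumber


def win():
    # Emits the flag as space-separated 0x-prefixed bytes, as the service does.
    return " ".join(f"0x{b:02x}" for b in FLAG.encode())


def unsafe_dispatch(user_input: str) -> str:
    """Reconstruction (assumption) of the eval-style behaviour: the typed
    identifier is looked up and called, so 'win' reaches the flag routine."""
    return str(eval(user_input.strip() + "()"))


# Hardened form: publish exactly the commands users may invoke, nothing else.
PUBLIC_COMMANDS = {"getRandomNumber": getRandomNumber}


def safe_dispatch(user_input: str) -> str:
    """Allowlist dispatch: names outside PUBLIC_COMMANDS are rejected,
    so win() is unreachable no matter what the client types."""
    fn = PUBLIC_COMMANDS.get(user_input.strip())
    if fn is None:
        return "error: unknown command"
    return str(fn())


def decode_hex_output(text: str) -> str:
    """Turn '0x70 0x69 ...' output into ASCII (Step 3, done in Python)."""
    return bytes(int(tok, 16) for tok in text.split()).decode()


if __name__ == "__main__":
    print(unsafe_dispatch("getRandomNumber"), unsafe_dispatch("win")[:20])
    print(safe_dispatch("getRandomNumber"), "|", safe_dispatch("win"))
    print(decode_hex_output(win()))
```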

Flag

picoCTF{4_d14m0nd_1n_7h3_r0u...5d5b}

The remote program never validates user input beyond evaluating tokens, so calling win outputs the flag immediately.