Picker III

Published: March 5, 2024
Updated: December 9, 2025

Description

Picker III adds a primitive menu with helper functions for reading and writing names. Overwrite getRandomNumber with win so option 4 triggers the flag routine.

Menu-driven exploit

Run the script locally and issue the help command to list the numbered actions.

Identify option 3 (write_variable) and option 4 (get_flag). Overwriting getRandomNumber with win unlocks the final option.

wget https://artifacts.picoctf.net/c/526/picker-III.py
python3 picker-III.py

Solution

  1. Step 1: Use write_variable
    Choose menu item 3. When prompted for the variable name, enter getRandomNumber and when prompted for the new value, enter win. This hijacks the pointer used by option 4.
  2. Step 2: Trigger the modified function
    Back in the main menu pick option 4. Because getRandomNumber now resolves to win, the service prints the flag (again as a stream of hex bytes).
    nc saturn.picoctf.net 49706
  3. Step 3: Decode the hex output
    Paste the 0x-prefixed values into CyberChef (From Hex) or use xxd -r to turn them into ASCII. The decoded string is the final flag.

Flag

picoCTF{7h15_15_wh47_w3_g37_w17h_u53r5_1n_ch4...dd285}

Once getRandomNumber points at win, every subsequent run leaks the same hex-encoded flag.
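
The rebinding that steps 1 and 2 rely on, modelled next to a hardened write helper. This is an added example, not the challenge's source: the namespace dict, the name variable, the placeholder flag and both write helpers are constructed for illustration, and the shared name table is an assumption about how the script resolves its handlers.

```python
# Constructed model of the pattern described above; not picker-III.py itself.

def get_random_number():
    return 4

def win():
    return "FLAG{constructed-placeholder}"  # placeholder, not the real flag

def make_namespace():
    # Stand-in for the script's globals: functions and data share one table.
    return {"getRandomNumber": get_random_number, "win": win, "name": "guest"}

def write_variable_unsafe(ns, var_name, value):
    # Weak form: any existing name may be rebound, and the value is resolved
    # as a name first, so one function reference can replace another.
    ns[var_name] = ns.get(value, value)

WRITABLE = frozenset({"name"})  # data-only variables a user may change

def write_variable_safe(ns, var_name, value):
    # Hardened form: allowlist the target and store the input as plain data.
    if var_name not in WRITABLE:
        raise PermissionError(f"{var_name!r} is not user-writable")
    if not (isinstance(value, str) and value.isprintable() and len(value) <= 64):
        raise ValueError("value must be a short printable string")
    ns[var_name] = value

def option_4(ns):
    # The menu entry looks its handler up by name at call time.
    return ns["getRandomNumber"]()

def demo():
    weak, hard = make_namespace(), make_namespace()
    write_variable_unsafe(weak, "getRandomNumber", "win")
    try:
        write_variable_safe(hard, "getRandomNumber", "win")
        blocked = False
    except PermissionError:
        blocked = True
    # (result with weak helper, result with hardened helper, write rejected?)
    return option_4(weak), option_4(hard), blocked

if __name__ == "__main__":
    print(demo())
```

With the hardened helper, a permitted write such as name = win is stored as the string "win" and never resolved to the function object.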