🧠 Introduction

This is the beginning of my journey into reverse engineering and Capture The Flag (CTF) challenges. I recently completed my first challenge on PicoCTF called Flag Hunters — a cleverly designed beginner-friendly reverse engineering puzzle. In this post, I'll share how I solved it step by step, what I learned, and how it sparked my interest in cybersecurity.

🎯 Challenge Description

The challenge is titled Flag Hunters and belongs to the Reverse Engineering category. It gives a Python file called lyric-reader.py, along with a netcat connection to interact with a server version of the script.

Hints Provided:

  • "Is there any syntax that is ripe for subversion?"
  • "Unsanitized user input is always good, right?"

These hinted toward user input vulnerabilities and control flow manipulation — key themes in reverse engineering.

🔍 Analyzing the Code

After downloading the lyric-reader.py file, I reviewed the code and spotted something interesting:

flag = open('flag.txt', 'r').read()

The flag is loaded but never printed directly — it's hidden inside a variable called secret_intro. This intro is added to the start of a big song-like structure, and the only way to access it is through special logic using labels like [REFRAIN], RETURN, and a user prompt labeled Crowd:.

🎮 Local Testing

I created my own flag.txt with a test value:

echo "picoCTF{test_flag_123}" > flag.txt

Then I added a debug line to print the flag:

print("FLAG:", flag)

This helped me understand how the control flow worked. Every time the script hit Crowd:, it allowed user input. By typing something like: RETURN 0 it would jump back to line 0 and print the hidden flag.
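The same behaviour in a constructed toy reader, with and without the fix. This is an added example, not code from lyric-reader.py; the SONG contents, the play function and its sanitize switch are assumptions made for illustration.

```python
import re

# Constructed stand-in for the song: line 0 is the hidden intro, and playback
# starts at line 1, so the intro is never shown during a normal run.
SONG = [
    "SECRET_INTRO placeholder_flag",  # constructed value, not a real flag
    "Verse one",
    "CROWD",                          # the reader asks the audience for input here
    "Verse two",
    "END",
]
START = 1
RETURN_RE = re.compile(r"RETURN (\d+)")


def play(song, crowd_inputs, sanitize):
    """Run the toy reader and return the list of lines it would print."""
    out, pc, steps = [], START, 0
    inputs = iter(crowd_inputs)
    while 0 <= pc < len(song) and steps < 50:  # step cap stops endless RETURN loops
        steps += 1
        line = song[pc]
        if line == "END":
            break
        if line == "CROWD":
            reply = next(inputs, "")
            # Hardened mode never hands the reply to the directive parser.
            m = None if sanitize else RETURN_RE.fullmatch(reply)
            if m is None:
                out.append("Crowd: " + reply)  # reply is treated as plain text
                pc += 1
            else:
                pc = int(m.group(1))           # vulnerable: the reply steers the reader
            continue
        m = RETURN_RE.fullmatch(line)          # directives written by the song author
        if m:
            pc = int(m.group(1))
            continue
        out.append(line)
        pc += 1
    return out


if __name__ == "__main__":
    print(play(SONG, ["RETURN 0"], sanitize=False))  # hidden intro appears
    print(play(SONG, ["RETURN 0"], sanitize=True))   # reply is only echoed
```

The fix is structural rather than a filter: directives are parsed only from lines the script author wrote, and audience input is only ever echoed.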

🌐 Netcat Interaction

Then I connected to the challenge server using:

nc verbal-sleep.picoctf.net 60492

When the script reached Crowd:, I typed:

RETURN 10

Boom! The flag appeared. 🎉

🧠 What I Learned

  • How unsanitized input can change program behavior
  • The basics of Python control flow exploitation
  • How to use netcat and analyze Python-based reverse challenges
  • That reading code carefully is the most powerful skill in reverse engineering

🚀 What's Next?

I've officially started my journey into reverse engineering and CTFs! I'm planning to explore more challenges and document my progress right here on Medium. Stay tuned for more writeups and tips.

🙌 Thanks for Reading!

If you're also getting started with CTFs, I'd love to connect. Let's learn and grow together in this exciting field of cybersecurity!
