PlaidCTF 2019

Can You Guess Me

Given the following application:

from secret import secret_value_for_password, flag, exec

...

val = 0
inp = input("Input value: ")
count_digits = len(set(inp))
if count_digits <= 10:          # Make sure it is a number
    val = eval(inp)
else:
    raise

if val == secret_value_for_password:
    print(flag)
else:
    print("Nope. Better luck next time.")

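Despite the comment, the check does not test for digits: it only limits the input to at most 10 distinct characters before passing it to eval. So this means you have to golf some variant of print(flag) (which is 11 characters, all distinct) to get the flag.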

Taking a look at the built-in functions, I come across the help(...) function. While the help menu itself does not provide any relevant functionality, this part is interesting: "If the argument is a string, then the string is looked up as the name of a module, function, class, method, keyword, or documentation topic, and a help page is printed on the console."

What happens if I execute help(flag)?

justin@kali:~/plaidctf2019$ nc canyouguessme.pwni.ng 12349


  ____         __   __           ____                     __  __
 / ___|__ _ _ _\ \ / /__  _   _ / ___|_   _  ___  ___ ___|  \/  | ___
| |   / _` | '_ \ V / _ \| | | | |  _| | | |/ _ \/ __/ __| |\/| |/ _ \
| |__| (_| | | | | | (_) | |_| | |_| | |_| |  __/\__ \__ \ |  | |  __/
 \____\__,_|_| |_|_|\___/ \__,_|\____|\__,_|\___||___/___/_|  |_|\___|



Input value: help(flag)
No Python documentation found for 'PCTF{hmm_so_you_were_Able_2_g0lf_it_down?_Here_have_a_flag}'.
Use help() to get the interactive help utility.
Use help(str) for help on the str class.

Nope. Better luck next time.
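
Why the filter accepts help(flag), next to a hardened way to read the number, as an added example that is not part of the challenge source or the original writeup. The function names and the sample inputs are constructed for illustration, and the secret is assumed to be an integer.

```python
MAX_DISTINCT = 10  # same limit as the challenge's check


def distinct_chars(inp: str) -> int:
    """What the challenge measures: distinct characters, not digits."""
    return len(set(inp))


def passes_filter(inp: str) -> bool:
    """Reproduces the gate the challenge puts in front of eval()."""
    return distinct_chars(inp) <= MAX_DISTINCT


def parse_number(inp: str) -> int:
    """Hardened replacement: accept ASCII decimal digits only, never eval()."""
    text = inp.strip()
    if not text or len(text) > 64 or not (text.isascii() and text.isdigit()):
        raise ValueError("input must be a decimal number")
    return int(text)


def check_guess(inp: str, secret: int) -> bool:
    """Malformed input is treated as a wrong guess; nothing is evaluated."""
    try:
        return parse_number(inp) == secret
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one real number and two expressions.
    for sample in ["1234567890", "print(flag)", "help(flag)"]:
        try:
            parse_number(sample)
            hardened = "accepted"
        except ValueError:
            hardened = "rejected"
        print(f"{sample!r:16} distinct={distinct_chars(sample):2} "
              f"original_filter={'eval' if passes_filter(sample) else 'raise'} "
              f"hardened={hardened}")
```
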