โš™๏ธ Flag Hunters

A detailed write-up of the Rev challenge 'Flag Hunters' from PicoCTF - 2025

/images/PicoCTF-2025/Rev/FlagHunters/challenge_presentation.png
Challenge Presentation

📊 Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| 🏆 Event | PicoCTF - 2025 | |
| 🔰 Category | Rev ⚙️ | |
| 💎 Points | 75 | Out of 500 total |
| ⭐ Difficulty | 🟢 Easy | Personal Rating: 1/10 |
| 👤 Author | syreal | |
| 🎮 Solves (at the time of flag submission) | 2.208 | Solve rate |
| 📅 Date | 14-03-2025 | PicoCTF - 2025 |
| 🦾 Solved By | mH4ck3r0n3 | |

๐Ÿ“ Challenge Information

Lyrics jump from verses to the refrain kind of like a subroutine call. There’s a hidden refrain this program doesn’t print by default. Can you get it to print it? There might be something in it for you. The program’s source code can be downloaded here. Connect to the program with netcat:

$ nc verbal-sleep.picoctf.net 50331

🎯 Challenge Files & Infrastructure

Provided Files

Files:

๐Ÿ” Initial Analysis

First Steps

Analyzing the attached source file, I understood that the program works like a song-lyric reader and uses logic similar to a finite state machine, with labels ([REFRAIN], [VERSE1], RETURN, etc.) to jump between parts of the song. As we can see, the variable secret_intro contains the flag:

# Read in flag from file
flag = open('flag.txt', 'r').read()
secret_intro = \
'''Pico warriors rising, puzzles laid bare,
Solving each challenge with precision and flair.
With unity and skill, flags we deliver,
The ether’s ours to conquer, '''\
+ flag + '\n'

The program splits each song line at the ; character and executes the resulting tokens one after another:

for line in song_lines[lip].split(';'):

This means a ; inside our input starts a new command. When the program encounters a token matching the RETURN X syntax, it directly sets the lip variable, which controls which line of the song is read next. If we can control this variable, we can redirect the program flow to the line containing secret_intro:

elif re.match(r"RETURN [0-9]+", line):
   lip = int(line.split()[1])

Our input is directly added to the song text:

elif re.match(r"CROWD.*", line):
   crowd = input('Crowd: ')
   song_lines[lip] = 'Crowd: ' + crowd
   lip += 1

When the program prompts for “Crowd:” input, whatever we enter is written straight into the song text and is later executed as part of the song. The input is not validated in any way, which allows us to inject commands. Let’s move on to the exploitation phase.

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • Command Injection

🎯 Solution Path

Exploitation Steps

Initial setup

As noted above, the RETURN X command lets us jump back to a specific line of the song. Let’s move on to the next phase.

Exploitation

The exploitation is quite simple; in fact, we just need to enter ;RETURN 0 at the Crowd: prompt to jump back to the first line of the song, which is the secret_intro text and consequently contains the flag.
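To see why a single ;RETURN 0 reaches line 0, here is a constructed miniature of the interpreter logic quoted above (an added example, not the challenge's own source: the song text is shortened, the flag is a placeholder, and crowd_input() stands in for input()). The harden flag shows the fix: crowd input is printed as data instead of being written back into the executable song text.

```python
import re

# Constructed miniature of the challenge's lyric interpreter (added example,
# not the original source). Line 0 holds the secret intro with a placeholder flag.
SONG = [
    "The ether's ours to conquer, picoCTF{placeholder_flag}",  # 0: never reached normally
    "[REFRAIN]",
    "We're flag hunters in the ether, lighting up the grid,",
    "CROWD (Singalong here!)",
    "RETURN",  # rewritten to 'RETURN <n>' each time a verse jumps to the refrain
    "[VERSE1]",
    "Built on the wisdom of those who came before,",
    "REFRAIN",
    "Every bit and byte, we've learned to adore,",
    "REFRAIN",
    "END",
]
MAX_LINES = 100  # loop guard; an injected RETURN 0 would otherwise spin forever


def reader(song, crowd_input, harden=False):
    """Interpret the song; crowd_input() stands in for input(). Returns the printed lines."""
    song_lines = list(song)
    refrain = song_lines.index("[REFRAIN]") + 1
    refrain_return = song_lines.index("RETURN")
    out, lip, finished, count = [], song_lines.index("[VERSE1]") + 1, False, 0
    while not finished and count < MAX_LINES:
        count += 1
        # Every ';'-separated token of the current line is treated as a command
        for line in song_lines[lip].split(";"):
            if line == "REFRAIN":
                song_lines[refrain_return] = "RETURN " + str(lip + 1)
                lip = refrain
            elif re.match(r"RETURN [0-9]+", line):
                lip = int(line.split()[1])
            elif line == "END":
                finished = True
            elif re.match(r"CROWD.*", line):
                crowd = crowd_input()
                if harden:
                    out.append("Crowd: " + crowd)  # fixed: input is output, never re-parsed
                else:
                    song_lines[lip] = "Crowd: " + crowd  # vulnerable: input becomes song code
                lip += 1
            else:
                out.append(line)
                lip += 1
    return out
```

The stored "Crowd: ;RETURN 0" line is not executed immediately; it runs on the next pass through the refrain, which is why the flag appears only after the verse loops back.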

Flag capture

/images/PicoCTF-2025/Rev/FlagHunters/manual_flag.png
Manual Flag

๐Ÿ› ๏ธ Exploitation Process

Approach

The automated exploit connects to the server, sends ;RETURN 0 at the Crowd: prompt, waits for the full response, and then extracts the flag from it with a regex.

🚩 Flag Capture

Flag

picoCTF{70637h3r_f0r3v3r_6c145c84}

Proof of Execution

/images/PicoCTF-2025/Rev/FlagHunters/automated_flag.png
Automated Flag
Screenshot of successful exploitation

🔧 Tools Used

| Tool | Purpose |
|---|---|
| Python | Exploit |

💡 Key Learnings

Time Optimization

  • Always check what can be done through user input, because that’s usually where the vulnerability lies.

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📊 Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:10 | From start to flag |
| Global Ranking (at the time of flag submission) | 1238/10381 | Challenge ranking |
| Points Earned | 75 | Team contribution |

Created: 14-03-2025 • Last Modified: 14-03-2025 • Author: mH4ck3r0n3