Skip to content


After tryng the program a bit I noticed that using flag{ as input the first part of the new encrypted text and the encrypted flag was the same. I coded a program that will try every possible combination of characters position by position calculating which of the character produce the best output:

#!/usr/bin/env python3

from pwn import *

connection = remote('',31921)

def get_guess_fitness(encrypted_flag: str, guessed_flag: str):
    mathing_characters = 0
    for encrypted_flag_character, guessed_flag_character in zip(encrypted_flag, guessed_flag):
        if(encrypted_flag_character == guessed_flag_character):
            mathing_characters +=  1

    return mathing_characters / len(encrypted_flag)

with log.progress('Getting encrypted flag...') as p:
    connection.recvline('NINA: Hello! I found a flag, look!')
    encrypted_flag = connection.recvline().decode().strip()

with log.progress('Guessing flag...') as p:
    flag_guess = ''
    current_fitness = 0;
    alphabet = list(string.printable)[:-6]

    while current_fitness != 1:
        new_character = ''

        for character in alphabet:
            p.status(flag_guess + character)
            connection.send(flag_guess + character)
            connection.recvline("""connection.recvline('NINA: Ta-daaa!! I think this is called a 'one' 'time' 'pad' or something?')""")

            encrypted_guess = connection.recvline().decode().strip()
            new_fitness = get_guess_fitness(encrypted_flag, encrypted_guess)
            if(new_fitness > current_fitness):
                new_character = character
                current_fitness = new_fitness

        flag_guess += new_character



Executing the program will give us the flag:

└─$ ./
[+] Opening connection to on port 31921: Done
[+] Getting encrypted flag...: Done
[+] Guessing flag...: flag{9276cdb76a3dd6b1f523209cd9c0a11b}
[*] Closed connection to port 31921