Prompt
We have created a python script for you to break into as training. See if you can figure out a password that will authenticate with the program.
Walk-Through
This challenge involves analyzing vulnerabilities in a compiled Python program. Notice that the contents of the file are not initially human readable. A .pyc filetype is Python compiled bytecode of a Python (.py) source file, so it is meant to be machine readable. We’ll need to convert this file back to the source code.
The uncompyle program can be used to convert the compiled program back into Python code. It is a decompiler that accepts bytecode from Python versions 1.5 up to 3.7. If you already have uncompyle installed, be sure to check for the correct version number. No matter what version you use, the syntax used in the command below should decompile the .pyc file:
uncompyle2 PYTHON2.pyc > python2.pyThe result of running uncompyle2 PYTHON2.pyc > python2.py can be seen below:
Guide
This guide will review the lines of the main function in order to better understand how to get the correct password, or ‘secret key’— as referred to in the question— that can pass validation. For this challenge, we want to get the output “correct” to print after running the program.
The first few lines of the main function are exactly like the Python1 challenge; refer there for an explanation of sys.argv.
Lines 9-12 initializes the variablevals with a list of characters. If the length (in characters) of password and vals does not match then the program outputs ‘incorrect’ and the program ends.
vals = list('tfzbwlyzljylawhzzdvyk')
if len(password) != len(vals):
print 'incorrect'
returnOn line 13 a ‘while’ loop is initialized and only executes if the counter variable is less than the length of password. On lines 14-16, ‘7’ is added to the Unicode value of the characters of password. If the value of x goes beyond the Unicode value for letter ‘z’, 26 is subtracted from the Unicode value so it loops back to a value for a letter at the beginning of the alphabet. This is very similar to how a Caesar Cipher would work.
The second ‘if’ condition checks to see that the character for the calculated x variable matches the vals list. If any value doesn’t match, the program will print ‘incorrect’ and end.
while counter < len(password):
x = ord(password[counter]) + 7
if x > ord('z'):
x -= 26
if chr(x) != vals[counter]:
print 'incorrect'
return
counter += 1To solve the challenge, you would need to shift each character in vals backwards 7 positions in the alphabet to make it look like the ‘secret key’ that should be entered. This could be done manually or by using a tool like CyberChef.
Helpful tools for this challenge:
uncompyle2- CyberChef
Tutorial Video
Cyber Skyline Live - Code Reverse Engineering Basics - March 10, 2022
In Cyber Skyline Live - Code Reverse Engineering Basics, you'll learn from Franz Payer, CEO of Cyber Skyline, about how to analyze source code and bypass basic authentication mechanisms. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.
www.youtube.com
Questions
1. What is a secret key that will pass validation?
Shift each character in the vals array backwards 7 positions in the alphabet. You can use a tool such as CyberChef to do this.
©️ 2025 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.