Nice netcat...
We are given a host and a port for a remote instance. If we establish a connection using nc, we get a bunch of numbers:
$ nc mercury.picoctf.net 22902
112
105
99
111
67
84
70
123
103
48
48
100
95
107
49
116
116
121
33
95
110
49
99
51
95
107
49
116
116
121
33
95
100
51
100
102
100
54
100
102
125
10
^C
These numbers seem to be the ASCII decimal representation of some characters. For instance, 112 is p, 105 is i, 99 is c and 111 is o. So the numbers are the flag but in ASCII.
To decode the flag, we can use some shell scripting and Python. Since nc keeps the connection open, we can close it using timeout.
$ timeout 1 nc mercury.picoctf.net 22902 | xargs
112 105 99 111 67 84 70 123 103 48 48 100 95 107 49 116 116 121 33 95 110 49 99 51 95 107 49 116 116 121 33 95 100 51 100 102 100 54 100 102 125 10
$ python3 -c "print('$(timeout 1 nc mercury.picoctf.net 22902 | xargs)')"
112 105 99 111 67 84 70 123 103 48 48 100 95 107 49 116 116 121 33 95 110 49 99 51 95 107 49 116 116 121 33 95 100 51 100 102 100 54 100 102 125 10
$ python3 -c "print(''.join(map(chr, map(int, '$(timeout 1 nc mercury.picoctf.net 22902 | xargs)'.split()))))"
picoCTF{g00d_k1tty!_n1c3_k1tty!_d3dfd6df}
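The one-liner above splices whatever the server sends into Python source text, so the remote side's output is treated as code rather than data. The following is an added example, not part of the original write-up, that reads the same output from stdin and validates every token; the function name, the file name decode.py and the sample string are assumptions made for illustration.

```python
import sys

TERMINATOR = 10  # the service ends the flag with a newline (decimal 10)


def decode_decimal_ascii(text):
    """Decode whitespace-separated decimal ASCII codes up to the newline code."""
    chars = []
    for token in text.split():
        # Accept plain ASCII digits only; anything else is not a character code.
        if not (token.isascii() and token.isdigit()):
            raise ValueError(f"non-numeric token: {token!r}")
        value = int(token)
        if value == TERMINATOR:
            break
        # Printable ASCII only, so control or escape bytes never reach the terminal.
        if not 32 <= value <= 126:
            raise ValueError(f"not printable ASCII: {value}")
        chars.append(chr(value))
    return "".join(chars)


# Constructed sample in the same one-number-per-line format as the service.
SAMPLE = "112\n105\n99\n111\n67\n84\n70\n123\n111\n107\n125\n10\n"

if __name__ == "__main__":
    # Usage: timeout 1 nc HOST PORT | python3 decode.py
    # With no pipe attached, fall back to the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(decode_decimal_ascii(data))
```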
The flag can also be decoded using a Python script with pwntools:
from pwn import context, remote
# Silence pwntools connection logging so only the flag is printed
context.log_level = 'CRITICAL'
r = remote('mercury.picoctf.net', 22902)
flag = []
# Read one decimal code per line until the newline code (10) arrives
while (c := r.recvline().strip()) != b'10':
    flag.append(chr(int(c.decode())))
r.close()
print(''.join(flag))
$ python3 solve.py
picoCTF{g00d_k1tty!_n1c3_k1tty!_d3dfd6df}