 What's up everybody, John Hammond at Pico CTF 2019. This challenge is called The Numbers. It's for 50 points in the cryptography category. It simply says The Numbers, what do they mean? Hint here it has the flag is in format Pico CTF, all capital letters. So let's go ahead and figure out what this is. I'm going to W get this. Just make a little directory for us. The Numbers, if I could type, wow, third time's the charm. Let's W get that. Let's throw that in there totally filled on that copy and paste. So let's throw that. All right, now we have the Numbers. It's a PNG file. Let's go ahead and open it up with I of GNOME. So we have this picture here. And we have seemingly just some Numbers represented with lots of MS Paint, the spray tool there. That's really funny, red, blue, and gray, whatever. I note that I can see a curly brace in there, kind of opening and closing. And what could these Numbers mean, right? That's kind of the question here. What you might notice is that they're all within the range, or at least seemingly, they're all less than 26. I don't know if you can kind of delineate the space as well enough, but I see a 16 here, a 9, a 3. This is a 15. And it might be kind of tight to determine which is a space or which isn't for actually putting a number together. I think I know a friend of mine that actually had some trouble with that. But that is what we're looking at, 16, 9, 3, 15, 3, 26. And all of these might map to actual letters in the alphabet. Maybe trying to build out the flag just with its numeric representation or the index or the location of where that number is in the alphabet. So let's try and piece that together. I'm going to use Python for that. So if I were to take a look and I were to see, let's just grab the alphabet from string. Let's do from string import lowercase. Can I do that? Or is it ASCII lowercase? I guess I need ASCII. And if it's going to be in uppercase too, because the flag format, let's try ASCII uppercase. I'm going to just save that as uppercase. That's nice and easy for me. So I can do uppercase. And there's our whole alphabet. And let's index it at 16. It puts us at Q, but that doesn't particularly help us. We wanted P for pico CTF. Don't forget that this is 0 based. So when the picture tells us 16, we still actually need to go minus 1. And that would get us 15 for p. And what was the other one? 3, right? Or something. Let me split my screen here. EOG, the numbers, it was 9, 9 and 3. So that would mean 8i, 3, which would mean 2, which would be C. OK. So you can see, PIC, we're starting to spell out pico. Therefore, this has to be the correct analogy. Maybe we're just looking at our flag here. So let's write a simple script to burn through this. I'm going to keep our numbers script available to us, so I can just simply write that. Subtle, do a little get flag dot pi. And we'll create a user bin environment, Python. Let's get our pictures back. And let's say numbers can equal. We had 16, we had 9, we had 3, 15, 3. This is exciting. This is thrilling. I know this is absolutely what you wanted to see here. And let's just use a string here for that. Let's use 28, 5, 14, 21. OK, so now I have all of the numbers put into a script or an array here that I can run through in Python. Nice and easy for us. Let's zoom in on that a little bit, so it's a little bit easier to read. And let's say for C in numbers or n, whatever we particularly want, doesn't matter. We can say, pull that from the alphabet again, from string, import, like that, maximize. I brought that to my other monitor, sorry, import, ask the uppercase as uppercase. So let's get, let's start a flag as a list. Scrolling through my subline text tabs here, my bad. Let's do flag.append the uppercase index for n minus 1. But if that n happens to be a string, will that work for me? Then let's just do flag.append.n else we'll do that. So now if I were to take a look at what my flag actually looks like, if I join it all together with an empty string as a kind of delimiter there, run this, run it with Python, I have an error because I'm bad. Python command not found. You're a jerks of the line text. Let's go ahead and run this here. Let's use Python, get flag, and picoctf, the numbers, Mason. That's it, that's what we were looking for. Let's go ahead and copy that. I'll redirect that to a flag.text. So we can save it, paste it in here, there we go. That's correct, that's the right flag, and we're done. Let's finish that, and now the numbers is complete. That's that, I hope you enjoyed that. Let's go take a look at that script one more time. All I did was work with it. Let's mark that as executable real quick. Cool. All we have here is just the numbers all on new lines. We can actually modify that. Let's make all the new line characters a simple space. Oh, that was bad. I did them for the whole file. Let's do that one more time with just the selection that we're actually looking at. And all my tab characters, in no way, that looks kind of funky. Let's remove the tabs, also two spaces. Now I have two spaces, so that just looks funny. So all of our numbers are imported into our Python script. We just create a simple array or a list that we can actually encapsulate that all in. I removed my tabs here on accident, but Python will deal with it. I determined if that current iterator, Rn, is a string for these curly braces to note the beginning and the end of the actual flag. We just dealt with it, we added that N itself. If it were a number, something that's not a string, right, our else condition there, we took that index as part of the alphabet and it's all uppercase renditions and we would go ahead and print that out when that list is all joined together with empty string. So that's that, hope you guys enjoyed it. That's a little bit quick Python, just looping through the alphabet nice and easy, but I hope you enjoyed. I'll see you in the next video. Hope to see you on Discord. There's a link in the description. Please do join that server. Lots of crazy smart people, much smarter than me. Discord, Patreon, PayPal, Instagram, Facebook, LinkedIn, all the stuff. Love to see you on social media. Take care, guys. ["Discord"]