I just solved this, after much head-scratching. But, I have to say that there IS a clear clue as to which of the variables contains the password. It is there in plain sight once you do the normal stuff to read it. You just need to understand how the logic of the code hides it from you.

This challenge is a shit show. Just try a bunch of strings you can generate from the script. That’s it.

Wow, I made it way more complicated than it was. And yeah, it was kinda bad. :frowning:

I enjoyed the reverse engineering part that took me all of 2 minutes (it is meant to be very easy ofc)

I didn’t enjoy spending like 2 hours, even enlisting the help of a friend, trying to figure out the flag format :S if you’re into puzzles in general you’ll like it but I didn’t learn anything related to cyber security from that part.

my hint: look at what you’ve figured out, and then look at how the snake’s chains are created. Don’t assume the code is complete or works!

@izzie said:

It isn’t correct. There is another thread which explains but it also misleads terribly. It made this quirky challenge a lot harder than it is so I am loath to send you there. You must take the program at its word. It isn’t really a troll or it is but… argh.

Anyway, you’re only half right so…

Hey, I’m stuck at the same problem. Can you help me or give me a hint?

@mrtnrdl said:
Wow, I made it way more complicated than it was. And yeah, it was kinda bad. :frowning:


@CeltSec said:
my hint: look at what you’ve figured out, and then look at how the snake’s chains are created. Don’t assume the code is complete or works!

This is very true. :+1:

I got the good job. But what to do after that? Any hints?

I just did this one. The way you get the username makes sense and the way you can get the password does as well, sort of. The removal of the last part makes no sense to me, and the fact that the code is “broken”. What is the point of that? The confirmation of the password done in the code is broken, and the append thing is just, uhm, what is the point? I don’t understand the challenge. It just seems silly to me. Some of the other challenges are “real life” like, not like this one. Am I the only one who feels like this? I am new to this whole reverse engineering and stego part of this.

Not a good reversal at all… was able to quickly determine what was useful code, and in the hours that followed I became quite competent in coming up with passwords that all return ‘Good Job’, but none of them were accepted.

There is no logical reason why you should enter that specific (part of the) password. I only took to the forums to see whether I was the only one not getting the expected result.

I thought I’d start with a simple one and work my way up from there, but this one is pretty frustrating, might make people lose interest…

I have the flag but I, like others, cannot submit it because it says incorrect. I tried formatting it a few times but have gotten no results. It’s a bit of a bummer to solve the challenge but not be able to submit it.

Took me a while to figure out the REAL password too. Here’s a hint:
Once you get the “first” password, it’ll be pretty long. Try to decode the arrays at top. Some of them are just trolls, but one of those trolls might tell you that a certain part of that password can be left out.

You’ve already done the hard part, this is the easy part. Good luck!

And of course, make sure you submit the key in the HTB{username:password} format.

So I’m new to HTB. I got the snake password within the first 10 minutes of reading the python script. The whole thing took me about 3 hours, because my dumb@$$ didn’t realize it needed to be in {}, I was using () for about 2 hours lol

Stuck! I have them all decoded. But whatever combination I use, I get “Try Harder”

Wont python knowledge

I thought this shitty task was already retired :smiley: But people still bang their heads against a wall. This task won’t teach you anything. It’s just a flag bruteforcing task using strings from the script.

Got the “Good Job” within 5 minutes, but the password didn’t work? I had to just brute force it by putting in shorter and shorter lengths until it was accepted. Seriously, WTF? This was garbage.

I finally got this to submit. Just think about the format of the Token and how the “password” might screw that up. This was a needlessly broken flag.

The reversing was cool, just the flag structure is jacked.

Was a funny one, easy to solve… if it would not be so jacked from the flag itself…