PicoCTF 2019 Web Exploitation Challenges

بِسْمِ اللهِ الرَّحْمٰنِ الرَّحِيْمِ Hello all, I’m Ahmed Reda(0xhunterr) and this is a walkthrough for PicoCTF 2019 Web Exploitation Challenges, so without further ado let’s get started

1: Insp3ct0r

Description Kishor Balan tipped us off that the following code may need inspection: link

from the challenge name and the hints everywhere about the “inspection”, we know our next step is to Inspect the source HTML code of the page, we can do this by pressing CTRL + u or right click on the page and choosing “View Page Source”

The first thing we search for in such a situation is Comments and it starts with <! — comment in HTML, here we can see one comment

<! — Html is neat. Anyways have 1/3 of the flag: picoCTF{tru3_d3 →

we now know that the flag is divided into 3 parts and we have the first one “picoCTF{tru3_d3 →”

for the rest, we can notice the head of the page has JS, and CSS external files embedded in it, let’s visit them

at the bottom of the CSS file, we got the second part of the flag “t3ct1ve_0r_ju5t”, and for the JS: we got the last part “flag: _lucky?832b0699}”

so let’s concatenate them, it will be: picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?832b0699}

2: where are the robots

As usual, the name and the description are more than enough, it’s talking about the famous “robots.txt” file which is a text file that website owners use to communicate with web crawlers or bots, providing instructions on which parts of their site should be crawled and indexed and which parts should be excluded. It’s a standard used by websites to manage their interactions with search engine bots and other web spiders.

it’s important to give it a look it contains some juicy info, so let’s check it by adding /robots.txt to the root path of the website

it says to disallow the “/477ce.html” path, so let’s visit it

and that’s it easy peasy the flag is: picoCTF{ca1cu1at1ng_Mach1n3s_477ce}

Sided Note: u can use any web crawler to solve it

3: logon

From the name and hints it seems to be related to the login process and somehow with Joe himself so let’s try

Tried to log in using “Joe” as username and “test” for password just to test the website logic and it logged me in but saying no flag

At this point, I tried to see the source code but nothing was interesting there, so I tried to sign out and log in with different credentials like admin:admin and I got the same result, from the description and the hint it seems to be the login process not even working so I checked the cookies

and I found a cookie named admin with a false value, changed it to “True” and refreshed the page and here we go picoCTF{th3_c0nsp1r4cy_l1v3s_d1c24fef}

4: dont-use-client-side

again with the client side, It seems to be about client languages like HTML but usually with the validation processes it will be JavaScript so let’s start.

when I visited the page I found a verification box asking about valid creds tried anything to test the behaviour as we did earlier, and it said incorrect password.

so this time seems to be checking and there is logic behind it since the challenge about the client side says “never trust the client” so let’s check for the js files

right click and choose Inspect and go to sources tab here we find an HTML code with some JS logic in the verify function it seems to verify some password with specific string and it seems to be our flag so let’s construct it in a logical ascending order

function verifyPassword(checkpass) {
  if (checkpass.substring(0, split) == 'pico' &&
      checkpass.substring(split, split*2) == 'CTF{' &&
      checkpass.substring(split*2, split*3) == 'no_c' &&
      checkpass.substring(split*3, split*4) == 'lien' &&
      checkpass.substring(split*4, split*5) == 'ts_p' &&
      checkpass.substring(split*5, split*6) == 'lz_1' &&
      checkpass.substring(split*6, split*7) == 'a3c8' &&
      checkpass.substring(split*7, split*8) == '9}') {
    alert("Password Verified");
  } else {
    alert("Incorrect password");
  }
}

and here it is our flag: picoCTF{no_clients_plz_1a3c89}

5: picobrowser

this is how the website looks like and when we press the flag it says:

You’re not picobrowser! Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36

it seems to be the user-agent header, we can spoof it using BurpSuit but let’s practice some CLI, using the following command will add a custom user-agent header (the web shell at the pico website can do the job) :

$ curl "https://jupiter.challenges.picoctf.org/problem/26704/flag" -H "User-Agent: picobrowser"

the flag: picoCTF{p1c0_s3cr3t_ag3nt_e9b160d0}

6: Client-side-again

Client-side is everywhere, from the hint it seems to be the same Idea we solved earlier but with obfuscated code

yeah, as we guessed! this is the obfuscated code

var _0x5a46=['37115}','_again_3','this','Password\x20Verified','Incorrect\x20password','getElementById','value','substring','picoCTF{','not_this'];(function(_0x4bd822,_0x2bd6f7){var _0xb4bdb3=function(_0x1d68f6){while(--_0x1d68f6){_0x4bd822['push'](_0x4bd822['shift']());}};_0xb4bdb3(++_0x2bd6f7);}(_0x5a46,0x1b3));var _0x4b5b=function(_0x2d8f05,_0x4b81bb){_0x2d8f05=_0x2d8f05-0x0;var _0x4d74cb=_0x5a46[_0x2d8f05];return _0x4d74cb;};function verify(){checkpass=document[_0x4b5b('0x0')]('pass')[_0x4b5b('0x1')];split=0x4;if(checkpass[_0x4b5b('0x2')](0x0,split*0x2)==_0x4b5b('0x3')){if(checkpass[_0x4b5b('0x2')](0x7,0x9)=='{n'){if(checkpass[_0x4b5b('0x2')](split*0x2,split*0x2*0x2)==_0x4b5b('0x4')){if(checkpass[_0x4b5b('0x2')](0x3,0x6)=='oCT'){if(checkpass[_0x4b5b('0x2')](split*0x3*0x2,split*0x4*0x2)==_0x4b5b('0x5')){if(checkpass['substring'](0x6,0xb)=='F{not'){if(checkpass[_0x4b5b('0x2')](split*0x2*0x2,split*0x3*0x2)==_0x4b5b('0x6')){if(checkpass[_0x4b5b('0x2')](0xc,0x10)==_0x4b5b('0x7')){alert(_0x4b5b('0x8'));}}}}}}}}else{alert(_0x4b5b('0x9'));}}
so let’s obfuscate the code at (https://deobfuscate.relative.im/) and this is it after deobfuscated:

var _0x5a46 = [
  '37115}',
  '_again_3',
  'this',
  'Password Verified',
  'Incorrect password',
  'getElementById',
  'value',
  'substring',
  'picoCTF{',
  'not_this',
]
;(function (_0x4bd822, _0x2bd6f7) {
  var _0xb4bdb3 = function (_0x1d68f6) {
    while (--_0x1d68f6) {
      _0x4bd822.push(_0x4bd822.shift())
    }
  }
  _0xb4bdb3(++_0x2bd6f7)
})(_0x5a46, 435)
var _0x4b5b = function (_0x2d8f05, _0x4b81bb) {
  _0x2d8f05 = _0x2d8f05 - 0
  var _0x4d74cb = _0x5a46[_0x2d8f05]
  return _0x4d74cb
}
function verify() {
  checkpass = document[_0x4b5b('0x0')]('pass')[_0x4b5b('0x1')]
  split = 4
  if (checkpass[_0x4b5b('0x2')](0, split * 2) == _0x4b5b('0x3')) {
    if (checkpass[_0x4b5b('0x2')](7, 9) == '{n') {
      if (
        checkpass[_0x4b5b('0x2')](split * 2, split * 2 * 2) == _0x4b5b('0x4')
      ) {
        if (checkpass[_0x4b5b('0x2')](3, 6) == 'oCT') {
          if (
            checkpass[_0x4b5b('0x2')](split * 3 * 2, split * 4 * 2) ==
            _0x4b5b('0x5')
          ) {
            if (checkpass.substring(6, 11) == 'F{not') {
              if (
                checkpass[_0x4b5b('0x2')](split * 2 * 2, split * 3 * 2) ==
                _0x4b5b('0x6')
              ) {
                if (checkpass[_0x4b5b('0x2')](12, 16) == _0x4b5b('0x7')) {
                  alert(_0x4b5b('0x8'))
                }
              }
            }
          }
        }
      }
    }
  } else {
    alert(_0x4b5b('0x9'))
  }
}
It’s the same logic but with some decoding and shifting techniques

The _0x5a46 array holds strings that are essential for the password verification logic.
It undergoes a shifting operation in a self-invoking function, effectively rearranging the elements.
The verify function is similar to the one in your previous code, checking specific substrings of the input password.
For example for the decoding process, _0x4b5b('0x3') corresponds to 'picoCTF{', _0x4b5b('0x4') corresponds to 'not_this', and so on
we can use ChatGpt to get a more human-readable code so it will be like that

var strings = [
  '37115}',
  '_again_3',
  'this',
  'Password Verified',
  'Incorrect password',
  'getElementById',
  'value',
  'substring',
  'picoCTF{',
  'not_this',
];

(function (array, shiftAmount) {
  var shift = function (iterations) {
    while (--iterations) {
      array.push(array.shift());
    }
  };

  shift(shiftAmount);
})(strings, 435);

function decode(index) {
  return strings[index];
}

function verify() {
  var checkpass = document[decode(5)]('pass')[decode(6)];
  var split = 4;

  if (checkpass[decode(7)](0, split * 2) == decode(8)) {
    if (checkpass[decode(7)](7, 9) == '{n') {
      if (checkpass[decode(7)](split * 2, split * 2 * 2) == decode(9)) {
        if (checkpass[decode(7)](3, 6) == 'oCT') {
          if (checkpass[decode(7)](split * 3 * 2, split * 4 * 2) == decode(10)) {
            if (checkpass.substring(6, 11) == 'F{not') {
              if (checkpass[decode(7)](split * 2 * 2, split * 3 * 2) == decode(1)) {
                if (checkpass[decode(7)](12, 16) == decode(2)) {
                  alert(decode(3));
                }
              }
            }
          }
        }
      }
    }
  } else {
    alert(decode(4));
  }
}
and now starting the calculations and concatenations :(

but we can cheat a little bit here to make it easier, we know that the values are coming from the array so u can sort the values direct logically.

picoCTF{not_this_again_337115}

7: Irish-Name-Repo 1

hint1:There doesn’t seem to be many ways to interact with this. I wonder if the users are kept in a database? hint2:Try to think about how the website verifies your login.

nothing interesting on the website but the Admin login so let’s go there

‘ OR ‘1’=’1 since the hints mention the database and the login process it’s usually an SQL injection, so let’s try the classic SQL injection, username = admin and password = ‘ OR ‘1’=’1 and here we go picoCTF{s0m3_SQL_f8adf3fb}

8: Irish-Name-Repo 2

sounds like level 2, so it’s about SQLi again but if we try to attempt the same payload it gets detected, and OR and union keywords are filtered also

so from the hint, the password input field is being filtered so we need to comment or bypass the password from the username field without using keywords like OR, if we inspect the HTML code as we did before we will find a hidden input field called debug in the login form with value 0

<form action="login.php" method="POST">
                        <fieldset>
                            <div class="form-group">
                                <label for="username">Username:</label>
                                <input type="text" id="username" name="username" class="form-control">
                            </div>
                            <div class="form-group">
                                <label for="password">Password:</label>
                                <div class="controls">
                                    <input type="password" id="password" name="password" class="form-control">
                                </div>
                            </div>
                            <input type="hidden" name="debug" value="0">

                            <div class="form-actions">
                                <input type="submit" value="Login" class="btn btn-primary">
                            </div>
                        </fieldset>
                    </form>

if we make it “1” it will give us the SQL query that is used

so let’s try admin' — and password anything it doesn’t matter,

here we go: picoCTF{m0R3_SQL_plz_aee925db}

9: Irish-Name-Repo 3

I found the same hidden Parameter as before, changed it to 1, and entered a regular payload like ' or '1'='1 and this is the result:

it seems to be encoding or shifting the SQL keywords like “OR”, it’s using Caesar cipher with offset 13 to encode the payload, so entering 'be '1'='1 would result in being ' or '1'='1 eventually and here we go

10: JaWT Scratchpad

so u will log in with any username u want I used hunter, the challenge name and its description talking about the JWT tokens so when I logged in the first thing I looked for was the token, I got my token and I will try to construct the key from it so that I can make another one for the admin and sign it with the key

let's try to crack the token using Hashcat u can also u can use John the Ripper. save your token in a file like “jwt” and run the following command:

hashcat -a0 -m 16500 jwt /usr/share/wordlists/rockyou.txt

and type the same command with — show switch to see the results now go to this so we can spoof the admin token and sign it with the key we found and type the password ilovepico in the Signing Key and change the user to admin and then copy the cookie now go back to our website challenge and paste it instead of your original jwt, refresh and here we go picoCTF{jawt_was_just_what_you_thought_f859ab2f}

10: Java Script Kiddie

this challenge is just about the js code so let’s take a look at the source code

<html>
 <head>    
  <script src="jquery-3.3.1.min.js"></script>
  <script>
   var bytes = [];
   $.get("bytes", function(resp) {
    bytes = Array.from(resp.split(" "), x => Number(x));
   });

   function assemble_png(u_in){
    var LEN = 16;
    var key = "0000000000000000";
    var shifter;
    if(u_in.length == LEN){
     key = u_in;
    }
    var result = [];
    for(var i = 0; i < LEN; i++){
     shifter = key.charCodeAt(i) - 48;
     for(var j = 0; j < (bytes.length / LEN); j ++){
      result[(j * LEN) + i] = bytes[(((j + shifter) * LEN) % bytes.length) + i]
     }
    }
    while(result[result.length-1] == 0){
     result = result.slice(0,result.length-1);
    }
    document.getElementById("Area").src = "data:image/png;base64," + btoa(String.fromCharCode.apply(null, new Uint8Array(result)));
    return false;
   }
  </script>
 </head>
 <body>

  <center>
   <form action="#" onsubmit="assemble_png(document.getElementById('user_in').value)">
    <input type="text" id="user_in">
    <input type="submit" value="Submit">
   </form>
   <img id="Area" src=""/>
  </center>

 </body>
</html>

this code takes input from the user which is a key 16 char length and uses it to encode a PNG image that comes from /bytes endpoint in the form of bytes so in order to decode it in the right way we should provide the right key, the following are the bytes

128 252 182 115 177 211 142 252 189 248 130 93 154 0 68 90 131 255 204 170 239 167 18 51 233 43 0 26 210 72 95 120 227 7 195 126 207 254 115 53 141 217 0 11 118 192 110 0 0 170 248 73 103 78 10 174 208 233 156 187 185 65 228 0 137 128 228 71 159 10 111 10 29 96 71 238 141 86 91 82 0 214 37 114 7 0 238 114 133 0 140 0 38 36 144 108 164 141 63 2 69 73 15 65 68 0 249 13 0 64 111 220 48 0 55 255 13 12 68 41 66 120 188 0 73 27 173 72 189 80 0 148 0 64 26 123 0 32 44 237 0 252 36 19 52 0 78 227 98 88 1 185 1 128 182 177 155 44 132 162 68 0 1 239 175 248 68 91 84 18 223 223 111 83 26 188 241 12 0 197 57 89 116 96 223 96 161 45 133 127 125 63 80 129 69 59 241 157 0 105 57 23 30 241 62 229 128 91 39 152 125 146 216 91 5 217 16 48 159 4 198 23 108 178 199 14 6 175 51 154 227 45 56 140 221 0 230 228 99 239 132 198 133 72 243 93 3 86 94 246 156 153 123 1 204 200 233 143 127 64 164 203 36 24 2 169 121 122 159 40 4 25 64 0 241 9 94 220 254 221 122 8 22 227 140 221 248 250 141 66 78 126 190 73 248 105 5 14 26 19 119 223 103 165 69 177 68 61 195 239 115 199 126 61 41 242 175 85 211 11 5 250 93 79 194 78 245 223 255 189 0 128 9 150 178 0 112 247 210 21 36 0 2 252 144 59 101 164 185 94 232 59 150 255 187 1 198 171 182 228 147 73 149 47 92 133 147 254 173 242 39 254 223 214 196 135 248 34 146 206 63 127 127 22 191 92 88 69 23 142 167 237 248 23 215 148 166 59 243 248 173 210 169 254 209 157 174 192 32 228 41 192 245 47 207 120 139 28 224 249 29 55 221 109 226 21 129 75 41 113 192 147 45 144 55 228 126 250 127 197 184 155 251 19 220 11 241 171 229 213 79 135 93 49 94 144 38 250 121 113 58 114 77 111 157 146 242 175 236 185 60 67 173 103 233 234 60 248 27 242 115 223 207 218 203 115 47 252 241 152 24 165 115 126 48 76 104 126 42 225 226 211 57 252 239 21 195 205 107 255 219 132 148 81 171 53 79 91 27 174 235 124 213 71 221 243 212 38 224 124 54 77 248 252 88 163 44 191 109 63 189 231 251 189 242 141 246 249 15 0 2 230 7 244 161 31 42 182 219 15 221 164 252 207 53 95 99 60 190 232 78 255 197 16 169 252 100 164 19 158 32 189 126 140 145 158 116 245 68 94 149 111 252 74 135 189 83 74 71 218 99 220 208 87 24 228 11 111 245 1 0 98 131 46 22 94 71 244 22 147 21 83 155 252 243 90 24 59 73 247 223 127 242 183 251 124 28 245 222 199 248 122 204 230 79 219 147 11 225 202 239 24 132 55 89 221 143 151 137 63 150 79 211 8 16 4 60 63 99 65 0 A PNG file starts with a magic signature of eight bytes (89 50 4E 47 0D 0A 1A 0A) followed by a series of chunks, where each chunk header has a well-known structure: 4 bytes of length and 4 bytes of chunk type. The first chunk is called IHDR and has the length of 0XD, so we know that the next 8 bytes are 00 00 00 0D 49 48 44 52 let’s get back to our code

assemble_png Function:

assemble_png function, which takes a user input (u_in) as a parameter.

Sets the default length (LEN) to 16 and initializes a default key string. If the user input has a length of 16 characters, updates the key with the user input. Initializes an empty array result to store the processed bytes. Nested loops iterate over the key and the bytes array to perform a series of calculations and populate the result array. for (var i = 0; i < LEN; i++): This loop iterates over each character in the key string, where LEN is the length of the key (in this case, 16).

shifter = key.charCodeAt(i) - 48;: Calculates a shifter value based on the ASCII code of the current character in the key. The subtraction of 48 is used to convert the ASCII code of a digit character to its numerical value(convert String to Integer). Inner Loop (for loop, iterating over chunks of the 'bytes' array):

for (var j = 0; j < (bytes.length / LEN); j++): This loop iterates over chunks of the bytes array. The division by LEN ensures that each chunk corresponds to a segment of the 'bytes' array. result[(j * LEN) + i] = bytes[(((j + shifter) * LEN) % bytes.length) + i];: Calculates the index for the result array based on the current iteration indices and the shifter value. This line essentially shuffles and assembles the bytes based on the key. For each character of the key, we just need to try all digits until we find one that places the expected value in the current location., this code does this

a="128 252 182 115 177 211 142 252 189 248 130 93 154 0 68 90 131 255 204 170 239 167 18 51 233 43 0 26 210 72 95 120 227 7 195 126 207 254 115 53 141 217 0 11 118 192 110 0 0 170 248 73 103 78 10 174 208 233 156 187 185 65 228 0 137 128 228 71 159 10 111 10 29 96 71 238 141 86 91 82 0 214 37 114 7 0 238 114 133 0 140 0 38 36 144 108 164 141 63 2 69 73 15 65 68 0 249 13 0 64 111 220 48 0 55 255 13 12 68 41 66 120 188 0 73 27 173 72 189 80 0 148 0 64 26 123 0 32 44 237 0 252 36 19 52 0 78 227 98 88 1 185 1 128 182 177 155 44 132 162 68 0 1 239 175 248 68 91 84 18 223 223 111 83 26 188 241 12 0 197 57 89 116 96 223 96 161 45 133 127 125 63 80 129 69 59 241 157 0 105 57 23 30 241 62 229 128 91 39 152 125 146 216 91 5 217 16 48 159 4 198 23 108 178 199 14 6 175 51 154 227 45 56 140 221 0 230 228 99 239 132 198 133 72 243 93 3 86 94 246 156 153 123 1 204 200 233 143 127 64 164 203 36 24 2 169 121 122 159 40 4 25 64 0 241 9 94 220 254 221 122 8 22 227 140 221 248 250 141 66 78 126 190 73 248 105 5 14 26 19 119 223 103 165 69 177 68 61 195 239 115 199 126 61 41 242 175 85 211 11 5 250 93 79 194 78 245 223 255 189 0 128 9 150 178 0 112 247 210 21 36 0 2 252 144 59 101 164 185 94 232 59 150 255 187 1 198 171 182 228 147 73 149 47 92 133 147 254 173 242 39 254 223 214 196 135 248 34 146 206 63 127 127 22 191 92 88 69 23 142 167 237 248 23 215 148 166 59 243 248 173 210 169 254 209 157 174 192 32 228 41 192 245 47 207 120 139 28 224 249 29 55 221 109 226 21 129 75 41 113 192 147 45 144 55 228 126 250 127 197 184 155 251 19 220 11 241 171 229 213 79 135 93 49 94 144 38 250 121 113 58 114 77 111 157 146 242 175 236 185 60 67 173 103 233 234 60 248 27 242 115 223 207 218 203 115 47 252 241 152 24 165 115 126 48 76 104 126 42 225 226 211 57 252 239 21 195 205 107 255 219 132 148 81 171 53 79 91 27 174 235 124 213 71 221 243 212 38 224 124 54 77 248 252 88 163 44 191 109 63 189 231 251 189 242 141 246 249 15 0 2 230 7 244 161 31 42 182 219 15 221 164 252 207 53 95 99 60 190 232 78 255 197 16 169 252 100 164 19 158 32 189 126 140 145 158 116 245 68 94 149 111 252 74 135 189 83 74 71 218 99 220 208 87 24 228 11 111 245 1 0 98 131 46 22 94 71 244 22 147 21 83 155 252 243 90 24 59 73 247 223 127 242 183 251 124 28 245 222 199 248 122 204 230 79 219 147 11 225 202 239 24 132 55 89 221 143 151 137 63 150 79 211 8 16 4 60 63 99 65 0 2" #Here, type your bytes
a=a.split()
h=[]
m=['0x89','0x50','0x4e','0x47','0xd','0xa','0x1a','0xa','0x0','0x0','0x0','0xd','0x49','0x48','0x44','0x52']
k=[]
k1=[]
 
for i in range(len(a)):
    h.append(hex(int(a[i])))
 
for i in range(10):
    for j in range(16):
        k.append(h[j+(i*16)])
    k1.append(k)
    k=[]
 
# print(len(k1[0]))
# print(len(k1))
 
 
for i in range(16):
    for j in range(10):
        if (m[i] == k1[j][i]):
            print(j,end=" ")
    print()

so let’s go back and enter the key: 4894748485167104

let’s read the QR code

and finally, here we go picoCTF{7b15cfb95f05286e37a22dda25935e1e}

12: Java Script Kiddie 2

<html>
 <head>    
  <script src="jquery-3.3.1.min.js"></script>
  <script>
   var bytes = [];
   $.get("bytes", function(resp) {
    bytes = Array.from(resp.split(" "), x => Number(x));
   });

   function assemble_png(u_in){
    var LEN = 16;
    var key = "00000000000000000000000000000000";
    var shifter;
    if(u_in.length == key.length){
     key = u_in;
    }
    var result = [];
    for(var i = 0; i < LEN; i++){
     shifter = Number(key.slice((i*2),(i*2)+1));
     for(var j = 0; j < (bytes.length / LEN); j ++){
      result[(j * LEN) + i] = bytes[(((j + shifter) * LEN) % bytes.length) + i]
     }
    }
    while(result[result.length-1] == 0){
     result = result.slice(0,result.length-1);
    }
    document.getElementById("Area").src = "data:image/png;base64," + btoa(String.fromCharCode.apply(null, new Uint8Array(result)));
    return false;
   }
  </script>
 </head>
 <body>

  <center>
   <form action="#" onsubmit="assemble_png(document.getElementById('user_in').value)">
    <input type="text" id="user_in">
    <input type="submit" value="Submit">
   </form>
   <img id="Area" src=""/>
  </center>

 </body>
</html>

We can see one main changes from last time: The key length is still 16 but the key itself has 32 characters. It looks like every second character is just a filler (shifter = Number(key.slice((i2),(i2)+1))) so this shouldn't matter much.

252 127 185 254 13 114 103 73 255 0 0 13 231 72 219 16 59 96 78 211 0 159 239 10 62 0 0 0 66 192 242 71 20 140 1 9 118 53 68 114 248 120 156 237 73 81 162 187 160 125 0 134 173 73 60 65 112 14 208 163 0 55 252 71 48 119 134 121 244 29 251 116 69 192 229 223 155 201 223 0 157 186 146 0 134 157 175 251 0 227 124 15 56 33 255 82 191 80 12 71 181 0 170 31 1 56 239 188 7 206 232 108 137 0 241 114 98 10 119 17 84 253 34 83 2 209 130 227 0 0 95 2 227 0 0 80 97 36 145 72 243 57 68 35 164 12 7 127 183 73 26 120 113 239 252 247 17 98 95 58 48 213 8 163 33 3 1 171 66 13 236 67 146 113 138 254 205 192 145 219 156 0 68 208 14 2 246 56 248 79 216 239 203 10 136 147 64 122 121 231 6 81 142 181 237 249 73 136 165 243 57 241 125 252 5 20 144 20 40 19 255 146 89 51 188 76 244 218 127 107 145 68 217 202 41 3 199 149 59 42 136 246 123 182 242 252 250 72 61 127 16 175 0 121 135 73 128 36 112 88 8 33 0 123 250 1 246 56 50 88 144 240 83 186 27 136 208 239 163 238 1 156 205 221 249 191 17 240 124 99 0 19 155 0 243 172 228 114 48 215 255 28 254 51 121 122 28 90 223 25 25 43 203 243 246 45 7 115 252 72 145 108 219 156 200 21 44 210 156 101 172 161 166 123 231 82 255 0 255 211 22 40 9 173 219 58 155 187 144 212 245 221 25 169 157 43 46 249 63 172 208 204 201 90 75 133 145 245 234 50 143 32 183 84 191 252 144 172 161 160 91 41 39 128 143 195 178 151 123 114 88 197 94 51 4 241 110 92 190 77 199 254 63 35 40 107 240 62 101 130 152 143 155 199 31 162 253 112 214 118 130 252 113 211 90 243 34 35 42 90 44 112 233 87 158 242 237 99 19 160 5 222 40 203 178 14 172 201 235 10 222 223 128 191 75 241 37 135 217 227 69 99 5 74 201 103 16 251 75 249 115 41 25 171 34 214 185 252 154 95 104 68 245 127 156 67 115 221 21 233 251 74 252 253 213 103 171 32 233 129 251 230 245 206 210 173 156 246 186 111 195 129 7 242 207 111 6 0 190 144 91 163 233 250 218 247 126 242 240 110 108 255 176 116 155 114 136 41 211 101 251 165 249 181 51 238 185 69 181 147 151 210 249 154 62 105 85 123 127 237 155 95 254 234 251 116 25 43 230 91 59 56 48 223 146 35 191 223 61 147 42 230 111 90 131 95 245 174 57 248 249 252 140 155 95 177 158 163 25 146 149 57 93 7 114 16 252 54 191 159 183 210 121 239 192 5 198 30 31 91 103 129 219 69 78 201 29 12 150 201 149 157 173 63 217 41 0 215 175 105 63 119 122 203 201 113 58 190 48 252 85 183 147 248 252 247 237 207 99 242 231 229 57 121 212 254 15 91 127 30 227 246 207 252 222 240 0 254 172 254 112 78 68 174 188 96 141 140 or u can double the value u get when u run the old script 77661166007799115500000022008855

that’s it we finished today's challenges