From the source code we can observe that there is a flag hidden in the lyrics of a song. Once we connect to the terminal, it starts printing the song, but it starts from '[VERSE1]'.
We can also observe that the whole song is passed to the function, so we need to find a way to make the song start from the beginning.
If we let the song run, it will eventually ask for user input. Let's look at the code for this operation:
crowd = input('Crowd: ')
song_lines[lip] = 'Crowd: ' + crowd
Interestingly, our input overwrites a line of the song. Let's find a way to abuse this.
This is how each line is processed:
# lip is the index of the current song line; ';' separates several commands on one line
for line in song_lines[lip].split(';'):
    if line == '' and song_lines[lip] != '':
        continue
    if line == 'REFRAIN':
        # remember where to come back to, then jump into the refrain
        song_lines[refrain_return] = 'RETURN ' + str(lip + 1)
        lip = refrain
    elif re.match(r"CROWD.*", line):
        # user input is written back into the song itself
        crowd = input('Crowd: ')
        song_lines[lip] = 'Crowd: ' + crowd
        lip += 1
    elif re.match(r"RETURN [0-9]+", line):
        # jump to an arbitrary line number taken from the line text
        lip = int(line.split()[1])
    elif line == 'END':
        ...  # handler body not shown in the write-up
There are three really important things that this code tells us:
From these observations we can easily construct the following payload:
;RETURN 0
The next time the refrain is played, our 'RETURN 0' will be parsed before the original 'RETURN'. The lip variable will be set to 0, and the song will start from the secret intro.
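To make the mechanism concrete, here is an added example (not the challenge's own code) that re-implements the interpreter loop above over a constructed toy song, plays it once normally, once with the ';RETURN 0' payload, and once with a hardened variant that keeps crowd input out of the program text. The song layout, the line indices and the `hardened` flag are all assumptions of this example.

```python
import re

# Constructed toy song in the same mini-language the write-up describes.
# Line 0 is the hidden intro; normal playback starts at line 1 and never
# jumps backwards, so line 0 is only reachable through a 'RETURN 0'.
SONG = [
    "hidden intro: FLAG{constructed-example}",  # 0: never played normally
    "[VERSE1]",   # 1: playback starts here
    "REFRAIN",    # 2: jump to the refrain, remember where to come back
    "[VERSE2]",   # 3
    "REFRAIN",    # 4: second visit replays the (now overwritten) CROWD line
    "END",        # 5
    "[CHORUS]",   # 6: refrain target
    "CROWD",      # 7: asks for input, which the vulnerable player writes back here
    "",           # 8: refrain_return slot, overwritten with 'RETURN n'
]

def play(song, inputs, start=1, refrain=6, refrain_return=8, hardened=False, max_steps=40):
    """Re-implementation of the write-up's interpreter loop (assumed structure).
    Returns the printed lines. hardened=True keeps crowd input out of song_lines,
    so user data can never be re-parsed as a command. max_steps bounds runaway loops."""
    song_lines = list(song)       # copy: the interpreter mutates its own program
    inputs = list(inputs)         # scripted stand-in for input('Crowd: ')
    printed = []
    lip = start
    for _ in range(max_steps):
        if lip >= len(song_lines):
            break
        jumped = False
        for line in song_lines[lip].split(';'):
            if line == '' and song_lines[lip] != '':
                continue
            if line == 'REFRAIN':
                song_lines[refrain_return] = 'RETURN ' + str(lip + 1)
                lip, jumped = refrain, True
            elif re.match(r"CROWD.*", line):
                crowd = inputs.pop(0) if inputs else ''
                if hardened:
                    printed.append('Crowd: ' + crowd)      # data stays data
                else:
                    song_lines[lip] = 'Crowd: ' + crowd    # data becomes program text
                lip, jumped = lip + 1, True
            elif re.match(r"RETURN [0-9]+", line):
                lip, jumped = int(line.split()[1]), True   # jump target comes from the line
            elif line == 'END':
                return printed
            else:
                printed.append(line)
        if not jumped:
            lip += 1
    return printed
```

With the payload the vulnerable player loops back to line 0 on the second pass through the refrain, so the hidden intro appears in the output; the hardened player never re-parses the crowd's answer, so the same input is simply echoed.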