like1000 picoCTF 2019 Solution

Published: April 2, 2026

Description

This .tar file got tarred 1000 times. Untar it to find the flag.

Download the tar file into a working directory.

bash
mkdir like1000 && cd like1000
bash
wget <url>/1000.tar

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Write a loop to extract recursively
    Observation
    I noticed the challenge description says the file was tarred 1000 times, which meant manual extraction was impossible and a scripted loop counting down from 1000 to 1 was the only practical approach.
    The archive is a tar within a tar within a tar, 1000 levels deep. Write a bash loop that repeatedly extracts the tar file until no more tar files exist.
    bash
    for i in $(seq 1000 -1 1); do tar xf $i.tar; done
    What didn't work first

    Tried: Run tar xzf 1000.tar to extract the outermost archive, assuming it is gzip-compressed because .tar files often are.

    tar xzf forces gzip decompression (-z flag) before reading the archive. These nested tars are uncompressed plain tar archives, so tar reports 'gzip: stdin has more than one entry' or a decompression error and exits without extracting. Plain tar xf (no -z) works because it lets tar detect the format automatically.

    Tried: Loop from 1 to 1000 in ascending order with 'for i in $(seq 1 1000); do tar xf $i.tar; done'.

    The outermost file is 1000.tar, which contains 999.tar, and so on. Ascending order tries to extract 1.tar first, but 1.tar does not exist yet - only 1000.tar was downloaded. The loop errors immediately on 'tar: 1.tar: Cannot open: No such file or directory'. Descending order works because each extraction produces the next lower-numbered file before the loop reaches it.

    Learn more

    The tar utility (tape archive) packages multiple files into a single file without compression. Each tar xf file.tar extracts the contents of the archive into the current directory. If the archive contains another .tar file, you need to extract that one too.

    The loop counts from 1000 down to 1 because the outermost archive is 1000.tar, which contains 999.tar, which contains 998.tar, and so on down to 1.tar.

  2. Step 2
    Find the flag file
    Observation
    I noticed the loop had finished running with no more tar files remaining, which indicated the innermost archive had been extracted and the final artifact (flag.png) should now be present in the working directory.
    After the loop completes, the innermost archive yields flag.png (an image, not a text file). Open it to read the flag.
    bash
    ls
    bash
    # the flag is in flag.png - open it in an image viewer

    Expected output

    flag.png
    Learn more

    Each archive also contains a filler file, and depending on the instance the next .tar may land in the current directory or inside a numbered subdirectory. A robust, depth-agnostic loop that handles either layout is a find-based one rather than while [ -f *.tar ] (which errors when the glob matches zero or multiple files):

    while f=$(find . -name '*.tar' | head -1); [ -n "$f" ]; do
      tar -xf "$f" -C "$(dirname "$f")"
      rm "$f"
    done
    # then locate the image:
    find . -name 'flag.png'
Interactive tools
  • File Magic IdentifierIdentify file types from magic numbers. Paste hex bytes or drop a file to detect PNG, JPEG, ZIP, PDF, ELF, PCAP, SQLite, and dozens of other formats.
  • Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
  • Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.

Flag

Reveal flag

picoCTF{l0t5_0f_TAR5}

Repeatedly extract the nested tars (a find-based loop handles whatever subdirectory layout the instance uses) down to the innermost flag.png, then open the image to read the flag.

Key takeaway

Archive formats like tar are containers that can nest arbitrarily: a tar can hold another tar, which holds another, and so on. Scripted loops and recursive extraction are the correct tool whenever manual unpacking is impractical due to depth or count. The same pattern appears in CTF challenges involving nested zip files, compressed firmware images with multiple layers of gzip or LZMA, and malware droppers that unpack themselves in stages to evade static analysis.

Related reading

Want more picoCTF 2019 writeups?

Useful tools for Forensics

What to try next