Description
This .tar file got tarred 1000 times. Untar it to find the flag.
Setup
Download the tar file into a working directory.
mkdir like1000 && cd like1000wget <url>/1000.tarSolution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Write a loop to extract recursivelyObservationI noticed the challenge description says the file was tarred 1000 times, which meant manual extraction was impossible and a scripted loop counting down from 1000 to 1 was the only practical approach.The archive is a tar within a tar within a tar, 1000 levels deep. Write a bash loop that repeatedly extracts the tar file until no more tar files exist.bashfor i in $(seq 1000 -1 1); do tar xf $i.tar; doneWhat didn't work first
Tried: Run tar xzf 1000.tar to extract the outermost archive, assuming it is gzip-compressed because .tar files often are.
tar xzf forces gzip decompression (-z flag) before reading the archive. These nested tars are uncompressed plain tar archives, so tar reports 'gzip: stdin has more than one entry' or a decompression error and exits without extracting. Plain tar xf (no -z) works because it lets tar detect the format automatically.
Tried: Loop from 1 to 1000 in ascending order with 'for i in $(seq 1 1000); do tar xf $i.tar; done'.
The outermost file is 1000.tar, which contains 999.tar, and so on. Ascending order tries to extract 1.tar first, but 1.tar does not exist yet - only 1000.tar was downloaded. The loop errors immediately on 'tar: 1.tar: Cannot open: No such file or directory'. Descending order works because each extraction produces the next lower-numbered file before the loop reaches it.
Learn more
The tar utility (tape archive) packages multiple files into a single file without compression. Each
tar xf file.tarextracts the contents of the archive into the current directory. If the archive contains another .tar file, you need to extract that one too.The loop counts from 1000 down to 1 because the outermost archive is 1000.tar, which contains 999.tar, which contains 998.tar, and so on down to 1.tar.
Step 2
Find the flag fileObservationI noticed the loop had finished running with no more tar files remaining, which indicated the innermost archive had been extracted and the final artifact (flag.png) should now be present in the working directory.After the loop completes, the innermost archive yields flag.png (an image, not a text file). Open it to read the flag.bashlsbash# the flag is in flag.png - open it in an image viewerExpected output
flag.png
Learn more
Each archive also contains a filler file, and depending on the instance the next
.tarmay land in the current directory or inside a numbered subdirectory. A robust, depth-agnostic loop that handles either layout is a find-based one rather thanwhile [ -f *.tar ](which errors when the glob matches zero or multiple files):while f=$(find . -name '*.tar' | head -1); [ -n "$f" ]; do tar -xf "$f" -C "$(dirname "$f")" rm "$f" done # then locate the image: find . -name 'flag.png'
Interactive tools
- File Magic IdentifierIdentify file types from magic numbers. Paste hex bytes or drop a file to detect PNG, JPEG, ZIP, PDF, ELF, PCAP, SQLite, and dozens of other formats.
- Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
- Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.
Flag
Reveal flag
picoCTF{l0t5_0f_TAR5}
Repeatedly extract the nested tars (a find-based loop handles whatever subdirectory layout the instance uses) down to the innermost flag.png, then open the image to read the flag.