Description
A musician who calls himself Mr. Worldwide has hidden a flag using GPS coordinates. Each coordinate maps to a city - the first letters spell the flag.
Setup
Download the file containing the coordinates.
wget <url>/message.txtSolution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Read the coordinate listObservationI noticed the challenge description said coordinates were involved and the setup step downloaded message.txt, which suggested the first action was to inspect the file contents to see how many coordinate pairs there were and what format they used.Open the file. It contains a list of GPS coordinates (latitude, longitude pairs). Each coordinate points to a specific location on Earth.bashcat message.txtWhat didn't work first
Tried: Treat the raw coordinate numbers as an encoding directly (e.g. convert decimal degrees to ASCII).
Latitude and longitude values like 35.6895 and 139.6917 are floating-point degree values, not character codes. Treating them as ASCII or base-10 integers produces garbage output. The coordinates are inputs to a reverse-geocoding lookup, not a numeric cipher.
Tried: Search for a pattern in the decimal parts of each coordinate, assuming the flag is hidden in the fractional digits.
The fractional parts of the coordinates are real GPS precision values, not encoded data. There is no hidden pattern in the decimals themselves. The flag encoding operates entirely at the level of city names derived from reverse geocoding.
Learn more
GPS coordinates use the WGS84 datum. Latitude ranges from -90 (South Pole) to +90 (North Pole). Longitude ranges from -180 to +180, with 0 at the Prime Meridian through Greenwich, England. Positive longitude is East, negative is West.
Step 2
Geocode each coordinate to a city nameObservationI noticed the challenge title references Mr. Worldwide (a play on the name of rapper Pitbull, who calls himself Mr. Worldwide) and the description said the first letters of city names spell the flag, which suggested each coordinate needed to be reverse-geocoded to recover those city names.For each coordinate pair, use Google Maps (paste coordinates into the search bar) or a geocoding API to find the nearest city. Note the first letter of each city name.pythonpython3 << 'EOF' # Using geopy for reverse geocoding from geopy.geocoders import Nominatim geolocator = Nominatim(user_agent="picoctf") coords = [ # (lat, lon), # paste coordinates here ] for lat, lon in coords: location = geolocator.reverse(f"{lat}, {lon}") print(location.address) EOFWhat didn't work first
Tried: Use the street or neighborhood name from the geocoder result instead of the city name.
Nominatim returns a full address string that may start with a street name, suburb, or district. Taking the first letter of that full string gives the wrong character. The challenge uses the major city name specifically - look for the city or town field in the parsed address components, not the raw address string.
Tried: Run the geopy script against only the first coordinate to test it, then assume the rest will work the same way.
Nominatim rate-limits requests and may return slightly different result formats depending on the coordinate. Some coordinates may resolve to a country name or administrative region rather than a city if the point is in a rural area. Each coordinate must be checked and the city name verified individually before extracting its first letter.
Learn more
Reverse geocoding converts coordinates to a human-readable address. The Nominatim service (powered by OpenStreetMap) is free for low-volume use. Google Maps Geocoding API is more accurate but requires an API key.
For this challenge, the important part is the city name, not the full address. Focus on the major city closest to each coordinate.
Step 3
Take first letters to spell the flagObservationI noticed the description explicitly stated that the first letters of the city names spell the flag, which confirmed this acrostic step was the final decoding operation needed to assemble the picoCTF{...} answer.Collect the first letter of each city name in order. These letters form the flag content. Wrap the result in picoCTF{...}.Learn more
This encoding technique is called an acrostic - using the first letter of each word or item to spell a hidden message. It has been used in literature, art, and espionage for centuries.
Interactive tools
- Base64 & Base32 DecoderDecode Base64 and Base32 strings with auto-detection. Multi-layer mode unwraps nested encodings automatically.
- Recipe ChainStack decoders into a pipeline: Base64, hex, ROT, XOR, Morse, URL, Atbash, Vigenère, and more. Magic mode auto-discovers the chain. Bookmark the URL to save it.
- Number Base ConverterConvert numbers between binary, octal, decimal, and hexadecimal instantly. Enter any value and see all four bases update in real time.
Flag
Reveal flag
picoCTF{KODIAK_ALASKA}
Geocode each coordinate to a city and take the first letter of each city name - they spell out the flag.