Mr-Worldwide picoCTF 2019 Solution

Published: April 2, 2026

Description

A musician who calls himself Mr. Worldwide has hidden a flag using GPS coordinates. Each coordinate maps to a city - the first letters spell the flag.

Download the file containing the coordinates.

bash
wget <url>/message.txt

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Read the coordinate list
    Observation
    I noticed the challenge description said coordinates were involved and the setup step downloaded message.txt, which suggested the first action was to inspect the file contents to see how many coordinate pairs there were and what format they used.
    Open the file. It contains a list of GPS coordinates (latitude, longitude pairs). Each coordinate points to a specific location on Earth.
    bash
    cat message.txt
    What didn't work first

    Tried: Treat the raw coordinate numbers as an encoding directly (e.g. convert decimal degrees to ASCII).

    Latitude and longitude values like 35.6895 and 139.6917 are floating-point degree values, not character codes. Treating them as ASCII or base-10 integers produces garbage output. The coordinates are inputs to a reverse-geocoding lookup, not a numeric cipher.

    Tried: Search for a pattern in the decimal parts of each coordinate, assuming the flag is hidden in the fractional digits.

    The fractional parts of the coordinates are real GPS precision values, not encoded data. There is no hidden pattern in the decimals themselves. The flag encoding operates entirely at the level of city names derived from reverse geocoding.

    Learn more

    GPS coordinates use the WGS84 datum. Latitude ranges from -90 (South Pole) to +90 (North Pole). Longitude ranges from -180 to +180, with 0 at the Prime Meridian through Greenwich, England. Positive longitude is East, negative is West.

  2. Step 2
    Geocode each coordinate to a city name
    Observation
    I noticed the challenge title references Mr. Worldwide (a play on the name of rapper Pitbull, who calls himself Mr. Worldwide) and the description said the first letters of city names spell the flag, which suggested each coordinate needed to be reverse-geocoded to recover those city names.
    For each coordinate pair, use Google Maps (paste coordinates into the search bar) or a geocoding API to find the nearest city. Note the first letter of each city name.
    python
    python3 << 'EOF'
    # Using geopy for reverse geocoding
    from geopy.geocoders import Nominatim
    geolocator = Nominatim(user_agent="picoctf")
    
    coords = [
        # (lat, lon),
        # paste coordinates here
    ]
    
    for lat, lon in coords:
        location = geolocator.reverse(f"{lat}, {lon}")
        print(location.address)
    EOF
    What didn't work first

    Tried: Use the street or neighborhood name from the geocoder result instead of the city name.

    Nominatim returns a full address string that may start with a street name, suburb, or district. Taking the first letter of that full string gives the wrong character. The challenge uses the major city name specifically - look for the city or town field in the parsed address components, not the raw address string.

    Tried: Run the geopy script against only the first coordinate to test it, then assume the rest will work the same way.

    Nominatim rate-limits requests and may return slightly different result formats depending on the coordinate. Some coordinates may resolve to a country name or administrative region rather than a city if the point is in a rural area. Each coordinate must be checked and the city name verified individually before extracting its first letter.

    Learn more

    Reverse geocoding converts coordinates to a human-readable address. The Nominatim service (powered by OpenStreetMap) is free for low-volume use. Google Maps Geocoding API is more accurate but requires an API key.

    For this challenge, the important part is the city name, not the full address. Focus on the major city closest to each coordinate.

  3. Step 3
    Take first letters to spell the flag
    Observation
    I noticed the description explicitly stated that the first letters of the city names spell the flag, which confirmed this acrostic step was the final decoding operation needed to assemble the picoCTF{...} answer.
    Collect the first letter of each city name in order. These letters form the flag content. Wrap the result in picoCTF{...}.
    Learn more

    This encoding technique is called an acrostic - using the first letter of each word or item to spell a hidden message. It has been used in literature, art, and espionage for centuries.

Interactive tools
  • Base64 & Base32 DecoderDecode Base64 and Base32 strings with auto-detection. Multi-layer mode unwraps nested encodings automatically.
  • Recipe ChainStack decoders into a pipeline: Base64, hex, ROT, XOR, Morse, URL, Atbash, Vigenère, and more. Magic mode auto-discovers the chain. Bookmark the URL to save it.
  • Number Base ConverterConvert numbers between binary, octal, decimal, and hexadecimal instantly. Enter any value and see all four bases update in real time.

Flag

Reveal flag

picoCTF{KODIAK_ALASKA}

Geocode each coordinate to a city and take the first letter of each city name - they spell out the flag.

Key takeaway

Acrostic encoding hides a message in the initial letters of a sequence of items, whether words, lines, or in this case geographic place names. The technique has appeared in poetry, propaganda, and steganography for centuries because it is undetectable without knowing to look for it. In security contexts, similar first-letter or positional encodings show up in CTF challenges involving song lyrics, book ciphers, and structured data like DNS records or certificate fields. The real skill being tested is recognizing that a sequence of seemingly unrelated items may carry a secondary meaning in its structure.

Related reading

Want more picoCTF 2019 writeups?

Useful tools for Cryptography

What to try next