where-is-the-file picoCTF 2019 Solution

Published: April 2, 2026

Description

I think I may have hidden the file in the folder. Can you find it?

Remote

SSH or connect to the provided shell environment where the hidden file resides.

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    List all files including hidden ones
    Observation
    I noticed the challenge description said the file was 'hidden in the folder,' which suggested it might be a dotfile that ls omits by default, pointing directly to using ls -a to reveal names beginning with a period.
    Files whose names begin with a dot are hidden from regular ls. The -a flag (all) forces ls to show them. Spot the dotfile and cat it to read the flag.
    bash
    ls -a
    bash
    cat .cant_see_me

    Expected output

    picoCTF{...}
    What didn't work first

    Tried: Running ls without any flags and looking for the file in the visible output

    Plain ls silently omits any filename that starts with a dot, so .cant_see_me never appears in the listing. The file is present on disk the entire time - only the -a (or --all) flag disables the dot-prefix filter and makes it visible.

    Tried: Running cat cant_see_me (without the leading dot) after spotting it with ls -a

    The shell treats the leading dot as part of the filename, not as a path separator. Omitting it causes a 'No such file or directory' error because the shell is looking for a completely different filename. The exact name including the dot must be typed: cat .cant_see_me.

    Learn more

    In Unix and Linux, any file or directory whose name begins with a period (.) is considered a hidden file (also called a dotfile). The convention originates from a quirk in early Unix where the ls command checked if the first character of a filename was . and skipped it if so - this was originally to hide the . (current directory) and .. (parent directory) entries, and the behavior was later extended by convention to any dotfile.

    The ls -a flag (or --all) overrides this filtering and shows every file including hidden ones. The related ls -A (capital A) shows all files except the special . and .. entries, which is usually more useful. Combining flags: ls -la shows all files in long format with permissions, ownership, size, and modification time.

    Dotfiles are used extensively in Linux for configuration:

    • ~/.bashrc, ~/.zshrc - shell configuration
    • ~/.ssh/ - SSH keys and known hosts
    • ~/.gitconfig - git user configuration
    • ~/.env - environment variables (sometimes accidentally committed to git)
    • .htaccess - Apache web server configuration per-directory

    In security contexts, attackers often hide malicious files with dotnames to avoid casual detection. During incident response, checking for unexpected dotfiles in home directories, /tmp, and web server directories is an important step. Tools like find / -name ".*" -type f enumerate all dotfiles system-wide. The lesson: "hidden" files in Unix are only hidden from casual ls use - they are perfectly visible with the right flags.

Interactive tools
  • File Magic IdentifierIdentify file types from magic numbers. Paste hex bytes or drop a file to detect PNG, JPEG, ZIP, PDF, ELF, PCAP, SQLite, and dozens of other formats.
  • Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
  • Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.

Flag

Reveal flag

picoCTF{w3ll_that_d1dnt_w0RK_...}

Per-instance flag. Two different hash suffixes found (cb4a5081 and 30444bc6) confirming per-instance variation. Prefix picoCTF{w3ll_that_d1dnt_w0RK_} is consistent.

Related reading

Want more picoCTF 2019 writeups?

Useful tools for General Skills

What to try next