Nothing Up My Sleeve picoCTF 2020 Mini-Competition Solution

Published: April 2, 2026

Description

This challenge promises that nothing is hidden: the flag is 'in-the-clear.' Your only task is to retrieve the file from the challenge server and read it.

Download the file from the challenge page.

bash
wget <challenge_url>/nothing_up_my_sleeve

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Download and read the file
    Observation
    The challenge description explicitly stated the flag is 'in-the-clear,' which meant no encoding or obfuscation was involved and suggested that simply downloading the file and printing it with cat would be sufficient.
    Use wget (or curl) to download the file from the URL provided on the challenge page, then print its contents with cat. The flag is stored as plain ASCII text with no encoding, encryption, or steganography.
    bash
    wget <challenge_url>/nothing_up_my_sleeve
    bash
    cat nothing_up_my_sleeve
    What didn't work first

    Tried: Run 'strings nothing_up_my_sleeve' expecting to extract hidden text from a binary.

    The file is plain ASCII, so strings produces the same output as cat - but the real trap is assuming the file is binary in the first place. The challenge description says the flag is in-the-clear, meaning cat is sufficient and no extraction tool is needed.

    Tried: Open the downloaded file in a hex editor looking for encoded or obfuscated content.

    A hex editor shows raw bytes, which for a plain ASCII file just mirrors what cat already displayed. Nothing is encoded or hidden in the byte stream. The title 'nothing up my sleeve' is literal - there is no steganography, encoding, or obfuscation to reverse.

    Learn more

    The challenge title is a reference to the cryptographic concept of "nothing-up-my-sleeve numbers" - constants chosen in a transparent way to assure users that no hidden backdoors or biases were built in. Here it is used literally: there is genuinely nothing hidden. The flag is sitting in the file as readable text.

    wget downloads a file from a URL and saves it to disk. curl -O is an equivalent alternative. After saving, cat prints the file contents to the terminal. These two commands are the entire solution.

    This style of challenge is sometimes called a "sanity check" - it verifies that you can connect to the challenge server and run basic command-line tools, rather than testing a specific vulnerability class.

Interactive tools
  • Cipher Identifier & Auto-DecoderPaste any ciphertext and the tool auto-runs every common decoder (base64, hex, Morse, ROT, Atbash, Bacon, binary, decimal, URL) and ranks the results by English-likeness.
  • Frequency AnalysisAnalyze letter frequencies in a substitution cipher and interactively build the decryption mapping with auto-filled guesses.

Flag

Reveal flag

picoCTF{...}

The flag is stored in plaintext in the downloaded file - no decoding or extra tools required.

Key takeaway

Plaintext files served over HTTP expose their full contents to anyone who can reach the URL, with no authentication or encryption protecting them. wget and curl are the standard tools for fetching remote files from the command line, and cat prints any text file directly to the terminal. In CTFs and real audits alike, the first step is always to check whether data is protected at all before assuming a complex vulnerability is needed.

Related reading

Want more picoCTF 2020 Mini-Competition writeups?

Useful tools for General Skills

What to try next