Description
Do you know how to move between different directories and read files in the shell? SSH into the instance to retrieve a 3-part flag.
Setup
SSH into the provided instance using the credentials given on the challenge page.
ssh <user>@<host> -p <PORT>Solution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Read part 1ObservationI noticed that the challenge description said the flag is split into three parts retrieved over SSH, and that SSH sessions start in the home directory, which suggested checking for a flag file there immediately after login.After logging in, part 1 of the flag is in your home directory. The file also tells you where to find part 2.bashcat 1of3.flag.txtWhat didn't work first
Tried: Running 'ls' without arguments and not seeing the file, then assuming it is hidden and trying 'ls -a' to look for a dotfile like '.flag.txt'
The file is named '1of3.flag.txt', not a dotfile, so it does appear in a plain 'ls'. The confusion arises because CTF challenges sometimes hide files with a leading dot. Here the filename is fully visible - 'cat 1of3.flag.txt' works immediately without any hidden-file tricks.
Tried: Using 'find . -name flag.txt' to locate the flag file instead of reading 1of3.flag.txt directly
The find command returns no results because the file is named '1of3.flag.txt', not 'flag.txt'. The partial name search would need 'find . -name "*flag*"' to match, and even then it only finds part 1 - the path hints inside each file are the intended navigation mechanism, not filesystem search.
Learn more
SSH (Secure Shell) is a cryptographic network protocol that provides secure remote access to a machine over an unsecured network. When you log in via SSH, your shell session starts in your home directory - typically
/home/usernameon Linux systems. Files placed in the home directory are immediately accessible without any path prefix.The
catcommand (short for "concatenate") reads a file and prints its contents to standard output. It's the most direct way to view the contents of small text files in a terminal. The convention of hiding hints inside the files themselves is common in CTFs - each clue leads you to the next location.Step 2
Read part 2ObservationI noticed that the content of 1of3.flag.txt included a path hint pointing to the root of the filesystem, which suggested navigating to / and reading 2of3.flag.txt using an absolute path.Part 2 is located at the root of the filesystem. Navigate there and read it.bashcat /2of3.flag.txtWhat didn't work first
Tried: Running 'cd /' then 'cat 2of3.flag.txt' as a two-step sequence instead of using the absolute path directly
Changing directory to / first works, but it is unnecessary - 'cat /2of3.flag.txt' uses an absolute path and reads the file from any working directory. The two-step approach also leaves your shell in / for subsequent commands, which can cause confusion when the next clue sends you back to ~.
Tried: Looking for the file under /home or /root instead of directly at / because files directly in the root directory are unusual
On a real system, storing data files at / is atypical, but the challenge deliberately places 2of3.flag.txt there to teach that the root directory is just another location in the filesystem. Running 'ls /' reveals the file alongside the standard top-level directories like /bin, /etc, and /home.
Learn more
The root directory (
/) is the top of the Linux filesystem hierarchy - every file and directory on the system lives somewhere under/. Unlike Windows, which has separate drive letters likeC:\, Linux uses a single unified tree. The/prefix in a path makes it absolute, meaning it starts from the root regardless of your current working directory.Common top-level directories include
/home(user home directories),/etc(system configuration),/binand/usr/bin(executables), and/tmp(temporary files). Files placed directly at/are unusual outside of CTF challenges.Step 3
Read part 3ObservationI noticed that 2of3.flag.txt contained a hint directing back to the home directory, and that the shell may have drifted to / during the previous step, which suggested using the ~ shorthand to read 3of3.flag.txt without needing an explicit cd.Part 3 is back in your home directory (~). Read it and assemble all three parts into the full flag.bashcat ~/3of3.flag.txtWhat didn't work first
Tried: Using 'cat 3of3.flag.txt' as a relative path after navigating to / in the previous step, expecting it to work from the current directory
If your shell is still sitting at / from exploring part 2, a bare relative path like '3of3.flag.txt' resolves to /3of3.flag.txt which does not exist. The file is in the home directory, so you need the absolute-style shorthand 'cat ~/3of3.flag.txt' or must first run 'cd ~' to return home before using a relative path.
Tried: Trying to concatenate all three files at once with 'cat 1of3.flag.txt 2of3.flag.txt ~/3of3.flag.txt' from the home directory to get all parts in one shot
The middle file lives at /2of3.flag.txt (root of the filesystem), so the bare path '2of3.flag.txt' resolves relative to your current directory and produces a 'No such file or directory' error. You need to use the absolute path: 'cat ~/1of3.flag.txt /2of3.flag.txt ~/3of3.flag.txt'.
Learn more
The tilde (
~) is a shell shorthand that expands to the current user's home directory path. For example, if your username isctfplayer, then~/3of3.flag.txtexpands to/home/ctfplayer/3of3.flag.txt. This shorthand works in any bash or zsh shell and is faster than typing the full absolute path.The challenge deliberately scatters the flag across three different locations - home directory, root (
/), and back to home - to teach the fundamental skill of navigating a Linux filesystem. Understanding absolute paths (starting with/), relative paths (relative to current directory), and the~shorthand are all essential daily tools for any developer or security researcher working on Linux.Other useful navigation commands:
pwd- print working directory (shows where you currently are)ls -la- list all files including hidden ones with detailscd -- jump back to the previous directoryfind / -name "*.txt"- search the entire filesystem for .txt files
Flag
Reveal flag
picoCTF{xxsh_0ut_0f_\/\/4t3r_...}
The three flag files are split across different directory locations; each file tells you where to find the next one.