speeds and feeds picoCTF 2021 Solution

Published: April 2, 2026

Description

There is something on my network running at mercury.picoctf.net:16524. Connect and figure out what it is.

Remote

Connect to the service and save its output to a file.

```bash
nc mercury.picoctf.net 16524 > output.gcode
```

Sanity-check that the file looks like real G-code before opening a viewer.

```bash
head output.gcode  # expect lines starting with G0/G1 X.. Y..
```

Solution

  1. Step 1
    Identify the output format
    Observation
    I noticed the server output contained lines beginning with G0 and G1 followed by X and Y coordinates, and the challenge title references 'speeds and feeds', a machinist term, which suggested the data was G-code rather than a cipher or encoded text.
    Open output.gcode in a text editor. You will see lines beginning with G0 and G1 followed by X and Y coordinates. This is G-code - the programming language used to control CNC machines and 3D printers. G0 is a rapid move, G1 is a controlled cut/draw move.
    What didn't work first

    Tried: Trying to decode the output as a cipher - looking for Caesar, Base64, or hex patterns in the coordinate values.

    The X and Y numbers look like arbitrary data, and beginners instinctively reach for CyberChef or frequency analysis. The coordinate values are not encoded text - they are floating-point positions in 2D space. The flag only becomes readable when the full path is rendered visually.

    Tried: Searching online for what 'G0' and 'G1' mean without realizing the entire file is a single format.

    Beginners often look up one command in isolation and get lost in CNC documentation about feed rates and spindle speeds. The key insight is that G0/G1 together define a toolpath - G0 lifts the pen and G1 draws. Understanding the pair, not just one command, is what leads to finding a visualizer.

    Learn more

    G-code (also called RS-274) is a numerical control language developed in the 1950s. It describes toolpaths as sequences of X/Y/Z coordinates and motion commands. G0 is a rapid positional move (pen up equivalent), and G1 is a linear feed move (pen down - actually cutting or drawing). The toolpath traced by G1 moves spells out the flag.

    G-code in the real world: CNC (Computer Numerical Control) machines use G-code to control mills, lathes, plasma cutters, laser cutters, and 3D printers. The same RS-274 standard from the 1950s is still in use today on industrial equipment, though with manufacturer-specific extensions. 3D printer firmware like Marlin and Klipper interpret G-code directly - when you "slice" a 3D model in software like Cura or PrusaSlicer, the output is a .gcode file containing hundreds of thousands of G1 move commands describing the printer's exact path.

    Title hint - "speeds and feeds": In machining, "speeds and feeds" refers to spindle speed (RPM) and feed rate (how fast the cutting tool moves through the material). These are the two primary parameters a machinist controls. The title references this vocabulary to hint that the data is CNC-related without directly saying "G-code." Recognizing domain-specific vocabulary is a useful CTF skill - challenge titles often contain the key clue.

  2. Step 2
    Visualize in NCViewer
    Observation
    I noticed the G-code file defined a continuous toolpath through G0 (rapid move) and G1 (feed move) commands, which suggested the flag was drawn as connected line segments and would only be readable by rendering the path visually in a G-code viewer.
    Go to ncviewer.com in your browser. Paste the contents of output.gcode into the editor. The viewer renders the CNC toolpath graphically - the connected G1 moves trace the flag letters on screen.
    What didn't work first

    Tried: Uploading the file to a generic text or code viewer instead of a G-code specific visualizer.

    Generic viewers just display the raw lines of coordinates, which is no different from opening the file in a text editor. A G-code visualizer is needed because it interprets the X/Y values as positions and draws the connecting lines between them, turning the coordinate stream into recognizable letter shapes.

    Tried: Writing a script to extract just the numeric values from the G-code lines and searching them for ASCII character codes.

    The coordinates are not ASCII values or any other encoded character format - they are real spatial positions. Processing them arithmetically as plain numbers yields nothing useful. The correct approach is to render the path as connected line segments, which a G-code viewer does automatically.

    Learn more

    NCViewer (ncviewer.com) is a free online G-code visualizer. It renders toolpaths as lines on a 2D canvas, making it trivial to read any text or shapes drawn by the machine. NCViewer supports standard RS-274 commands - G0 (rapid), G1 (linear feed), G2 (clockwise arc), and G3 (counterclockwise arc) - which is what this challenge uses. Machine-specific extensions like G38 (probing) will not render; if the file uses those, switch to a fuller-featured viewer.

    Coordinate units. NCViewer auto-scales the path to fit, so the output should always be visible. If the rendered path looks tiny or absurdly huge, switch the unit setting in NCViewer (mm vs inches) - some servers emit metric, others imperial.

    Output integrity. If head output.gcode shows non-G-code text or the file is empty, the connection dropped before the server finished. Reconnect and redirect again before opening the viewer.

    This challenge demonstrates that data encoding does not have to involve traditional ciphers - any format that encodes information visually or spatially can be used to hide a flag. Recognizing the format (G-code vs. coordinates vs. vectors) is the key first step.

    Offline alternatives: CAMotics (full CNC simulator), the GCode Viewer extension for VS Code, or a 30-line Python script using matplotlib to plot consecutive G1 X/Y points - all render locally without depending on a website.
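The offline route mentioned above, as an added example that is not code from the original writeup: a dependency-free Python script that tracks G0/G1 as modal pen-up/pen-down state and writes the G1 strokes as SVG (in place of matplotlib), failing loudly when the capture contains no drawable moves. The names `parse_strokes`, `to_svg` and the `SAMPLE` input are constructed for illustration, and arcs (G2/G3) are not interpolated.

```python
import re
import sys

WORD = re.compile(r"([A-Za-z])\s*([-+]?\d*\.?\d+)")  # "G1", "X0.82", spaced or not
# Constructed sample (not the challenge output): two separate pen-down strokes.
SAMPLE = "G17 G21 G90 F50\nG0X0Y2\nG1X0Y0\nG1X1Y0\nG0 X2 Y0\nG1 X2 Y2\nX3 Y2\n"

def parse_strokes(gcode):
    """Return the polylines traced by G1 moves as lists of (x, y) points."""
    x = y = 0.0
    mode, strokes, current = None, [], None   # motion mode persists across lines
    for raw in gcode.splitlines():
        line = re.sub(r"\(.*?\)|;.*", "", raw)        # drop G-code comments
        nx, ny, moved = x, y, False
        for letter, num in WORD.findall(line):
            letter, val = letter.upper(), float(num)
            if letter == "G" and val in (0, 1, 2, 3):
                mode = int(val)
            elif letter == "X":
                nx, moved = val, True
            elif letter == "Y":
                ny, moved = val, True
        if not moved:
            continue                 # setup line, Z-only move, or blank line
        if mode == 1:                # pen down: start or extend a stroke
            if current is None:
                current = [(x, y)]
                strokes.append(current)
            current.append((nx, ny))
        else:                        # G0 (or an arc, not drawn here): pen up
            current = None
        x, y = nx, ny
    return strokes

def to_svg(strokes, scale=10, pad=5):
    """Render strokes as an SVG string; raise if nothing was drawn."""
    pts = [p for s in strokes for p in s]
    if not pts:
        raise ValueError("no G1 moves found: truncated or non-G-code input")
    xs, ys = [p[0] for p in pts], [p[1] for p in pts]
    body = ""
    for s in strokes:                # SVG's y axis points down, so flip y
        d = " ".join(f"{'L' if i else 'M'}{(px - min(xs)) * scale + pad:.2f},"
                     f"{(max(ys) - py) * scale + pad:.2f}" for i, (px, py) in enumerate(s))
        body += f'<path d="{d}" fill="none" stroke="black"/>'
    w, h = (max(xs) - min(xs)) * scale + 2 * pad, (max(ys) - min(ys)) * scale + 2 * pad
    return f'<svg xmlns="http://www.w3.org/2000/svg" width="{w:.0f}" height="{h:.0f}">{body}</svg>'

if __name__ == "__main__":
    print(to_svg(parse_strokes(sys.stdin.read())))
```

Feed it the saved capture on stdin and redirect stdout to an `.svg` file, then open that file in any browser.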

Flag

picoCTF{num3r1cal_c0ntr0l_...}

G-code describes CNC toolpaths in X/Y coordinates - visualizing them in a viewer reveals the flag drawn as a connected path.

Key takeaway

Data can be encoded in any domain-specific format, not just ciphers or binary structures. G-code encodes spatial information as sequences of coordinates, and the same principle applies to SVG paths, PostScript, and other vector formats where a renderer is needed to interpret the data visually. Recognizing the format from context clues (vocabulary in the challenge title, structure of the output) is the first and most important step in any unusual encoding challenge.
