Tab, Tab, Attack picoCTF 2021 Solution

Published: April 2, 2026

Description

Using tab complete in the terminal will add years to your life, especially when dealing with long file names. Download and extract Addadshashanammu.zip.

Download Addadshashanammu.zip from the challenge page.

bash
wget <url>/Addadshashanammu.zip

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Extract the archive
    Observation
    I noticed the downloaded file was named Addadshashanammu.zip with a .zip extension, which meant I needed to use the unzip command to unpack the ZIP container before any contents could be accessed.
    Unzip the archive to reveal the top-level directory.
    bash
    unzip Addadshashanammu.zip
    What didn't work first

    Tried: Using 'tar -xf Addadshashanammu.zip' to extract the archive

    tar will report 'This does not look like a tar archive' because .zip files use a different container format than .tar. The unzip command is required for .zip archives; tar handles .tar, .tar.gz, .tgz, and similar formats but not .zip.

    Tried: Running 'gunzip Addadshashanammu.zip' to decompress the file

    gunzip only handles gzip-compressed files (.gz extension) and will error with 'unknown suffix - ignored' on a .zip file. ZIP combines archiving and compression in its own format, so only unzip (or a compatible tool like 7z) can extract it.

    Learn more

    unzip extracts ZIP archives on Linux and macOS. ZIP is the most common archive format for cross-platform file distribution. Unlike tar.gz (which requires two tools - tar to pack and gzip to compress), ZIP handles both archiving and compression in a single format.

    Before extracting an unknown archive, it's good practice to inspect its contents with unzip -l Addadshashanammu.zip. This lists all files inside without extracting them, preventing "zip bombs" (maliciously crafted archives that expand to enormous sizes) and showing you the directory structure ahead of time.

  2. Step 2
    Navigate using tab completion
    Observation
    I noticed the archive contained 7 levels of nested directories with nearly identical 20-character names, which made manual typing error-prone and suggested using tab completion to autocomplete each directory name uniquely.
    The zip contains 7 levels of nested directories with nearly identical long names. Type the first few letters of each directory name, then press Tab to autocomplete. Keep pressing Tab and Enter to descend until you reach the binary at the deepest level.
    bash
    cd Addadshashanammu/
    What didn't work first

    Tried: Manually typing the full nested directory path in a single 'cd' command without tab completion

    The directory names are 20+ characters long with only minor differences between levels (e.g. 'Addadshashanammu' vs 'Haynekhtnamet'). A single typo causes 'No such file or directory' and the error message does not indicate which segment was wrong. Tab completion avoids this by autocompleting each segment to the unique match before you move on.

    Tried: Using 'ls -R' from the top-level directory to find the binary name and then 'cd' to it in one command

    'ls -R' does list all nested files but the output spans many lines and the relative paths shown cannot be passed directly to 'cd' as a single argument. You still need to navigate level by level; tab completion is the intended shortcut for doing that quickly.

    Learn more

    Tab completion is one of the most productivity-enhancing features of the bash and zsh shells. When you press Tab, the shell attempts to complete the current word based on available files, directories, commands, and (with plugins) command arguments. If there's a unique match, it completes immediately. If there are multiple matches, pressing Tab twice lists all options.

    This challenge deliberately names the nested directories with nearly identical long strings (inspired by a Futurama reference - "Addadshashanammu" is from the show) to make manual typing impractical. With tab completion, you only need to type enough characters to uniquely identify each directory, then press Tab. The shell handles the rest.

    Alternative approaches for navigating deeply nested structures:

    • find . -type f -executable - find all executable files recursively, jumping straight to the binary
    • find . -name "fang*" - search by filename pattern
    • ls -R | grep -v "^$" - recursive listing to see all files at once

    Tab completion also works for commands, not just filenames. Pressing Tab after typing the first few letters of a command completes the command name, which is useful when you can't remember the exact spelling of a tool.

  3. Step 3
    Execute the binary
    Observation
    I noticed a file named fang-of-haynekhtnamet at the deepest directory level with no extension, which indicated it was a native executable that could be run directly to reveal the flag.
    Once you've navigated to the deepest directory, run the binary fang-of-haynekhtnamet to print the flag.
    bash
    ./fang-of-haynekhtnamet

    Expected output

    picoCTF{l3v3l_up!_t4k3_4_r35t!_...}
    Learn more

    The ./ prefix explicitly tells the shell to run the executable in the current directory. On Linux, the current directory is not included in $PATH by default (unlike Windows), so typing just fang-of-haynekhtnamet would result in "command not found." The ./ is a safety feature - it prevents accidentally running a maliciously named file placed in a directory instead of the intended system command.

    Before running any downloaded binary, it's good practice to inspect it: file fang-of-haynekhtnamet tells you the binary format (ELF, PE, etc.) and architecture. strings fang-of-haynekhtnamet shows embedded text. In a CTF context, the challenge is designed to be safe - but in real security work, never blindly execute unknown binaries, even in a VM.

    If the binary isn't executable, chmod +x fang-of-haynekhtnamet grants execute permission. The octal representation is chmod 755 for owner-read/write/execute + group/other-read/execute. File permissions are a fundamental Linux concept that controls who can read, write, or execute each file.

Interactive tools
  • File Magic IdentifierIdentify file types from magic numbers. Paste hex bytes or drop a file to detect PNG, JPEG, ZIP, PDF, ELF, PCAP, SQLite, and dozens of other formats.
  • Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
  • Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.

Flag

Reveal flag

picoCTF{l3v3l_up!_t4k3_4_r35t!_...}

The zip contains 7 levels of nested directories with near-identical long names - tab completion is essential.

Key takeaway

Shell tab completion is a fundamental productivity tool that lets you navigate and operate on files with long or nearly identical names without typing them in full. Beyond convenience, the same principle of recursive filesystem traversal applies in security contexts: find commands, directory traversal vulnerabilities, and path enumeration all depend on understanding how nested directory structures can obscure files from casual inspection. In real engagements, attackers and defenders alike use recursive search tools rather than manual navigation to locate configuration files, credentials, or binaries buried in deep directory trees.

Related reading

Want more picoCTF 2021 writeups?

Useful tools for General Skills

What to try next