Writeup in progress
Currently making the solution for Weird Fileand the walkthrough will be published here as soon as it's ready.
Check back soon - or follow our latest updates on the homepage- to be notified when the full writeup goes live.
Weird File
Published: April 2, 2026
Want more picoCTF 2021 writeups?
Useful tools for Forensics
- Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
- Checksum CalculatorCompute CRC32, SHA-1, SHA-256, SHA-384, and SHA-512 hashes for text or uploaded files. Verify against known hashes.
- Base64 & Base32 DecoderDecode Base64 and Base32 strings with auto-detection. Multi-layer mode unwraps nested encodings automatically.
- Hash IdentifierIdentify unknown hash types by length and prefix. Covers MD5, SHA-1, SHA-256, SHA-512, bcrypt, NTLM, and more.
Related reading
- Wireshark and pcap Analysis for CTF ForensicsA hands-on guide to analyzing network packet captures (pcap files) in CTF competitions using Wireshark and tshark: following TCP streams, finding credentials, extracting files, and applying display filters.
- How to Read and Analyze Hex DumpsLearn to read and analyze hex dumps for CTF challenges -- understanding the xxd format, spotting magic bytes, finding hidden strings, and using hex editors to inspect binary files.
What to try next
- ForensicsMedium
DISKO 4
Use sleuthkit's fls -r -d to list deleted files in the disk image, then recover the flag file's contents with icat using the deleted inode number.
- ForensicsMedium
Forensics Git 0
Mount the disk image with mmls to find the partition offset, then search the git repository exhaustively: commit patches, stash, tags, notes, reflog, and dangling objects via git fsck --lost-found.
- ForensicsMedium
Forensics Git 1
Mount the disk image with mmls, copy the git repo, and search all eight hiding spots: git log --all -p, branches, stash, tags, notes, reflog, fsck --unreachable, and lost-found blobs.
- ForensicsMedium
Forensics Git 2
Four-phase recovery: raw strings search, then mmls + mount, then git fsck/lost-found, then TSK icat for deleted inodes. The deletion routine was interrupted, leaving git objects partially intact.
- ForensicsMedium
Rogue Tower
A suspicious cell tower lurks in captured network traffic. Analyze the PCAP to identify the rogue tower, the compromised device, and recover the exfiltrated flag.