useless picoCTF 2023 Solution

Published: April 26, 2023

Description

The "useless" workstation exposes SSH access plus a suspicious calculator script. Somewhere inside its documentation hides the flag.

SSH into saturn.picoctf.net on port 64713 with the provided credentials.

List the home directory, execute ./useless, and read both the script and its man page.

bash
ssh picoplayer@saturn.picoctf.net -p 64713
bash
password
bash
ls && ./useless
bash
man useless

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Inspect the script
    Observation
    I noticed that running ./useless without arguments immediately printed a message telling me to 'Read the code first,' which suggested the script itself was transparent and worth examining before attempting any other approach.
    Running the script without proper arguments prompts you to "Read the code first." View the bash source to learn it performs basic math operations.
    bash
    less useless
    What didn't work first

    Tried: Running ./useless with math arguments like ./useless 2 + 3 to trigger hidden behavior or expose the flag.

    The script just prints a numeric result and exits normally. No hidden flag branch exists inside the arithmetic logic. The flag is not reachable through any combination of arguments; it lives in the man page documentation, not in the script's runtime output.

    Tried: Using strings useless to look for the flag embedded in the script binary.

    The useless file is a plain bash script, not a compiled binary, so strings reports the entire file as readable text anyway. Nothing is hidden inside the file itself - the challenge intentionally puts the flag in a separate man page. Reading the script source with less reveals only the math logic, not the flag.

    Learn more

    Shell scripts are plain-text files containing sequences of shell commands. Unlike compiled binaries, their source code is always readable with less or any text editor; there is no compilation step to reverse. This transparency is both a feature (easy to audit) and a limitation (no obfuscation possible without an external binary).

    Bash scripts often use a shebang line at the top (#!/bin/bash) to specify the interpreter. The script's error message telling you to "Read the code first" is a metacommentary; the challenge is literally teaching you that reading source code is the right debugging approach. In CTF terms, source code review (white-box testing) is always preferable to black-box guessing when the source is available. For broader Linux command-line workflow tips, see Linux CLI for CTF.

  2. Step 2
    Read the manual
    Observation
    I noticed the script source contained only arithmetic logic with no hidden flag branch, and the setup already prompted me to run 'man useless', which suggested the flag was embedded somewhere in the custom man page documentation rather than in the script itself.
    Find the actual man page path with man -w useless, then run man useless and jump to the bottom. The flag is stashed at the end of the page.
    bash
    man -w useless
    bash
    man useless

    Expected output

    /usr/local/share/man/man1/useless.1.gz
    What didn't work first

    Tried: Grepping the raw script file for picoCTF with grep picoCTF useless instead of reading the man page.

    The flag is stored inside the gzipped man page at /usr/local/share/man/man1/useless.1.gz, not in the useless script itself. grep on the script file returns no matches. The correct approach is to run man useless and scroll to the bottom, or use zcat $(man -w useless) | grep picoCTF to search the decompressed man page source.

    Tried: Scrolling through the man page with the arrow keys from the top instead of jumping directly to the end.

    Man pages open in less, which paginates long documents. Using arrow keys from the beginning on a multi-page man page is slow and easy to miss a short flag line. Pressing G inside less jumps immediately to the last line where the flag is placed, and /picoCTF searches forward to it directly without manual scrolling.

    Learn more

    man pages are the traditional documentation system for Unix/Linux programs. Every standard command has a man page accessible via man <command>. Man pages are written in troff/groff markup and displayed through a pager (usually less). They are organized into sections: 1 (user commands), 2 (system calls), 3 (library functions), 5 (file formats), 8 (system administration), and so on.

    man -w useless prints the actual filesystem path of the man page (often something like /usr/local/share/man/man1/useless.1.gz). Knowing the path lets you grep the raw troff source directly with zcat $(man -w useless) | grep picoCTF if you would rather not scroll.

    Custom programs can install their own man pages in /usr/local/share/man/ or /usr/share/man/. This challenge placed a man page for the useless script there, mimicking how real software is documented. The flag hidden at the bottom of the man page teaches you to always read documentation thoroughly; important context, warnings, or in this case flags, are often at the end.

    Navigating man pages. Man pages open in less by default. Key navigation:

    • Space or f: scroll forward one page
    • b: scroll backward one page
    • G: jump to the end (where the flag is)
    • g: jump to the beginning
    • /pattern: search for a pattern (e.g. /picoCTF)
    • q: quit

    Real-world significance. Hiding data inside documentation is obfuscation, not real steganography; anyone reading the docs end-to-end will see it. In real penetration testing, reading all available documentation, comments, and metadata of a target system is called information gathering or reconnaissance; you never know what useful details (API keys, internal URLs, debug flags) might be left in plain sight inside docs and comments.

Flag

Reveal flag

picoCTF{us3l3s...it3d_4373}

No exploitation is required; just follow the hints inside the tool's documentation.

Key takeaway

Unix man pages are a first-class documentation channel and a real information-gathering surface. Sensitive details including credentials, internal paths, debug flags, and in this challenge the flag itself can be embedded anywhere in documentation that developers assume nobody reads end-to-end. The habit of reading all available docs, comments, and metadata before resorting to active exploitation is foundational to both CTF success and real-world reconnaissance.

Related reading

Want more picoCTF 2023 writeups?

Useful tools for General Skills

What to try next