Description
What was I last working on? I remember writing a note to help me remember...
Download the challenge zip, unzip it locally, then change into the drop-in directory.
Ensure git is installed so you can inspect the repository history.
wget https://artifacts.picoctf.net/c_titan/68/challenge.zip && \
unzip challenge.zip && \
cd drop-in/Solution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
List commit historyObservationI noticed the challenge description said 'I remember writing a note to help me remember,' and the downloaded artifact was a git repository, which suggested the note was stored in a commit message and that git log would reveal the flag in the history.git log walks the history newest-first. Each entry has a hash, author, date, and the full commit message; scan the messages for one containing picoCTF{...}.bashgit logOutput looks like this:commit 9f3a... (HEAD -> master) Author: ... Date: ... fix typo commit 5b2c... Author: ... Date: ... picoCTF{t1m3m@ch1n3_b476...}What didn't work first
Tried: Run git diff or git show to look at file changes instead of commit messages.
git diff and git show display changes to file contents between commits, not the text of commit messages themselves. The flag in this challenge was embedded in a commit message, so inspecting file diffs returns nothing useful. git log is the correct command because it prints the full message body for every commit.
Tried: Search for the flag inside files using grep -r 'picoCTF' after unzipping.
grep -r scans only the working tree - the files currently on disk. The flag was never written to a tracked file; it exists only in a historical commit message stored in the .git/objects directory. grep cannot read git object storage, so the search returns zero results even though the flag is present in the repository.
Learn more
git log displays the commit history of a repository in reverse chronological order (newest first). Each entry shows the commit hash, author, date, and the full commit message. In this challenge the flag was accidentally included in a commit message, a surprisingly common real-world mistake.
Accidental secret exposure in git history is a significant security risk in production codebases. Even if a later commit removes the secret from the files, the original commit stays in history. Truly removing it requires a history rewrite with
git filter-repoor BFG Repo Cleaner, followed by a force-push.git log --allincludes commits on all branches, not just the current one.git log --grep="picoCTF"filters commits whose messages match a pattern; useful in repos with many commits.- GitHub's secret scanning feature automatically flags common patterns (API keys, tokens) pushed to repos, but it cannot alert you to secrets already in history before the feature was enabled.
Step 2
Read the flagObservationI noticed that git log output showed a commit message containing the picoCTF{ pattern, which confirmed the flag was embedded there and simply needed to be copied out in full.Copy the full commit message that begins with picoCTF{ and ends with }. Verify both braces are present before submitting.Learn more
Finding secrets in git history is a recognized attack vector in red-team and penetration testing engagements. Tools like truffleHog, gitleaks, and git-secrets automate the process of scanning repositories for high-entropy strings and known secret patterns across the entire commit graph.
This challenge only needs
git log; the commit is reachable fromHEAD. In more complex scenarios secrets can also live ingit stashentries, deleted branches (accessible viagit reflog), or orphaned commits that were never merged, all of which retain data even after the working tree looks clean.For defenders, the lesson is: treat your git history as public the moment any commit touches a remote. Use pre-commit hooks (e.g.,
detect-secrets) to block secrets from being committed in the first place, and rotate any credential that has ever appeared in a commit message or diff.
Flag
Reveal flag
picoCTF{t1m3m@ch1n3_b476...}