MY GIT | picoCTF 2026 Solutions

Description

I have built my own Git server with my own rules!

Setup

Launch the challenge instance and note the Git server URL and port.

You'll need git installed locally.

Solution

Step 1Clone the repository
Clone the custom Git server's repository and enter the directory.
git clone http://<HOST>:<PORT_FROM_INSTANCE>/repo.git
cd repo
Step 2List all remote refs
Use git ls-remote to enumerate every ref the server exposes — including custom namespaces that are hidden from normal clone.
git ls-remote origin
Step 3Fetch custom namespaces
The server hides the flag inside non-standard ref namespaces. Fetch each one explicitly: refs/hidden/*, refs/secret/*, and refs/flag/*.
git fetch origin 'refs/hidden/*:refs/hidden/*'
git fetch origin 'refs/secret/*:refs/secret/*'
git fetch origin 'refs/flag/*:refs/flag/*'
git for-each-ref --format='%(refname) %(objectname)' | head -40
Step 4Enumerate all branches and tags
Check every branch and tag for flag content in commit messages, file contents, and diffs.
git branch -a
git tag -l
git log --all --oneline
git log --all -p | grep -A2 picoCTF
Step 5Check stash, notes, reflog, and dangling objects
Look in git stash, notes, reflog, and dangling (unreachable) objects for any hidden content.
git stash list
git notes list
git reflog
git fsck --unreachable 2>&1 | grep blob
git fsck --lost-found
ls .git/lost-found/other/
cat .git/lost-found/other/<hash>
Step 6Inspect .git/config and working directory
Check the git config for unusual settings and scan all working directory files for the flag.
cat .git/config
find . -type f | xargs grep -l picoCTF 2>/dev/null

Flag

picoCTF{g1t_...}

The flag is hidden in a non-standard git ref namespace (refs/hidden/*, refs/secret/*, or refs/flag/*) on the custom Git server. Use git fetch with explicit refspecs and git for-each-ref to enumerate all refs.