picoCTF Solutions
picoCTF 2026General SkillsEasy

Piece by Piece picoCTF 2026 Solution

Published: March 20, 2026

Description

After logging in, you will find multiple file parts in your home directory. These parts need to be combined and extracted to reveal the flag.

Setup

Launch the challenge instance and SSH in.

List files in the home directory to see the split archive parts.

bash
ls -la
bash
file *

Solution

Walk me through it
  1. Step 1SSH in and list the file parts
    Log into the challenge instance via SSH. Your home directory contains multiple numbered split-archive parts (e.g. file.zip.001, file.zip.002, ... or file.aa, file.ab, ...).
    bash
    ssh ctf-player@<HOST> -p <PORT_FROM_INSTANCE>
    bash
    ls -la
    bash
    file *
    Learn more

    Split archives are a technique for dividing large files into smaller chunks for transfer over media with size limits, email attachments, or slow connections. The original file is split into numbered parts that must be reassembled in order before extraction. Common formats include .zip.001/.zip.002 (WinZip split), .part1.rar/.part2.rar (WinRAR split), or alphabetical suffixes from the Unix split command (file.aa, file.ab, ...).

    The file command reads a file's magic bytes (the first few bytes of the file) to determine its true type regardless of its extension. This is essential in CTF challenges where files may have misleading names or no extension. For example, a file named data.bin might actually be a ZIP archive (magic bytes PK\x03\x04), a gzip stream (magic bytes \x1f\x8b), or a PNG image (\x89PNG).

    Understanding file magic bytes is a foundational forensics skill. Tools like file, xxd, and binwalk all use magic byte databases to identify file types, and this knowledge lets you choose the correct extraction tool even when extensions are wrong or missing.

  2. Step 2Combine all parts
    Concatenate the parts in deterministic sort order. Always verify the glob expansion before piping into cat - a wrong order produces a corrupt archive that fails to extract.
    bash
    # Always check what the glob expands to first:
    bash
    ls -v *part* *.zip.* *.a? 2>/dev/null
    bash
    # Numbered .zip parts:
    bash
    cat *.zip.* > /tmp/combined.zip
    bash
    # Letter-suffixed (split default):
    bash
    cat *.a? > /tmp/combined.zip
    bash
    # RAR-style multi-part - tighten the glob to exclude unrelated files:
    bash
    cat *part*.rar > /tmp/combined.rar
    bash
    # When you really need natural sort (e.g. part1, part2, ..., part10):
    bash
    cat $(ls -v *part*) > /tmp/combined
    bash
    file /tmp/combined*
    Learn more

    The Unix cat command (concatenate) is the correct tool for reassembling split binary files. Since binary archives have their own internal structure with an end-of-archive marker, simply concatenating the parts in sorted order produces a valid archive that extraction tools can parse. Shell glob expansion (*.zip.*) sorts alphabetically/numerically by default, which is the correct order for numbered parts.

    Sort order matters critically. If parts are concatenated out of order, the resulting file will be corrupt and unextractable. For parts with numeric suffixes, ensure the sort is numeric: 001, 002, 003, ..., 009, 010 rather than 001, 010, 002 (lexicographic order). The glob *.zip.* sorts correctly because the numeric suffix is zero-padded.

    For more complex reassembly scenarios, tools like cat $(ls -v *.part) (using ls -v for natural sort), or explicit cat part1 part2 part3 > combined, give you full control over the concatenation order.

  3. Step 3Extract the archive
    Identify the combined file type with file and extract it with the matching tool. Fall back to binwalk -e only if the standard tools refuse the file (e.g. unzip says 'not a valid archive' but file shows zip-ish magic bytes).
    bash
    file /tmp/combined*
    bash
    cd /tmp && unzip combined.zip
    bash
    # Password-protected ZIP - try a few common ones:
    bash
    unzip -P picoCTF combined.zip
    bash
    # tar/gz/xz/bz2:
    bash
    tar xf combined || gunzip combined.gz || unxz combined.xz
    bash
    # Last resort: scan for embedded archives if the standard tools fail:
    bash
    binwalk -e combined.zip
    Learn more

    Common archive formats and their extraction commands: unzip for ZIP files, tar xf for tar archives (which auto-detects gz/bz2/xz compression), 7z x for 7-Zip archives, unrar x for RAR files, and gunzip/bunzip2/unxz for single-stream compressed files.

    Password-protected archives are common in CTF challenges. Standard passwords to try include picoCTF, password, flag, the challenge name, and variations. If those fail, tools like john with zip2john/rar2john or hashcat can crack the password. ZIP encryption (ZipCrypto) is particularly weak and can be cracked even without a password if you know the contents of one file in the archive (known-plaintext attack).

    For layered archives (a tar inside a zip inside a gz), you may need to run multiple extraction steps. binwalk -e can automatically extract nested archives - it scans for file signatures within files and extracts everything it finds.

  4. Step 4Read the flag
    Catalogue everything that came out before grepping. The flag may be in the filename, in binary data, or in a file that doesn't have a .txt extension.
    bash
    ls /tmp/
    bash
    # First triage what you got - types and any hints in filenames:
    bash
    file /tmp/*
    bash
    ls /tmp/ | grep -iE 'flag|pico'
    bash
    # Search across both text and binary:
    bash
    strings /tmp/* 2>/dev/null | grep -E 'picoCTF\{[^}]+\}'
    bash
    # As a fallback, the bare grep across all extracted files:
    bash
    grep -roa 'picoCTF{[^}]*}' /tmp/ 2>/dev/null
    Learn more

    After extraction, the flag is typically in a file named flag.txt, flag, or a similarly obvious name, but not always. Run file * over the extracted set first - a binary or an image among the outputs is a strong hint that the flag is embedded somewhere non-obvious. strings * | grep picoCTF handles binary data; if even that fails, walk the files with xxd and look for fragmented or encoded flags.

    CTF flags sometimes appear in unexpected places: as the filename itself, embedded in an image (check with strings), inside binary data (check with xxd | grep -a pico), or hidden behind one more decoding step (base64, hex, ROT13). For more on hex-level inspection see Hex dumps for CTF; for the general shell toolkit used here see Linux CLI for CTF.

    This challenge teaches a workflow that appears frequently in forensics and incident response: receiving a collection of file fragments, reassembling them, extracting the archive, and searching the contents. The same sequence is used to recover data from split disk dumps, fragmented network transfers, and distributed backups.

Flag

picoCTF{p13c3_by_p13c3_...}

SSH into the server, find the numbered split-archive parts in home directory, combine with `cat *.zip.*`, extract with unzip, and read the flag file.

Want more picoCTF 2026 writeups?

Browse picoCTF 2026Full library

Useful tools for General Skills

Related reading

What to try next