Description
Unzip this archive and find the flag.
Download the provided archive and unzip it somewhere you can recurse through easily.
Keep a terminal ready with grep/awk so you can interrogate thousands of files quickly.
wget https://artifacts.picoctf.net/c/503/big-zip-files.zip && \
unzip big-zip-files.zip && \
rm big-zip-files.zip
Solution
- Step 1: Fan out with grep
Recursively search for the picoCTF prefix; the archive is too large to inspect manually, but grep cuts straight to the hits.
grep -R pico
Pipe the results into other text utilities if you want to isolate the final word on each line.
Learn more
grep (Global Regular Expression Print) is a Unix command-line tool that searches file contents for lines matching a pattern. The -R flag makes it recurse through every file in a directory tree, which is the key capability here - instead of opening thousands of files by hand, a single command scans all of them in one pass.
When dealing with archives containing a very large number of files, manual inspection is impractical. Recursive grep is the standard approach: it reads every file in the tree and prints only the lines (and filenames) that match. The pattern pico is intentionally broad - it catches the picoCTF{ prefix no matter which subdirectory or filename the flag is hiding in.
This skill applies directly to real-world security investigations: incident responders use recursive search tools to find indicators of compromise (malicious strings, backdoor signatures, hardcoded credentials) across thousands of files on a compromised system. Learning to combine grep with other tools in a pipeline is one of the most transferable skills in the field.
- Step 2: Trim the noise
Every hit prints a full path plus surrounding text. Use additional tools to strip away the file path and metadata so the raw flag remains.
grep -R pico | grep -oE 'picoCTF\{.*\}' --color=none
grep -R pico | sed 's/.* //g'
Learn more
When grep finds a match inside a file, it outputs the filename followed by a colon and the entire matching line. In a large archive the noise can make the actual flag hard to read. The -o flag tells grep to print only the matching portion of each line, and -E enables extended regex so you can write patterns like picoCTF\{.*\} to isolate precisely the token you need.
sed (Stream EDitor) is a Unix tool for transforming text. The substitution s/.* //g replaces everything up to and including the last space on each line with nothing - a quick way to strip a path prefix. Both approaches demonstrate the Unix philosophy: each tool does one thing, and they compose naturally through pipes.
Regex fluency is essential for text extraction in CTF challenges and professional security work alike. Patterns like picoCTF\{.*\} are simple examples of the same greedy extraction patterns used to pull sensitive data (tokens, passwords, API keys) from log files, memory dumps, and network captures during real investigations.
- Step 3: Record the flag
Once only the picoCTF token remains, copy it out and you are done; no further decoding is necessary.
Learn more
In many CTF challenges the flag is encoded, encrypted, or otherwise transformed. In this case, however, the flag is stored as plain text inside one of the archive's files - the only challenge is locating it among thousands of candidates. The fact that no decoding is required is itself an important lesson: always determine first whether data is encoded before spending time trying to reverse a transformation that was never applied.
The broader skill being reinforced here is efficient file-system search. In professional contexts - malware triage, log analysis, code review - the ability to quickly locate a specific string across a large corpus separates experienced practitioners from novices. Tools like grep, ripgrep (rg), and ack are all worth adding to your toolkit, each with different performance and feature tradeoffs.
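A tighter variant of the Step 2 extraction, added here as an example and not part of the original write-up: it does the recursion and the trimming in one grep call, reads binary files as text, and uses [^}]* instead of the greedy .* so two tokens on one line are not merged into a single match. The function names and the sample directory tree are constructed for illustration; it assumes a grep that supports -R, -o and -a.

```shell
#!/bin/sh
# Added example: hypothetical helper names, constructed sample data.

# Print each unique PREFIX{...} token found anywhere under DIR.
find_tokens() {
    dir=$1
    prefix=${2:-picoCTF}
    # -R recurse, -h omit file names, -o print only the match,
    # -a read binary files as text instead of reporting "Binary file matches",
    # -E extended regex. [^}]* stops at the first closing brace, so two
    # tokens on one line are reported separately (.* would span both).
    grep -RhoaE -- "${prefix}\{[^}]*\}" "$dir" | sort -u
}

# Same search, but keep file name and line number for every hit.
locate_tokens() {
    dir=$1
    prefix=${2:-picoCTF}
    grep -RnoaE -- "${prefix}\{[^}]*\}" "$dir"
}

# Build a small constructed tree to search (not the challenge archive).
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/a/b" "$root/c"
    printf 'nothing to see here\n' > "$root/a/one.txt"
    printf 'the word pico and picoCTF without braces\n' > "$root/a/b/two.txt"
    printf 'x picoCTF{constructed_1} y picoCTF{constructed_2} z }\n' > "$root/c/three.txt"
    printf '\000\001 picoCTF{constructed_1} \000\n' > "$root/c/blob.bin"
    printf '%s\n' "$root"
}

tree=$(make_sample_tree)
echo "unique tokens:"
find_tokens "$tree"
echo "hits with location:"
locate_tokens "$tree"
rm -rf "$tree"
```
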
Flag
picoCTF{gr3p_15_m4g1c_ef87...}
Any recursive grep that isolates the final token reveals the exact flag as stored inside the archive.