Big Zip picoGym Exclusive Solution

Published: March 5, 2024

Description

Unzip this archive and find the flag.

Download the provided archive and unzip it somewhere you can recurse through easily.

Keep a terminal ready with grep/awk so you can interrogate thousands of files quickly.

bash
wget https://artifacts.picoctf.net/c/503/big-zip-files.zip && \
unzip big-zip-files.zip && \
rm big-zip-files.zip

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Fan out with grep
    Observation
    I noticed the archive contained thousands of files across deeply nested subdirectories, which made manual inspection hopeless, but the flag always starts with the literal string 'picoCTF{', suggesting a single recursive content search would locate it immediately.
    Recursively search for the picoCTF prefix; the archive is too large to inspect manually, but grep cuts straight to the hits.
    bash
    grep -R pico

    Expected output

    big-zip-files/files/s/e/archiver/s2/d3/3/z7/c/e9/b/archiver.txt:./files/s2/d3/3/z7/c/e9/b/archiver.txt:picoCTF{gr3p_15_m4g1c_ef87...}
    Pipe the results into other text utilities if you want to isolate the final word on each line.
    What didn't work first

    Tried: Run 'grep pico' without the -R flag, pointing it at the top-level directory name.

    Without -R (or -r), grep treats its argument as a single file rather than a directory tree. It returns 'Is a directory' or silently produces no output, depending on the version. The flag adds the recursive descent that makes grep visit every file in every subdirectory automatically.

    Tried: Use 'find . -name "*flag*"' to locate the file by name instead of by content.

    The archive deliberately gives files generic names like archiver.txt with no reference to 'flag' anywhere in the path. A filename search returns nothing useful. Content-based search with grep is required because the flag string is only inside the file, not in its name.

    Learn more

    grep (Global Regular Expression Print) is a Unix command-line tool that searches file contents for lines matching a pattern. The -R flag makes it recurse through every file in a directory tree, which is the key capability here - instead of opening thousands of files by hand, a single command scans all of them simultaneously.

    When dealing with archives containing a very large number of files, manual inspection is impractical. Recursive grep is the standard approach: it reads every file in the tree and prints only the lines (and filenames) that match. The pattern pico is intentionally broad - it catches the picoCTF{ prefix no matter which subdirectory or filename the flag is hiding in.

    This skill applies directly to real-world security investigations: incident responders use recursive search tools to find indicators of compromise (malicious strings, backdoor signatures, hardcoded credentials) across thousands of files on a compromised system. Learning to combine grep with other tools in a pipeline is one of the most transferable skills in the field.

  2. Step 2
    Trim the noise
    Observation
    I noticed the raw grep output included full file paths and surrounding text alongside the flag token, which made it hard to read and would make automated extraction unreliable, suggesting I should pipe the output through a regex or text tool to isolate exactly the picoCTF{...} portion.
    Every hit prints a full path plus surrounding text. Use additional tools to strip away the file path and metadata so the raw flag remains.
    bash
    grep -R pico | grep -oE 'picoCTF\{.*\}' --color=none
    bash
    grep -R pico | sed 's/.* //g'

    Expected output

    picoCTF{gr3p_15_m4g1c_ef87...}
    What didn't work first

    Tried: Use 'grep -R pico -l' to get just the filename, then cat that file and visually locate the flag.

    The -l flag lists only filenames, which does narrow the search to one file. However, the matching line inside that file still contains the full path prefix and surrounding text, so the flag is buried in noise. Piping directly with -oE and a regex extracts only the token in one step without the manual inspection.

    Tried: Try 'grep -R pico | awk "{print $NF}"' to grab the last whitespace-delimited field.

    The output line format is 'filename:path:flagtoken', so the colon is the actual delimiter, not whitespace. awk's default field splitter produces a single field containing the entire line. Using sed 's/.* //g' works because the path and flag are separated by a space in the grep output, while awk without -F ':' splits on the wrong boundary.

    Learn more

    When grep finds a match inside a file, it outputs the filename followed by a colon and the entire matching line. In a large archive the noise can make the actual flag hard to read. The -o flag tells grep to print only the matching portion of each line, and -E enables extended regex so you can write patterns like picoCTF\{.*\} to isolate precisely the token you need.

    sed (Stream EDitor) is a Unix tool for transforming text. The substitution s/.* //g replaces everything up to and including the last space on each line with nothing - a quick way to strip a path prefix. Both approaches demonstrate the Unix philosophy: each tool does one thing, and they compose naturally through pipes.

    Regex fluency is essential for text extraction in CTF challenges and professional security work alike. Patterns like picoCTF\{.*\} are simple examples of the same greedy extraction patterns used to pull sensitive data (tokens, passwords, API keys) from log files, memory dumps, and network captures during real investigations.

  3. Step 3
    Record the flag
    Observation
    I noticed the extracted token was already in the standard picoCTF{...} format with no additional encoding or transformation applied, which confirmed that copying it directly was the final step.
    Once only the picoCTF token remains, copy it out and you are done; no further decoding is necessary.
    Learn more

    In many CTF challenges the flag is encoded, encrypted, or otherwise transformed. In this case, however, the flag is stored as plain text inside one of the archive's files - the only challenge is locating it among thousands of candidates. The fact that no decoding is required is itself an important lesson: always determine first whether data is encoded before spending time trying to reverse a transformation that was never applied.

    The broader skill being reinforced here is efficient file-system search. In professional contexts - malware triage, log analysis, code review - the ability to quickly locate a specific string across a large corpus separates experienced practitioners from novices. Tools like grep, ripgrep (rg), and ack are all worth adding to your toolkit, each with different performance and feature tradeoffs.

Interactive tools
  • File Magic IdentifierIdentify file types from magic numbers. Paste hex bytes or drop a file to detect PNG, JPEG, ZIP, PDF, ELF, PCAP, SQLite, and dozens of other formats.
  • Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
  • Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.

Flag

Reveal flag

picoCTF{gr3p_15_m4g1c_ef87...}

Any recursive grep that isolates the final token reveals the exact flag as stored inside the archive.

Key takeaway

When a flag is hidden as plaintext among thousands of files, recursive content search with grep -R finds it in one command instead of opening files by hand, and grep -oE with a regex isolates just the token from the surrounding path noise. Always check first whether data is even encoded before trying to reverse a transformation that was never applied. The same recursive-search reflex underlies real incident response, where grep, ripgrep, and ack locate indicators of compromise across a whole filesystem.

Related reading

Want more picoGym Exclusive writeups?

Useful tools for General Skills

What to try next