Log Hunt

Published: April 2, 2026

Description

A server log file has a flag fragmented across multiple lines. Find and reassemble the pieces.

Download the log file from the challenge page.

Solution

  1. Step 1: Search for flag fragments
    Use grep to list every line that mentions picoCTF. Each matching line may hold only one piece of the flag, with the rest spread over other entries.
    grep -i 'picoCTF' server.log

    grep scans a file line by line and prints every line that matches a pattern. The -i flag makes the match case-insensitive, catching variations like PICOCTF, picoctf, or mixed case; adding -n prints each hit with its line number, which records the order in which the fragments appear. Case-insensitive matching also surfaces lines that merely mention the word, so inspect the hits rather than assuming each one is part of the flag. In large log files with thousands of lines, grep reduces the search space from the full file to only the relevant matches in milliseconds.

    Log files are structured text files where each line typically represents one event: a timestamp, severity level, source, and message. CTF challenges use log files as a forensic artifact - the flag may appear as part of a simulated HTTP request, an error message, a database query result, or split across multiple events. Understanding the log format first helps determine how fragments are separated.

    For more complex log analysis, tools like awk, sed, jq (for JSON logs), or dedicated log analysis platforms (Splunk, Elasticsearch) provide richer filtering and transformation capabilities. In security operations, log analysis is the primary method for detecting intrusions and reconstructing attacker activity.

  2. Step 2: Extract and join all fragments
    Use Python's re.findall to collect the text that follows the flag prefix in every fragment. Join the collected pieces in order, put the prefix in front once, and append the closing brace.
    python3 -c "
    import re
    data = open('server.log').read()
    # Capture only the text after the prefix, stopping at a closing brace
    # or at the end of the line so one match never spans several entries.
    frags = re.findall(r'picoCTF\{([^}\n]+)', data)
    print(frags)
    # Every match carried the prefix, so add it exactly once, then close the brace.
    print('picoCTF{' + ''.join(frags) + '}')
    "

    re.findall(pattern, string) returns a list of all non-overlapping matches of the pattern in the string, in document order. When the pattern contains one capturing group, findall returns only the text of that group, so picoCTF\{([^}\n]+) yields each fragment's payload without the picoCTF{ prefix or the brace.

    Key elements of this pattern: [^}\n] is a negated character class matching any character except a closing brace or a newline, and + means one or more occurrences. Together they greedily capture everything from the prefix to the first } on that line, or to the end of the line if the brace is missing from the fragment. Excluding the newline matters because the whole file is read into one string: a plain [^}]+ would run past the end of the entry and swallow every following line up to the first } anywhere in the file. If a fragment is followed by other text on the same line, tighten the class to [^}\s]+, since picoCTF flags contain no whitespace.

    The join() step concatenates the captured payloads into a single string; the prefix is then added once in front and } closes the flag. Joining the raw matches instead would repeat picoCTF{ for every fragment after the first. If the fragments are sequential pieces of the flag (each log line contains the next portion), joining them in document order reassembles the complete flag. Always verify the result looks like a flag - if fragments overlap, are out of order, or are duplicated across entries, sort or deduplicate them first, for example by the entry timestamp or by an index the log attaches to each piece.
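Steps 1 and 2 carried through in one script, as an added example that is not part of the original writeup. The log below is constructed for illustration, and the flag value, the timestamp format and the function names are assumptions. The script mirrors grep -in with a case-insensitive candidate listing, extracts each fragment's payload with a capturing group that stops at a brace, whitespace or end of line, then orders the pieces by entry timestamp before adding the prefix once and checking the result against the full flag shape. It goes beyond the page's version by sorting on the timestamp rather than on file order, which matters when entries were written out of sequence, and by rejecting a result that does not look like a flag.

```python
import re
from datetime import datetime

# Constructed sample log (not the challenge file): three flag fragments are
# spread over separate entries, each repeats the picoCTF{ prefix, the entries
# are not in timestamp order, and one line merely mentions the word picoctf.
# The flag value is made up for this example.
SAMPLE_LOG = """\
2026-04-02T10:00:01Z INFO  nginx GET /index.html 200
2026-04-02T10:00:03Z WARN  app   unexpected value in form field: picoCTF{l0g_
2026-04-02T10:00:02Z INFO  nginx GET /search?q=picoctf+writeups 200
2026-04-02T10:00:07Z ERROR db    constraint violated by input 'picoCTF{hunt3r}'
2026-04-02T10:00:05Z DEBUG app   cache key picoCTF{fr4gment_
2026-04-02T10:00:09Z INFO  nginx GET /robots.txt 200
"""

PREFIX = "picoCTF{"
# Payload after the prefix, stopping at a closing brace, whitespace or end of
# line, so a match never runs on into the next log entry or trailing text.
FRAGMENT_RE = re.compile(r"picoCTF\{([^}\s]+)")
# Assumed entry format: an ISO-8601 UTC timestamp at the start of each line.
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")


def candidate_lines(log_text):
    """Equivalent of grep -in 'picoctf': (line number, line) for every hit."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if "picoctf" in line.lower()]


def extract_fragments(log_text):
    """Return (timestamp, payload) for each fragment, in file order."""
    found = []
    for line in log_text.splitlines():
        ts_match = TIMESTAMP_RE.match(line)
        if not ts_match:
            continue  # skip entries without a parsable timestamp
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%dT%H:%M:%S")
        for payload in FRAGMENT_RE.findall(line):
            found.append((ts, payload))
    return found


def reassemble(fragments):
    """Order fragments by timestamp, add the prefix once, close the brace."""
    ordered = [payload for _, payload in sorted(fragments, key=lambda f: f[0])]
    flag = PREFIX + "".join(ordered) + "}"
    # Sanity check: exactly one prefix, one closing brace, no whitespace.
    if not re.fullmatch(r"picoCTF\{[^{}\s]+\}", flag):
        raise ValueError("reassembled value does not look like a flag: " + flag)
    return flag


if __name__ == "__main__":
    for n, line in candidate_lines(SAMPLE_LOG):
        print(f"{n}: {line}")
    frags = extract_fragments(SAMPLE_LOG)
    print(frags)
    print(reassemble(frags))
```

The candidate listing still shows the search-request line, which only mentions the word in lowercase; the case-sensitive fragment pattern ignores it, which is why the grep step is for triage and the regex step is for extraction. Sorting on the parsed timestamp rather than on file order reorders the piece logged at 10:00:05 ahead of the one logged at 10:00:07 even though it appears later in the file.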

Flag

picoCTF{...}

Logs often contain partial strings spread across multiple entries - regex extraction with findall collects all non-overlapping matches in document order, making reassembly straightforward.

Want more picoMini by CMU-Africa writeups?
