PicoCTF 2023 challenge: Repetition
Figure 1: The challenge description

This challenge starts off with an encoded file, “enc_flag” which was downloaded with wget into Kali Linux Virtual Machine.

Inspection of enc_flag’s contents shows it to a piece of encoded string, consisting of a mix of Upper case letters, lower case letters and integers.

At a quick glance, the string does not start with 0x, it contains lower case letters as well as upper case letters beyond F in the alphabet. Therefore it is certainly not some numeric value like hexadecimal but resembles ASCII characters. Most notably, the piece of string ending in == could be indicative of base64 encoding.

Further reading from base64encoder confirms this and explains that a double == instead of single = means the last chunk of the message is exactly 16 bits. [1]

Hence ASCII decoding was performed on the message using bash command.

echo -e <string> | base64 -d
Figure 1: 1st base64 decoding iteration.

This did not convert the message into any recognizable English. It may be that a different encoding was used but the clues in the hint suggests a different reason. The wording was “multiple decoding” with no mention of different decoding schemes stacked together.

Hence the next step is to take the output of this decoding as input to a second iteration of decoding, then doing this repetitively till it becomes legible English. To prevent wasting time if this is the wrong approach, I will run no more than 10 iterations.

Figure 2: 2nd base64 decoding iteration.
Figure 3: 3rd base64 decoding iteration.
Figure 4: 4th base64 decoding iteration.
Figure 5: 5th base64 decoding iteration.

Upon the 5th iteration, the output has shown the flag.


[1] “What is Base64 Encoding and How does it work?,”

Hello World!

I can think of no better way to start this journey from an origin of gratitude. I am privileged to have been selected for the Upskill in Cyber 2022 UK program which allowed me to acquire the highly sought after GIAC certifications (GFACT and GSEC) in the cybersecurity industry, free of cost.

However, it wasn’t just about the certifications. My horizon had been broadened to a vast ocean of knowledge and rich history. I had been introduced into the community and now find myself venturing further and further into a brave new world.

I am therefore super grateful for the Upskill in Cyber program’s coordinators, as well as the ultra helpful mentors and student peers, whom have provided timely and extreme generosity of domain expertise during my studies. They truly are the determining factors that brings inclusiveness and human touch to the course experience. As such I’d highly recommend any UK youths with a curiosity for cybersecurity and coding like myself to give it a go and get on the Upskill in Cyber scheme!

Alongside them, I’d also like to give my thanks to Rothamsted Research Institute’s Computational and Analytical Sciences Department for my first foray into the world of technology in a bioinformatics Year in Industry during my university studies, for showing me a whole realm different to my previous background in biological sciences.

Next Steps

The RSA conference, “How the Best Hackers Learn their Craft” hosted in 2018, had emphasized the usefulness in solving patterns of larger problems when it comes to enhancing problem-solving skills. For cybersecurity professionals, this would be Capture The Flag competitions.

Hence, I believe the next stage to undertake would be the PicoCTFs of 2023. I will update this blog after the competition is over and permission for write-ups are granted.