306 words
2 minutes
πŸ”πŸ•΅οΈ PicoGym - Mr-Worldwide
2025-11-22
Cryptography πŸ”
PicoGym

πŸ“‚ Download challenge file.

Description: A musician left us a message. What’s it mean?
Difficulty: Medium
Author: speeeday/Danny

Summary#

This challenge hides a message inside a series of GPS coordinates formatted inside picoCTF{...}.
By identifying the locations and taking the first letter of each city, we can reconstruct the final flag.

Analysis#

We are provided with the file message.txt :

Terminal window
$ file message.txt
message.txt: ASCII text, with no line terminators

Its contents are:

picoCTF{(35.028309, 135.753082)(46.469391, 30.740883)(39.758949, -84.191605)(41.015137, 28.979530)(24.466667, 54.366669)(3.140853, 101.693207)_(9.005401, 38.763611)(-3.989038, -79.203560)(52.377956, 4.897070)(41.085651, -73.858467)(57.790001, -152.407227)(31.205753, 29.924526)}

At first glance, this clearly resembles a list of latitude/longitude GPS coordinates wrapped inside picoCTF{}.

I’ll extract only the coordinates to make the data easier to read and analyze:

(35.028309, 135.753082)
(46.469391, 30.740883)
(39.758949, -84.191605)
(41.015137, 28.979530)
(24.466667, 54.366669)
(3.140853, 101.693207)
_
(9.005401, 38.763611)
(-3.989038, -79.203560)
(52.377956, 4.897070)
(41.085651, -73.858467)
(57.790001, -152.407227)
(31.205753, 29.924526)

What places do these GPS coordinates point to?#

The underscore _ appears to separate two words, meaning:

  • The first group of coordinates β†’ first word
  • The second group β†’ second word

The next step is to reverse-lookup each coordinate using tools like:

Identifying the locations#

Now I’ll plug each coordinate into Google Maps and note the city.

Example lookup :

first

35.028309, 135.753082 β†’ Kyoto, Japan.

Proceeding similarly, the coordinates resolve to:

  • (35.028309, 135.753082) β†’ Kyoto, Japan
  • (46.469391, 30.740883) β†’ Odesa, Ukraine
  • (39.758949, -84.191605) β†’ Dayton, USA
  • (41.015137, 28.979530) β†’ Istanbul, Turkey
  • (24.466667, 54.366669) β†’ Abu Dhabi, UAE
  • (3.140853, 101.693207) β†’ Kuala Lumpur, Malaysia

Then after the underscore:

  • (9.005401, 38.763611) β†’ Addis Ababa, Ethiopia
  • (-3.989038, -79.203560) β†’ Loja, Ecuador
  • (52.377956, 4.897070) β†’ Amsterdam, Netherlands
  • (41.085651, -73.858467) β†’ Sleepy Hollow, USA
  • (57.790001, -152.407227) β†’ Kodiak, USA
  • (31.205753, 29.924526) β†’ Alexandria, Egypt

Now we look for a pattern. A common trick in these kinds of challenges is to take the first letter of each city:

First group:

  • Kyoto
  • Odesa
  • Dayton
  • Istanbul
  • Abu Dhabi
  • Kuala Lumpur

β†’ KODIAK

Second group:

  • Addis Ababa
  • Loja
  • Amsterdam
  • Sleepy Hollow
  • Kodiak
  • Alexandria

β†’ ALASKA

So the hidden message is:

KODIAK_ALASKA
⚑ Raikiri

πŸŽ‰ Flag pwned!

Final flag#

picoCTF{KODIAK_ALASKA}
πŸ’‘ TL;DR / Lesson Learned

Location-based puzzles usually hide words in the initials of cities.
Map the coordinates, take the first letters, and the message appears.

πŸ” PicoGym - La Cifra De
πŸ” PicoGym - rail-fence
Β© 2026 Keshav Locknauth Β· 0xkakashi