June 22, 2026
Writeup for CyLab/picoCTF challenge “Obedient Cat”
Walter Moar
Learn how CyLab's "Obedient Cat" challenge teaches the basics of the Linux terminal, uses wget to download a file, and cat to read its contents.
This writeup gives a step-by-step explanation of the CyLab Security Academy challenge "Obedient Cat". The best learning experience comes from working through the challenge alone, but read on if you're stuck or are curious about other approaches.
CyLab Security Academy (previously called "picoCTF") uses Capture The Flag (CTF) security challenges to teach security fundamentals. The challenges cover various security categories (web exploitation, cryptography, forensics, etc.) but they all share the goal of finding a flag in the format picoCTF{unique-text-string-here}. Some challenges are easy and others deviously difficult, but they are all great for learning security skills.
About the "Obedient Cat" Challenge
This is a beginner challenge, and it can be solved by anyone with a few technical skills that will be explained in the writeup.
- Name: Obedient Cat
- Category: General Skills
- Difficulty: Easy
- Description: This file has a flag in plain sight (aka "in-the-clear").
- Hint 1: Any hints about entering a command into the Terminal (such as the next one), will start with a '$'… everything after the dollar sign will be typed (or copy and pasted) into your Terminal.
- Hint 2: To get the file accessible in your shell, enter the following in the Terminal prompt: $ wget and a link to the flag. The link can be copied from the details section.
- Hint 3: $ man cat
This challenge has hints mentioning "wget" and "cat", so it probably involves downloading a file and then viewing its contents.
Background Knowledge
To solve this challenge it helps to understand:
- How the Linux terminal works, and the basics of navigating the file system. To learn more, please read the article "CTF Basics: Understanding the Linux Terminal"
If the above are new concepts, it's good to first get a solid understanding by reading the article. The walkthrough below covers these topics but it does not go into detail.
Understanding Hint 1: The Terminal
It's important to always understand what the hints are saying. The first hint mentions the terminal, and (again) it's recommended to first read "CTF Basics: Understanding the Linux Terminal".
Since not everyone has a Linux computer at home, CyLab provides the WebShell, which is a browser-based terminal using the Ubuntu flavour of Linux. The WebShell is accessed through the Open in Workspace button:
Once the Workspace is open, the "Terminal" tab accesses the Linux terminal (or "shell"):
The terminal / shell is an important lower-level tool for working with all computers, including Linux servers.
Understanding Hint 2: wget
The second hint for this challenge mentions the wget command:
To get the file accessible in your shell, enter the following in the Terminal prompt: $ wget and a link to the flag. The link can be copied from the details section.
The link in the details section is in the description for the challenge:
Browsers usually have a way to copy links, and in the Firefox browser this is done by right-clicking the flag link and choosing the Copy Link menu item:
Now, going back to the WebShell, type in wget, a space, and then right-click the WebShell window and choose Paste:
After pasting, it should look like:
Note that part of the URL has been (overcautiously) pixelated, in case it is some sort of user-specific value.
So now the wget command is given the URL argument to download the file. Pressing the enter key:
There is a lot going on here, but the most important thing is that a file named flag has been saved. This finishes off the steps for the second hint.
Understanding Hint 3: cat
The third and last hint simply says:
$ man cat
The Linux man command is used to display the user manual. So typing man cat into the terminal will display the user manual for the cat command:
Although this seems like a lot of text, it's actually a very small man page. Man pages for complex commands read more like books than "pages", but cat is fairly simple. The EXAMPLES section shows some example usage, which is often helpful. cat can take one or more file names as arguments, and outputs their contents, which typically means that it prints them to the terminal window.
Giving this a try, type cat for the command, then a space to separate it from what follows, then the name of the file to display, such as flag. Pressing the enter key to run the command:
The flag is intentionally hidden in this screenshot. Publishing flags spoils the learning experience, as working through the steps is the best way to learn. To finish this challenge, highlight the value of the flag and then use the browser's Copy function:
Finally, paste it into the flag box at the bottom of the challenge, and then click the Submit button:
Security Weaknesses Demonstrated
This challenge demonstrates common security weaknesses that appear in real-world applications. Understanding these weaknesses helps both in identifying vulnerabilities and in building more secure systems.
CWE-219: Storage of File with Sensitive Data Under Web Root
The flag in this challenge is a plain text file stored in a publicly accessible web directory, downloadable by anyone who knows the URL. This is CWE-219: Storage of File with Sensitive Data Under Web Root. The web root is a public space by default, and any file placed there can be retrieved directly through a browser or a tool like wget, with no login or special access required. In a real application, sensitive files such as database files, configuration files containing credentials, or log files should never be stored inside the web root. The correct defense is to keep sensitive files in directories the web server cannot serve, and to audit the web root regularly for files that should not be publicly accessible.
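The web root audit recommended above can be scripted. The following is an added example, not part of the original challenge or writeup: it checks file names and then file contents, because a file named simply flag (as in this challenge) has no telling extension. The function names, the name and content patterns, and the sample files are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for files that should not be served.
# Name and content patterns are illustrative assumptions; tune them per site.

audit_webroot() {
    webroot=$1
    [ -d "$webroot" ] || { echo "not a directory: $webroot" >&2; return 2; }
    {
        # Pass 1: names that suggest databases, credentials, logs, keys, backups.
        find "$webroot" -type f \( \
            -name '*.sql' -o -name '*.sqlite' -o -name '*.db' \
            -o -name '.env' -o -name '*.log' -o -name '*.bak' \
            -o -name '*.pem' -o -name '*.key' -o -name '.htpasswd' \
        \) -print
        # Pass 2: contents. The challenge file is just called "flag", so a
        # name check alone misses it; look for secret-looking text instead.
        find "$webroot" -type f -exec grep -liE \
            'picoCTF\{|BEGIN [A-Z ]*PRIVATE KEY|(password|secret)[[:space:]]*[=:]' \
            {} + || true
    } | sort -u
}

# Number of findings; non-zero is a reason to fail a pre-deploy check.
count_findings() {
    audit_webroot "$1" | wc -l | tr -d ' '
}

# Constructed sample web root (not real data) to exercise the audit.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/css" "$d/backup"
    echo '<h1>hello</h1>'               > "$d/index.html"
    echo 'body { margin: 0 }'           > "$d/css/site.css"
    echo 'picoCTF{constructed_example}' > "$d/flag"
    echo 'DB_PASSWORD=constructed'      > "$d/.env"
    echo 'CREATE TABLE users (id);'     > "$d/backup/dump.sql"
    echo "$d"
}

# Run against a real directory by passing it as the first argument.
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

On the constructed sample, the audit reports flag, .env and backup/dump.sql, and leaves index.html and css/site.css alone.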
Learned in this Challenge
- The Linux terminal (shell) is a powerful tool for working with files and remote servers
- The wget command downloads files from a URL to the local filesystem
- The man command displays the user manual for any Linux command, and is a useful first step when learning an unfamiliar tool
- The cat command reads and prints the contents of a file to the terminal
- Sensitive data stored in publicly accessible plaintext files can be retrieved by anyone with the URL
- CWE-219 covers sensitive files stored inside the web root directory, where they can be downloaded by anyone with the URL
Beyond the Challenge
The focus of this challenge was using wget and cat to retrieve and read a file, but there are other approaches and directions worth exploring:
- curl is another common command-line tool for downloading files and interacting with URLs, and is worth learning alongside wget
- The file command identifies the type of a file based on its contents rather than its extension, which is useful in forensics challenges where files may be disguised
- strings extracts human-readable text from binary files, and is often the fastest way to find a flag hidden inside a non-text file
- grep searches file contents for a pattern, such as picoCTF{, which is handy when a flag might be buried in a large file
Want to learn more about security weaknesses? I'm working through the CWE list and doing writeups for security challenges. Follow along for more articles like this one.