Hey guys, I got to know from one of my lecturers about a website with many CTF practice challenges called (https://picoctf.org/), so I decided to try A few challenges and practice.
I found this challenge called “Scavenger hunt” and this challenge sounded pretty interesting, and I started to do it.
From the Description itself it gives the vibe of a scavenger hunt :P
Here is the description: There is some interesting information hidden around this site
And also, there is a small hint about the challenge as well: You should have enough hints to find the files, don’t run a brute forcer.
Let’s get started,
- After accessing the link, which Is mentioned above, we landed on a simple webpage that looks like the one below,
- Since the description said that there is interesting information hidden around the site, I thought of viewing the source code of the web page. We can do it by right clicking on the mouse and then selecting View Page Source.
• Once you click on it you can view the source code as below,
• When you Read the source code you will see the following statement in line 31,
<! — Here’s the first part of the flag: picoCTF{t →
• This is highlighted in the image above. I copied the first part of the flag to my notepad.
• So now we have found the first part of the flag. Now we must see where we can get the rest of the flag.
- Next, I clicked on “mycss.css” and I was redirected to the page with the CSS code,
• I read through the CSS, and I was thinking that there’s no way that I will find anything on this but then once I read my way to the very bottom of the code, I found a line that said this,
/* CSS makes the page look nice, and yes, it also has part of the flag. Here’s part 2: h4ts_4_l0 */
• And according to the line above I figured out that I found the second part of the flag. Copied that to my notepad too. Up to now I have 2 parts of the flag.
I hope that the next part will be the last part of the flag!!!
- I went back to the source code and clicked on “myjs.js” file and then it redirected me to the Script file,
• I went through the scrip but no luck at all but there was a small hint :)
/* How can I keep Google from indexing my website? */
• Okay HOW??? Well, I did a bit of googling over here, according to google I read that you can use robots.txt file to manage crawler traffic to the site and also to keep a file off Google but it depends on the file type.
- Anyway, I typed /robots.txt to my URL: http://mercury.picoctf.net:39491/robots.txt/ And I clicked enter and this is what I got,
• Now I found the 3rd part of the flag, so I copied it to my note pad. The connected flag for now looks like this,
picoCTF{th4ts_4_l0t_0f_pl4c
Well looks like we have more to find :(
• Oh, wait but it has given us a hint look at this: # I think this is an apache server… can you Access the next flag?
• I went to https://httpd.apache.org and I looked up on how I could access this. It had tutorial on .htaccess files and I read how I could access this through the website.
Then I tried adding /.htaccess to the URL: http://mercury.picoctf.net:39491/.htaccess
- This was the output,
• There we go another part of the flag!!! But guess what, we are still not done! It’s alright we’ve got a clue as follows,
# I love making websites on my Mac, I can Store a lot of information there.
• When I read this clue, nothing was really important or eye catching apart from the word “Store” which is in the middle of a sentence with a capital letter. And then I tried to put things together with the details that the developer has given about his love towards his Mac. I checked where this keyword comes in the Mac OS, and I found out that there is a auto created file called .DS_Store which stores details about the system configuration. These DS_Store files are automatically created by Mac OS X Finder in browsed directories.
• I added this path to the original URL, and it looks like this: http://mercury.picoctf.net:39491/.DS_Store • Once I clicked enter this is what I got,
• Pheww!! I was relieved to see that I have completed the scavenger hunt by finding the final part of the flag!!!
➢ This is what the flag looks like: picoCTF{th4ts_4_l0t_0f_pl4c3s_2_lO0k_f7ce8828}
- So, once you get all the bits and pieces of the flag sorted you must go back to the picoCTF website where we started the ctf,
• Submit the flag and get your 50 points.
This might not be a very complicated task for the experts out there but thank you for being there till the end!
Always remember, “KEEP TRYING AND DON’T GIVE UP”, See y’all soon!
Stay home, stay safe
Written by Vihan Udawela— 2nd Year 2nd Semester -Cyber Security Student-SLIIT