This blog post is a walkthrough of the Roboto Sans and Inspect HTML challenges on the PicoCTF platform.
PicoCTF 2022 Challenge: Roboto Sans
Tags: Web Exploitation
AUTHOR: MUBARAK MIKAIL
Points: 200
PicoCTF Website: https://play.picoctf.org/
My profile: https://play.picoctf.org/users/Azt3c
DESCRIPTION:
The flag is somewhere on this web application not necessarily on the website. Find it.
Check this out.
Solution:
Looking at the challenge name, this challenge probably has something to do with robots.txt, which is part of the Robots Exclusion Protocol. robots.txt is a text file that tells web robots how to crawl pages on a website: it can indicate whether certain user agents (web-crawling software) may or may not crawl parts of the site. It is purely advisory, though: nothing stops a person or a non-compliant crawler from requesting the paths it lists, which is exactly why it is one of the first files worth reading during a pentest or a CTF.
1. Knowing that websites often have a robots.txt, let's see if this one does by going to /robots.txt:
2. It does. The file disallows "/cgi-bin/" and "/wp-admin/", but visiting each path returns a 404:
/wp-admin/:
/cgi-bin/:
3. The file also contains strings that look like base64. Decoding each one (for example on base64decode.org, or with `base64 -d` on the command line) gives a path that should not be in a robots.txt at all. Note that ';' and '.' are not base64 characters, so online decoders silently drop them and run the pieces together, which is why the first result is two names joined:
Base64 string:
ZmxhZzEudHh0;anMvbXlmaW
Decoded string:
flag1.txtjs/myfi
Base64 string:
svssshjweuiwl;oiho.bsvdaslej
Decoded string:
(non-printable garbage: this line is not real base64, just filler)
Base64 string:
anMvbXlmaWxlLnR4dA==
Decoded string:
js/myfile.txt
4. "js/myfile.txt" looks like a path on the server, so we request that file and get our flag:
FLAG: picoCTF{Who_D03sN7_L1k5_90B0T5_718c9043}
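The manual steps above (read robots.txt, pull out the Disallow entries, decode anything that looks like base64 and keep only what decodes to a real path) can be scripted so they run the same way on every target. The following is an added example written for this writeup, not code from the challenge or its author. The robots.txt it parses is a constructed sample built from what the writeup shows (the two Disallow entries and the three odd strings); the real file is not reproduced here.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample robots.txt modelled on the one described in the writeup.
# It is not a copy of the challenge file; only the directives and the three
# strings the writeup mentions are included.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /cgi-bin/
ZmxhZzEudHh0;anMvbXlmaW
svssshjweuiwl;oiho.bsvdaslej
anMvbXlmaWxlLnR4dA==
Disallow: /wp-admin/
"""

# A run of base64-alphabet characters, optionally followed by '=' padding.
# ';' and '.' are outside the alphabet, so a line like "a;b" yields two
# candidates instead of silently dropping the separator the way an online
# decoder does.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{4,}={0,2}")

DIRECTIVES = ("user-agent", "disallow", "allow", "sitemap", "crawl-delay")


def disallowed_paths(robots_txt: str) -> list[str]:
    """Return every path named in a Disallow: directive, in file order."""
    paths = []
    for line in robots_txt.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def decode_if_text(token: str) -> Optional[str]:
    """Decode a base64 token; return it only if it is printable ASCII.

    A base64 string whose unpadded length is 4k+1 cannot exist, so those are
    rejected up front. Other short remainders are repaired by re-adding '='
    padding, which is what an online decoder does for you implicitly.
    """
    stripped = token.rstrip("=")
    if len(stripped) % 4 == 1:
        return None
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or not all(c.isprintable() for c in text):
        return None
    return text


def hidden_paths(robots_txt: str) -> list[str]:
    """Base64 tokens on non-directive lines that decode to printable text."""
    found = []
    for line in robots_txt.splitlines():
        key = line.split(":", 1)[0].strip().lower()
        if ":" in line and key in DIRECTIVES:
            continue  # ordinary directive, nothing hidden to decode
        for token in B64_TOKEN.findall(line):
            decoded = decode_if_text(token)
            if decoded is not None:
                found.append(decoded)
    return found


if __name__ == "__main__":
    print("Disallowed:", disallowed_paths(SAMPLE_ROBOTS))
    print("Hidden:", hidden_paths(SAMPLE_ROBOTS))
```

On the sample above the script reports the two disallowed paths and three decoded strings: flag1.txt and js/myfi from the first line (kept separate because the ';' is treated as a boundary rather than dropped), and js/myfile.txt from the last. The filler line produces nothing, since its pieces are either an impossible base64 length or decode to non-ASCII bytes. Against a live target you would replace SAMPLE_ROBOTS with the body of an HTTP GET for /robots.txt and then request each decoded path.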
PicoCTF Challenge: Inspect HTML
Tags: Web Exploitation, Inspector
AUTHOR: LT ‘SYREAL’ JONES
Points: 100
Solution:
1. Visiting the website, we see a story about 'On Histiaeus' and that's pretty much it:
2. Going by the challenge name, we inspect the page source: right-click anywhere on the page and choose "View Page Source" (or press Ctrl+U):
3. Read through the HTML and you will find the flag:
Flag: picoCTF{1n5p3t0r_0f_h7ml_1fd8425b}
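"View Page Source" works for one page, but the same check is easy to script when there are many pages to look through. Below is an added example, not code from the challenge or its author: it parses an HTML document and reports every flag-shaped string together with the kind of node it was found in (comment, visible text, or tag attribute), which are the usual places things get left behind. The HTML is a constructed sample; putting the flag in a comment is an assumption made for the sample, not a statement about where the challenge page keeps it.

```python
import re
from html.parser import HTMLParser

# picoCTF flag format as shown in this writeup.
FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")

# Constructed sample page. The challenge page is not reproduced here; the
# flag placed in a comment is an assumption for the sake of the example.
SAMPLE_HTML = """\
<!doctype html>
<html>
<head><title>On Histiaeus</title></head>
<body>
<h1>On Histiaeus</h1>
<p>A story about a message hidden where only the right reader looks.</p>
<!-- picoCTF{1n5p3t0r_0f_h7ml_1fd8425b} -->
<input type="hidden" name="token" value="not-a-flag">
</body>
</html>
"""


class FlagFinder(HTMLParser):
    """Record every flag-shaped string and the kind of node it came from."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[tuple[str, str]] = []

    def _scan(self, where: str, text: str) -> None:
        for flag in FLAG_RE.findall(text):
            self.hits.append((where, flag))

    def handle_comment(self, data: str) -> None:
        # Comments never render, so they are the classic hiding place.
        self._scan("comment", data)

    def handle_data(self, data: str) -> None:
        # Text nodes, including script and style bodies.
        self._scan("text", data)

    def handle_starttag(self, tag: str, attrs) -> None:
        # Attribute values: hidden inputs, data-* attributes, alt text, etc.
        for name, value in attrs:
            if value:
                self._scan(f"{tag}[{name}]", value)


def find_flags(html: str) -> list[tuple[str, str]]:
    """Return (location, flag) pairs for every flag-shaped string in html."""
    parser = FlagFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


if __name__ == "__main__":
    for where, flag in find_flags(SAMPLE_HTML):
        print(f"{where}: {flag}")
```

On the sample this reports a single hit from the comment node. Against a real page, feed it the raw response body rather than the DOM the browser shows you, since comments and some attributes are exactly what the rendered view hides.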
Thanks for reading ;). If you have any questions, don’t hesitate to contact me.