PicoCTF 2022 : Roboto Sans & Inspect HTML Challenge-WriteUps

Azt3c
May 7, 2022

This blog is a walkthrough for the challenge Roboto Sans and Inspect HTML on the PicoCTF Platform.

PicoCTF 2022 Challenge: Roboto Sans

Tags: Web Exploitation

AUTHOR: MUBARAK MIKAIL

Points: 200

PicoCTF Website: https://play.picoctf.org/

My profile: https://play.picoctf.org/users/Azt3c

DESCRIPTION:

The flag is somewhere on this web application not necessarily on the website. Find it.

Check this out.

Solution:

Looking at the challenge name, this challenge probably has something to do with robots.txt, which is part of the Robots Exclusion Protocol. robots.txt is a text file that tells web robots how to crawl pages on a website: it can indicate whether certain user agents (web-crawling software) may or may not crawl parts of the site. Note that it is purely advisory, so anything listed in it is readable by anyone who fetches the file.

1. Knowing that websites commonly have a robots.txt, let's see whether this one does by going to /robots.txt:

2. It does, and the file disallows “/cgi-bin/” and “/wp-admin/”. Going to each path returns a 404.


3. The file also contains strings that look base64-encoded; decoding them on base64decode gives a path that shouldn't be in a robots.txt:
Base64 string:
ZmxhZzEudHh0;anMvbXlmaW

Decoded string:
flag1.txtjs/myfi

Base64 string:
svssshjweuiwl;oiho.bsvdaslej

Decoded string:
, z谖/u%z

Base64 string:
anMvbXlmaWxlLnR4dA==

Decoded string:
js/myfile.txt

4. “js/myfile.txt” looks like a path on the server, so we request that file and get our flag:


FLAG: picoCTF{Who_D03sN7_L1k5_90B0T5_718c9043}
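The robots.txt triage from steps 1 to 3, as an added example that is not part of this write-up: it separates the Disallow paths from any line that isn't a robots.txt directive, then base64-decodes every run of base64-alphabet characters in those stray lines, repairing missing padding and discarding anything that doesn't decode to printable ASCII (which is what happens with the second line). The file content is a constructed sample built from the entries quoted above, not the real challenge file.

```python
import base64
import binascii
import re

# Constructed sample of the robots.txt the write-up describes; not the real file.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /cgi-bin/
ZmxhZzEudHh0;anMvbXlmaW
svssshjweuiwl;oiho.bsvdaslej
anMvbXlmaWxlLnR4dA==
Disallow: /wp-admin/
"""

DIRECTIVES = {"user-agent", "disallow", "allow", "sitemap", "crawl-delay"}
B64_RUN = re.compile(r"[A-Za-z0-9+/]+=*")  # runs of base64-alphabet chars


def parse_robots(text):
    """Return (Disallow paths, lines that are not robots.txt directives)."""
    disallowed, stray = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in DIRECTIVES:
            if key.strip().lower() == "disallow" and value.strip():
                disallowed.append(value.strip())
        else:
            stray.append(line)  # not a directive: worth a closer look
    return disallowed, stray


def decode_chunk(chunk):
    """Base64-decode one run (repairing padding); None if invalid or unprintable."""
    padded = chunk + "=" * (-len(chunk) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def recover_paths(stray_lines):
    """Decode every base64-looking run; ';' and '.' split the runs apart."""
    found = []
    for line in stray_lines:
        for chunk in B64_RUN.findall(line):
            decoded = decode_chunk(chunk)
            if decoded is not None:
                found.append((chunk, decoded))
    return found
```

The same script doubles as a self-check on your own robots.txt: anything listed there is public, so a Disallow entry is a pointer, not protection.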

PicoCTF Challenge: Inspect HTML

Tags: Web Exploitation, Inspector

AUTHOR: LT ‘SYREAL’ JONES

Points: 100

DESCRIPTION:

Can you get the flag?

Go to this website and see what you can discover.

Solution:

1. Visiting the website, we see that there's a story about ‘On Histiaeus’ and that's pretty much it.

2. Based on the name of the challenge, we'll be inspecting the page source, so right-click anywhere on the website and choose “View page source”:

3. Inspect the HTML code and you will find the flag:


Flag: picoCTF{1n5p3t0r_0f_h7ml_1fd8425b}

Thanks for reading ;). If you have any questions, don’t hesitate to contact me.
