Post

PicoCTF - Scavenger Hunt

  1. Visiting the site:

  2. This looks (almost) identical to the Insp3ct0r challenge. Let’s see if by viewing the page’s HTML, CSS, and JS code would be enough to get the flag. We will be using Burp Suite this time, so let’s start by viewing the HTML:

  3. We got the first part of it: picoCTF{t. By switching to the Target tab and sending the mycss.css and myjs.js requests to the Repeater we can check the CSS and JS code as well:

  4. We managed to get the second part of the flag: h4ts_4_l0, thus, we have picoCTF{th4ts_4_l0. The question asks us about Google indexing which points us to search for the robots file:

  5. So we now have: picoCTF{th4ts_4_l0t_0f_pl4c and we are asked about the next flag! It lets us know that it is an apache server and has the Access with capital A, which points towards a common apache directory: /.htaccess:

  6. This time the flag is gonna be a long one: picoCTF{th4ts_4_l0t_0f_pl4c3s_2_lO0k. The last hint talks about storing a lot of information, which indicates to some kind of a database-related directory. We can can perform dir-busting to see if that can help:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    
     $ dirsearch -u http://mercury.picoctf.net:39698/
     /usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
     from pkg_resources import DistributionNotFound, VersionConflict
    
     _|. _ _  _  _  _ _|_    v0.4.3
     (_||| _) (/_(_|| (_| )
    
     Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
    
     Output File: /home/kali/reports/http_mercury.picoctf.net_39698/__23-12-14_17-18-34.txt
    
     Target: http://mercury.picoctf.net:39698/
    
     [17:18:34] Starting:
     [17:18:39] 403 -    9B  - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
     [17:18:42] 200 -   62B  - /.DS_Store
     [17:18:45] 200 -   95B  - /.htaccess
     [17:18:45] 200 -   95B  - /.htaccess/
     [17:20:33] 200 -  124B  - /robots.txt
    
     Task Completed
    

  7. Our complete flag is: picoCTF{th4ts_4_l0t_0f_pl4c3s_2_lO0k_fa04427c}:

This post is licensed under CC BY 4.0 by the author.