picoCTF 2022 Write-up (Web Exploitation)

Hi everyone! This post is a write-up of the web exploitation challenges from picoCTF 2022, which was held from 16th March 2022 to 30th March 2022. It covers the basics of analyzing client-side source code, path traversal, robots.txt, modifying cookies, directory fuzzing, and SQL injection. Let’s get started!

1. Includes

The main page of the website is shown below.

Press CTRL+U to read the source code of the website. We can see there are two files included, style.css and script.js.

Open those files in a new tab and we can see half of the flag at the bottom of each file.

2. Inspect HTML

The main page of the website is shown below.

Press CTRL+U to inspect the HTML file and we can immediately see the flag in the HTML comment.

3. Local Authority

The main page of the website is shown below.

Press CTRL+U to inspect the HTML file and we can see that the credentials entered into the login form will be sent to login.php. We can access login.php in a new tab from the browser.

Surprisingly, some of the source code of login.php is shown to us. This is because the logic that handles our login credentials is in a JavaScript function in the HTML that is echoed to us. We can see that checkPassword() is used to check our login credentials. It comes from secure.js, which we can open in another tab.

We can see the admin username and password in plaintext.

Login using the found credentials and we will see the flag.

4. Search source

The main page of the website is shown below.

Press CTRL+U to inspect the HTML file and open style.css in a new tab.

Use CTRL+F and search for “picoCTF{” and we will be able to see the flag.

5. Forbidden Paths

The main page of the website is shown below.

Based on the challenge’s description, we know that the flag is located in the root directory, /. Besides that, we know that the Web Reader references files based on an absolute path. Therefore, we can use path traversal to access flag.txt by inputting the following into the textbox and pressing the “Read” button.


This allows us to obtain the flag.
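The server-side check that stops this class of bug, as an added example that is not part of the original write-up: it compares a hypothetical filter that only refuses absolute paths with a canonicalize-then-contain check. The base directory, function names and sample requests are all constructed for illustration.

```python
import posixpath

BASE_DIR = "/srv/reader/books"  # constructed document root (assumption)


def naive_filter(name):
    """Hypothetical weak check: only absolute paths are refused."""
    return not name.startswith("/")


def resolve_under_base(name, base=BASE_DIR):
    """Return the normalized path if it stays inside base, else None."""
    # join() discards base when name is absolute; normpath() collapses "..".
    # On a real filesystem, realpath() would also resolve symlinks.
    candidate = posixpath.normpath(posixpath.join(base, name))
    # Compare whole path components, so /srv/reader/books-old is not
    # mistaken for a child of /srv/reader/books.
    if posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed requests: a normal file, a relative escape, an absolute path,
# and a sibling directory that shares the base's string prefix.
SAMPLES = ["intro.txt", "../../notes.txt", "/etc/hostname", "../books-old/a.txt"]


def audit(samples=SAMPLES):
    """Map each request to (naive_filter verdict, canonical verdict)."""
    return {s: (naive_filter(s), resolve_under_base(s) is not None)
            for s in samples}


if __name__ == "__main__":
    for name, (naive_ok, canonical_ok) in audit().items():
        print(f"{name!r:24} naive={naive_ok!s:5} canonical={canonical_ok}")
```

The relative requests pass the naive filter but are refused once the path is normalized and checked against the base directory.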

6. Power Cookie

The main page of the website is shown below. Click on the “Continue as guest” button.

We will be directed to a page that says we must be an admin to view the content.

Press F12 on your keyboard and navigate to Storage. Change the value of “isAdmin” from 0 to 1. If you have no background in programming, 0 means False while 1 means True.

Refresh the page and we will obtain the flag.
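Why the edit works and one way to close the hole, as an added example that is not part of the original write-up: the first function trusts the client-editable isAdmin cookie, the second accepts only a cookie carrying a server-side HMAC. The key, the `user|role|tag` cookie layout and all function names are assumptions.

```python
import hashlib
import hmac

# Assumption: a constructed demo key; a real one is random and server-only.
SERVER_KEY = b"constructed-demo-key"


def is_admin_trusting(cookies):
    """The pattern the challenge shows: the role is read from the client."""
    return cookies.get("isAdmin") == "1"


def _tag(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user, is_admin):
    """Hypothetical hardened cookie: 'user|role|hmac', signed by the server."""
    payload = "%s|%d" % (user, 1 if is_admin else 0)
    return {"session": payload + "|" + _tag(payload)}


def is_admin_verified(cookies):
    """Accept the role only if the HMAC over 'user|role' still matches."""
    payload, _, tag = cookies.get("session", "").rpartition("|")
    if not payload:
        return False  # cookie missing or malformed
    # Constant-time comparison on bytes; any edit to user or role fails here.
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return False
    return payload.rpartition("|")[2] == "1"


if __name__ == "__main__":
    guest = issue_session("guest", False)
    edited = {"session": guest["session"].replace("guest|0", "guest|1")}
    print("trusting check, edited cookie:", is_admin_trusting({"isAdmin": "1"}))
    print("verified check, edited cookie:", is_admin_verified(edited))
```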

7. Roboto Sans

The main page of the website is shown below.

Based on the challenge’s name, I guessed it has something to do with /robots.txt. Visiting it will provide us with some base64 encoded messages.

I used https://www.base64decode.org/ to decode the base64 message which turns out to be a directory path that contains the flag.

Going to the website page allows us to obtain the flag.

8. Secrets

As the challenge gave us a hint that it is on a secret page, I excluded any file extensions in my fuzzing.

kali@kali~$ sudo apt update && sudo apt install seclists
kali@kali~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -u http://saturn.picoctf.net:49810/FUZZ
.                       [Status: 200, Size: 1023, Words: 201, Lines: 37]
secret                  [Status: 301, Size: 169, Words: 5, Lines: 8]

Accessing the /secret/ directory gives us a hint that we are getting close.

Fuzzing the /secret/ directory allowed me to discover more web pages.

kali@kali~$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -u http://saturn.picoctf.net:49810/secret/FUZZ
assets                  [Status: 301, Size: 169, Words: 5, Lines: 8]
.                       [Status: 200, Size: 468, Words: 55, Lines: 13]
hidden                  [Status: 301, Size: 169, Words: 5, Lines: 8]

View of http://saturn.picoctf.net:49810/secret/hidden/:

Looking at the source code of the web page by pressing CTRL+U, I could see another directory.

However, http://saturn.picoctf.net:49810/secret/hidden/superhidden/xdfgwd.html isn’t accessible but http://saturn.picoctf.net:49810/secret/hidden/superhidden/ is.

Looking at the source code, we can see the flag, which has been hidden with CSS by making the font white.

9. SQL Direct

This challenge is pretty straightforward as we just have to retrieve the flag from a table. Firstly, you will need the psql tool. If you are using Kali, it should already come with psql. You can get a list of specific PostgreSQL commands here. To retrieve the flag, it is just a normal SQL query.

kali@kali~$ psql -h saturn.picoctf.net -p 53729 -U postgres pico
Password for user postgres: postgres
psql (13.3 (Debian 13.3-1), server 14.2 (Debian 14.2-1.pgdg110+1))
WARNING: psql major version 13, server major version 14.
         Some psql features might not work.
Type "help" for help.

pico=# \dt
         List of relations
 Schema | Name  | Type  |  Owner   
 public | flags | table | postgres
(1 row)

pico=# SELECT * FROM flags;
 id | firstname | lastname  |                address                 
  1 | Luke      | Skywalker | picoCTF{L3arN_S0m3_5qL_t0d4Y_472538a0}
  2 | Leia      | Organa    | Alderaan
  3 | Han       | Solo      | Corellia
(3 rows)

pico-# \q


10. SQLiLite

The main page of the website is shown below.

This is an SQL injection challenge. Hence we can just inject the following content into the Username textbox and press Login.

' or 1=1;#

Once logged in, we will see the page shown below. If you do not understand why it works, the login page already shows the full SQL query that includes our injected content, which should explain why it works. Note that # is just to comment out the rest of the SQL query statement to prevent errors.

Pressing CTRL+U allows us to see the flag in the HTML source code.
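The injection and its fix side by side, as an added example that is not part of the original write-up: it assumes an in-memory SQLite database through Python's sqlite3 module, with a constructed users table and a hypothetical query shape. The sample input ends in SQLite's `--` line comment in place of the page's `;#`, because Python's sqlite3 module rejects non-comment text after the first statement.

```python
import sqlite3

# Constructed sample input modelled on the payload in this section.
INJECTED = "' or 1=1 --"


def make_db():
    """Constructed data; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def build_query(username, password):
    """Vulnerable: user input is pasted straight into the SQL text."""
    return ("SELECT username FROM users "
            "WHERE username='%s' AND password='%s'" % (username, password))


def login_vulnerable(db, username, password):
    # The quote in the input closes the string literal, "or 1=1" makes the
    # WHERE clause true for every row, and "--" hides the password test.
    return db.execute(build_query(username, password)).fetchone() is not None


def login_parameterized(db, username, password):
    # Placeholders bind the input as data, so the quote never reaches the
    # SQL parser and the input is compared as a literal username.
    row = db.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(build_query(INJECTED, "x"))
    print("string-built query logs in:", login_vulnerable(db, INJECTED, "x"))
    print("parameterized query logs in:", login_parameterized(db, INJECTED, "x"))
```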

I hope this article has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂

