Written by

Share this post!


← ../

Web Beginner - picoCTF 2022 Writeup

April 24, 20221 min read


Looking through the sources you will be able to find the two parts of the flag in the css file and js file attached in the head tags of source.


Inspect HTML

Check source to get the flag


Local Authority

After having a failed login attempt, you should be able to find the secure.js attached to login.php.

USER: admin
PASS: strongPassword098765

Logging in gives us the flag


Search Source

The flag is the style.css of the website, then search for pico


Forbidden Paths

By using directory transversal in the prompt given, we are able to read the flag file



Power Cookie

When we access the website, we are given an option to join the website as guest. But that is all we are left with.

However if we look at the storage of the developer tools, we will see a cookie called isAdmin. Setting it to 1 and then refreshing brings us the flag.



Roboto Sans

Check the robots.txt.


This prevents webcrawlers from accessing certain parts of the sites.

When we base64 decode the contents, we are able to see that these are files hidden in this encoding.

Lets access one of these directories at js/myfile.txt.

We got our flag.



This is manual directory transversal using source. We see in initial source there is a folder called secrets.

When scouting the directory of http://saturn.picoctf.net:49917/secret/, we see an image file and another folder called hidden.

When scouting the directory of http://saturn.picoctf.net:49917/secret/hidden/, we see a login page and a folder called superhidden.

Finally in the superhidden directory, we get our flag.

picoCTF{[email protected]@10n_790d2615}

SQL Direct

pico=# \d
         List of relations
 Schema | Name  | Type  |  Owner   
 public | flags | table | postgres
(1 row)

pico=# select * from flags
pico-# ;
 id | firstname | lastname  |                address                 
  1 | Luke      | Skywalker | picoCTF{L3arN_S0m3_5qL_t0d4Y_21c94904}
  2 | Leia      | Organa    | Alderaan
  3 | Han       | Solo      | Corellia
(3 rows)


We got our flag.



username: admin
password: admin
SQL query: SELECT * FROM users WHERE name='admin' AND password='admin'

Login failed.

With this in mind, we can replace the last password statement to an always true statement.

USER: admin
PASS: ' OR 1=1--

Using these credentials we can login and check source to find the flag.


Published April 24, 2022, by ZyphenSVC.

If you enjoyed the post, consider sharing it!


Copyright © 2023 Sriaditya Vedantam. Site source on GitHub.