picoCTF - Scavenger Hunt Solution


Scavenger Hunt Solution

This is the solution for picoCTF's Scavenger Hunt web exploitation problem.

This problem is from picoCTF 2021. The full solution is discussed below, so proceed with caution if you want to solve it yourself first.

Opening the link, we are taken to a simple website.

Let's view the page source to understand more. Right click the page and choose View Page Source in the browser, or open view-source:mercury.picoctf.net:55079 directly.


Here we find the first part of the flag : picoCTF{t

Now let's check the other files the page references as being used to build the website (the stylesheet and the script).

Let's start with mycss.css view-source:mercury.picoctf.net:55079/mycss.css


We find the second part of the flag : h4ts_4_l0

The next file to inspect is myjs.js: mercury.picoctf.net:55079/myjs.js

This file holds no flag fragment, but it does contain a clue to the next one: How can I keep Google from indexing my website?

A quick search shows that robots.txt is the file site owners use to ask search engines not to crawl or index parts of a site.

http://mercury.picoctf.net:55079/robots.txt

robots.txt matters for security because the paths it asks crawlers to avoid are often exactly the restricted or sensitive areas of the site, which helps an attacker map it. Listing a path there is not access control: it is only a request that well-behaved crawlers honour, and nothing stops a person from visiting the path directly. Any area listed in robots.txt therefore still needs real authentication and authorization behind it.

We find the third part of the flag : t_0f_pl4c.
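Because robots.txt is advisory, the practical recon step is to turn every Disallow line into a URL to visit and to read the comment lines, which is where CTF authors (and sometimes developers) leave hints. The following parser is an added example for this write-up, not code from picoCTF or the original post; the robots.txt sample inside it is constructed in the style of the challenge's file and the host name is taken from the URLs above.

```python
"""Turn a robots.txt into a recon target list.

Added example for this write-up, not part of picoCTF or the original post.
A Disallow line only asks well-behaved crawlers to stay away, so from an
attacker's point of view it is a list of paths worth visiting.
"""
from urllib.parse import urljoin


def parse_robots(text: str):
    """Parse robots.txt into a list of (user_agents, rules) groups.

    rules is a list of (directive, value) pairs in file order; directive
    names are lower-cased. Comments (# ...) and blank lines are dropped.
    """
    groups = []
    agents, rules = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if rules:  # a User-agent line after rules starts a new group
                groups.append((agents, rules))
                agents, rules = [], []
            agents.append(value)
        else:
            rules.append((key, value))
    if agents or rules:
        groups.append((agents, rules))
    return groups


def comments(text: str):
    """Return the comment text of every line that carries one."""
    return [l.split("#", 1)[1].strip() for l in text.splitlines() if "#" in l]


def recon_targets(base_url: str, text: str):
    """Absolute URLs for every Disallow/Allow path plus Sitemap entries, deduplicated."""
    seen, out = set(), []
    for _agents, rules in parse_robots(text):
        for directive, value in rules:
            if directive in ("disallow", "allow") and value:
                # trailing wildcard/anchor characters are not part of a real path
                url = urljoin(base_url, value.rstrip("*$"))
            elif directive == "sitemap":
                url = value
            else:
                continue
            if url not in seen:
                seen.add(url)
                out.append(url)
    return out


# Constructed sample in the style of the challenge's robots.txt; not the real file.
SAMPLE = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/*.tar.gz$
Allow: /public/
# Part 3: t_0f_pl4c
# I think this is an apache server... can you Access the next flag?
Sitemap: http://example.test/sitemap.xml

User-agent: Googlebot
Disallow: /private/
"""

if __name__ == "__main__":
    for hint in comments(SAMPLE):
        print("hint:", hint)
    for url in recon_targets("http://mercury.picoctf.net:55079/", SAMPLE):
        print("visit:", url)
```

Paths are resolved with urljoin so a relative Disallow value and an absolute one both become full URLs; Sitemap lines are kept because sitemaps list even more pages than the robots rules do.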

But the flag is still incomplete. The robots.txt file also provides a clue to the file containing the next part: I think this is an apache server... can you Access the next flag?

The capital A in Access is deliberate. A search for Apache access control files leads to the .htaccess documentation:

https://httpd.apache.org/docs/2.4/howto/htaccess.html

So let's try accessing the .htaccess file. http://mercury.picoctf.net:55079/.htaccess

The file exists and the server happily serves it. .htaccess is Apache's per-directory configuration file: it can restrict access to files and folders, allow or deny requests by IP address, set up redirects and rewrites, and more. A misconfigured .htaccess can open holes in that access control, and the file itself should never be downloadable, since it reveals exactly which paths are protected and how. Apache's default configuration denies HTTP access to any file whose name starts with .ht, so being able to fetch it here is a misconfiguration in its own right.

We find the fourth part of the flag: 3s_2_lO0k, along with the next clue: I love making websites on my Mac, I can Store a lot of information there.

Searching for the clue again, we find that macOS Finder creates a hidden file called .DS_Store in folders it has browsed.

Let's try to access the file http://mercury.picoctf.net:55079/.DS_Store


We find the last part of the flag : _74cceb07}

.DS_Store matters for security because it stores Finder metadata for its containing folder (view settings, icon positions, window geometry) together with the names of the files and subfolders in that folder. A .DS_Store uploaded to the web root therefore leaks a directory listing even when the server has directory indexing turned off, including files that were never meant to be linked from any page.

Attackers use the file names recovered this way (backup archives, admin directories, database dumps, source files) to find admin portals, backend code and databases that would otherwise stay hidden. The file does not grant access by itself; it tells you where to look.

Because the file is hidden on macOS, it is easy to upload by mistake. Exclude it (and other dotfiles) from deployments and block it in the web server configuration so it is never served along with your public web files.
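In this challenge the flag fragment sits in the file as plain text, but on a real engagement the value of a leaked .DS_Store is the list of file names inside it, which are stored as UTF-16BE strings in a fixed record layout. The extractor below is an added example for this write-up, not code from picoCTF or the original post. It scans for the record layout (name length, name, 4-byte structure id, 4-byte data type, payload) rather than walking the file's buddy-allocator and B-tree bookkeeping, so it works on a complete file or on a partial download; the sample blob it runs on is constructed inline and is not a capture from the challenge server.

```python
"""Recover file names from a .DS_Store blob.

Added example for this write-up, not part of picoCTF or the original post.
Each record in a .DS_Store file is laid out as:
    u32 BE  name length, in UTF-16 code units
    name    UTF-16BE
    4 bytes structure id (e.g. b"Iloc", b"bwsp", b"cmmt")
    4 bytes data type: long, shor, bool, blob, type, ustr, comp or dutc
    payload whose size depends on the data type
The scanner finds the data-type tag, checks the structure id in front of it and
walks backwards to recover the name, so it needs no allocator/B-tree parsing.
"""
import re
import struct

DATA_TYPES = {b"long", b"shor", b"bool", b"blob", b"type", b"ustr", b"comp", b"dutc"}
MAX_NAME = 255  # longest file name macOS allows, in characters


def _payload_len(dtype: bytes, data: bytes, off: int) -> int:
    """Size of the record payload that starts at `off`, so it can be skipped."""
    if dtype in (b"long", b"shor", b"type"):
        return 4
    if dtype == b"bool":
        return 1
    if dtype in (b"comp", b"dutc"):
        return 8
    # blob and ustr carry a u32 length first; ustr counts UTF-16 code units
    (n,) = struct.unpack_from(">I", data, off)
    return 4 + (n * 2 if dtype == b"ustr" else n)


def ds_store_names(data: bytes):
    """Return the unique file/folder names referenced by a .DS_Store blob, in order found."""
    names = []
    i = 0
    while i + 4 <= len(data):
        dtype = data[i:i + 4]
        sid = data[i - 4:i] if i >= 4 else b""
        if dtype not in DATA_TYPES or len(sid) != 4 or not (sid.isascii() and sid.isalnum()):
            i += 1
            continue
        found = None
        for n in range(1, MAX_NAME + 1):
            start = i - 8 - 2 * n  # [u32 len][2n bytes name][4 byte sid] then dtype at i
            if start < 0:
                break
            (ln,) = struct.unpack_from(">I", data, start)
            if ln != n:
                continue
            try:
                name = data[start + 4:start + 4 + 2 * n].decode("utf-16-be")
            except UnicodeDecodeError:
                continue
            if re.search(r"[\x00-\x1f/]", name):  # not a valid file name
                continue
            found = name
            break
        if found is None:
            i += 1
            continue
        if found not in names:
            names.append(found)
        try:
            i += 4 + _payload_len(dtype, data, i + 4)
        except struct.error:  # truncated payload at end of a partial download
            i += 4
    return names


def _record(name: str, struct_id: bytes, dtype: bytes, payload: bytes) -> bytes:
    enc = name.encode("utf-16-be")
    return struct.pack(">I", len(enc) // 2) + enc + struct_id + dtype + payload


# Constructed sample: records in the .DS_Store layout with filler standing in
# for the allocator/B-tree bookkeeping. Not a capture from the picoCTF server.
SAMPLE = (
    b"\x00\x00\x00\x01Bud1" + b"\x00" * 24
    + _record("admin", b"bwsp", b"blob", struct.pack(">I", 3) + b"abc")
    + _record("backup.tar.gz", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
    + _record("index.html", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
    + _record("index.html", b"lsvp", b"long", struct.pack(">I", 1))
    + _record("notes.txt", b"cmmt", b"ustr", struct.pack(">I", 2) + "hi".encode("utf-16-be"))
    + b"\x00" * 16
)

if __name__ == "__main__":
    for name in ds_store_names(SAMPLE):
        print(name)
```

Run against a downloaded .DS_Store (`ds_store_names(open(".DS_Store", "rb").read())`) the output is the list of names that existed in that folder on the developer's machine, which is the directory listing the web server was supposed to hide.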

Combining every part of the flag we found:

Flag: picoCTF{th4ts_4_l0t_0f_pl4c3s_2_lO0k_74cceb07}

Until next time. Keep learning.

Stay stoked and code. :)


I hope you can voluntarily Buy Me A Coffee if you found this article useful and give additional support for me to continue sharing more content for the community. :)

Thank you very much. :)