Scavenger Hunt Solution
This is the solution for picoCTF's Scavenger Hunt web exploitation problem.
This problem was taken from picoCTF 2021, and the solution is discussed below, so proceed with caution.
Opening the link, we are redirected to a simple website.
Let's view the page source of this website to understand more. Right-click the page and left-click View Page Source in the browser: view-source:mercury.picoctf.net:55079
Here we find the first part of the flag: picoCTF{t
Now let's check the other files stated by the page as being used to create the website.
Let's start with mycss.css
view-source:mercury.picoctf.net:55079/mycss.css
We find the second part of the flag: h4ts_4_l0
Next file we need to inspect is myjs.js
mercury.picoctf.net:55079/myjs.js
Although we are not able to find any flag here, we find a clue to the next one: "How can I keep Google from indexing my website?"
Doing a Google search, we find that robots.txt is used to prevent indexing.
http://mercury.picoctf.net:55079/robots.txt
robots.txt is important in security because it can leak information about which areas of the site are restricted. This assists hackers in mapping the site. The file can lead to a vulnerability if an area is listed as restricted for crawling/indexing yet proper security protections are not implemented.
We find the third part of the flag: t_0f_pl4c
But the flag is still incomplete. The robots.txt file provides us a clue to the file containing the next part of the flag: "I think this is an apache server... can you Access the next flag?"
For some reason, "Access" is capitalized in the clue. So let's start by doing a Google lookup for Apache file access.
https://httpd.apache.org/docs/2.4/howto/htaccess.html
So let's try accessing the .htaccess file: http://mercury.picoctf.net:55079/.htaccess
The file exists. This file is important security-wise, as misconfiguring it will lead to vulnerabilities. It is used to control access to files and folders, and access by IP address.
We find the fourth part of the flag: 3s_2_lO0k
along with the clue to the next file: "I love making websites on my Mac, I can Store a lot of information there."
Again using Google to search for the clue, we find that on Mac systems there is a file called .DS_Store.
Let's try to access the file: http://mercury.picoctf.net:55079/.DS_Store
We find the last part of the flag: _74cceb07}
.DS_Store is significant in security as it can be used by hackers to see private files. This file stores custom attributes/metadata of its containing folder and the names of the other files around it.
It is known to be exploited by hackers to gain access to the admin portal, backend and database of an application, exposing them to anyone who accesses the .DS_Store file.
As this file is hidden, don't make the mistake of uploading it along with your public web files.
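A pre-deployment check for the files this walkthrough relied on, as an added example that is not part of the original write-up: it scans a local web root for .DS_Store and .htaccess files and flags robots.txt Disallow entries that actually exist on disk. The function names and the sample directory tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

SENSITIVE_NAMES = {".DS_Store", ".htaccess"}  # file names taken from this write-up

def robots_disallowed(robots_text):
    """Return the paths listed in Disallow rules of a robots.txt body."""
    paths = []
    for line in robots_text.splitlines():
        key, _, value = line.split("#", 1)[0].partition(":")  # drop comments
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths

def audit_webroot(root):
    """Report files that leak information or rely on robots.txt alone."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if path.is_file() and path.name in SENSITIVE_NAMES:
            findings.append(("exposed-file", path.relative_to(root).as_posix()))
    robots = root / "robots.txt"
    if robots.is_file():
        text = robots.read_text(encoding="utf-8", errors="replace")
        for rule in robots_disallowed(text):
            # A Disallow entry that exists on disk is hidden from crawlers only;
            # it still needs real access control on the server.
            target = rule.strip("/")
            if target and (root / target).exists():
                findings.append(("robots-only-protection", rule))
    return sorted(findings)

def build_sample_webroot():
    """Create a constructed sample tree (all contents are placeholders)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "robots.txt": "User-agent: *\nDisallow: /admin/  # constructed\nDisallow: /old/\n",
        ".htaccess": "# constructed\n",
        "admin/login.html": "<form></form>",
        "admin/.DS_Store": "constructed",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return root

if __name__ == "__main__":
    for kind, path in audit_webroot(build_sample_webroot()):
        print(f"{kind:24}{path}")
```

A .htaccess finding is a prompt to confirm that the server refuses to serve the file, since Apache needs it on disk; a .DS_Store finding should simply be deleted from the deploy tree.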
Combining every part of the flag we found:
Flag: picoCTF{th4ts_4_l0t_0f_pl4c3s_2_lO0k_74cceb07}
Until next time. Keep learning.
Stay stoked and code. :)