Pico CTF: WebDecode
- Cody
- Dec 10, 2024
Challenge: WebDecode
Difficulty: Easy
Category: Web Application
Challenge: Inspect the website and find the hidden flag.

Do I know how to use the web inspector? Maybe! ;) ...F12

After spending way too much time on this one, inspecting every possible atom...of course the flag is encoded. I thought the random string "cGljb0NURnt3ZWJfc3VjYzNzc2Z1bGx5X2QzYzBkZWRfMDJjZGNiNTl9" looked a little out of place as it didn't show up anywhere else and was quite random and useless for this webpage. It also seemed a little bit like a flag. It also took me a while to realize the challenge name was a clue.
Let's talk about inspecting a web page. Automatically, I thought of F12 which is a great tool. But I don't think it was the best tool for this challenge. As far as I knew, I needed to find a flag within the pages. With the inspector (F12), most items have to be manually expanded to see the full details. That wasn't the problem with this challenge. On a more difficult variation, a flag could be hidden in the details that aren't seen (see the Unminify post). Although, technically you could perform a search for "picoCTF" (start of flags). As you can see, the flag shows up in the inspector but you would need to see what seems out of place. I would prefer using the inspector for trying different HTTP requests like a built-in Burp Suite.

Personally, I found right-clicking on the page and clicking "View Page Source" to be the easiest to perform a quick investigation of what is going on. It gives you more of a “whole picture” perspective.

Now let's talk about Base64 encoding. What is it? It is a method of converting binary data into plain text strings. What is it used for? Base64 encoding is used, for example, to take something composed of non-printable characters like a picture and turn it into ASCII characters which can then be sent as an email attachment. Base64 encoding takes 3 characters of input and converts them into 4 characters of output. Often, there will be equal signs (=) on the end if there are empty slots in the last 3-byte output. That goes more in depth than I plan to, but I wanted to note it because the padding can give away what the string is. Here, I used a website decoder which works great. But since then I’ve learned that Linux actually has a built-in base64 tool.

How to use the Linux base64 tool:
String to encode: Super secret text
Encode (-n keeps echo from appending a newline, which would otherwise be encoded too):
$ echo -n 'Super secret text' | base64
Decode:
$ echo 'U3VwZXIgc2VjcmV0IHRleHQ=' | base64 --decode
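
An added example, not part of the original write-up: a shell function that scans page source for Base64-looking strings and decodes each one with the base64 tool, so an out-of-place encoded value stands out without expanding every element by hand. The sample HTML, the data-note attribute and the hex id are constructed for illustration; the two encoded strings are the ones quoted above.

```shell
#!/bin/sh
# Constructed sample page source (not the real challenge page). The data-note
# attribute is hypothetical; its value is the string quoted in the write-up.
sample_html='<html><head><title>Constructed sample</title></head>
<body>
<!-- U3VwZXIgc2VjcmV0IHRleHQ= -->
<div id="a3f9c1d27b8e4f60a3f9c1d2" class="about">
<section data-note="cGljb0NURnt3ZWJfc3VjYzNzc2Z1bGx5X2QzYzBkZWRfMDJjZGNiNTl9">
<p>Try inspecting the page!</p>
</section></div></body></html>'

# find_encoded: read page source on stdin and print "token<TAB>decoded text"
# for every Base64-looking token that decodes to printable ASCII.
find_encoded() {
    # Candidates: 16+ characters from the Base64 alphabet, then up to two "=".
    grep -oE '[A-Za-z0-9+/]{16,}={0,2}' | while IFS= read -r token; do
        # Padded Base64 always has a length that is a multiple of 4.
        [ $(( ${#token} % 4 )) -eq 0 ] || continue
        # -d is the short form of --decode; skip tokens base64 rejects.
        decoded=$(printf '%s' "$token" | base64 -d 2>/dev/null) || continue
        [ -n "$decoded" ] || continue
        # Drop false positives such as hex ids: whatever is left after
        # deleting printable characters is binary junk.
        junk=$(printf '%s' "$decoded" | LC_ALL=C tr -d '[:print:]')
        [ -z "$junk" ] || continue
        printf '%s\t%s\n' "$token" "$decoded"
    done
}

# Demo run on the constructed sample; with a saved page use:
#   find_encoded < page.html
printf '%s\n' "$sample_html" | find_encoded
```

The hex id has a valid Base64 length and decodes without error, which is why the printable-text filter is needed on top of the length check.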
Thanks for reading!