
Secrets

  • Description: We have several pages hidden. Can you find the one with the flag?
  • Difficulty: Medium

🔎 Solution

First, access the website and inspect the page source. From there, it can be observed that the asset files are stored under the /secret/ directory.

Enumerating directories with gobuster also reveals this path.

> gobuster dir -u http://saturn.picoctf.net:49988/ -w /usr/share/wordlists/dirb/common.txt

===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://saturn.picoctf.net:49988/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 1023]
/secret (Status: 301) [Size: 169] [--> http://saturn.picoctf.net/secret/]
Progress: 4613 / 4613 (100.00%)
===============================================================
Finished
===============================================================

When visiting this directory, a message appears indicating that we are getting close to finding the flag.

Continuing to inspect the source code, another directory named /hidden/ is discovered. Navigating to /secret/hidden/ leads to a login page. On this page, yet another directory /superhidden/ can be identified.

Finally, accessing /secret/hidden/superhidden/ reveals the flag. The flag text is displayed in white, so it needs to be highlighted to be visible.
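The source-inspection steps above work because each page's asset references spell out the next directory name. As an added example (not part of the original write-up), the following audit lists directories that a site's HTML discloses through stylesheet, script or image references but never through a visible link; the host `example.test` and the file names are constructed assumptions, and only the directory names come from the write-up.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class RefCollector(HTMLParser):
    """Split href/src values into navigation links (<a>) and asset references."""
    def __init__(self):
        super().__init__()
        self.links, self.assets = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                (self.links if tag == "a" else self.assets).append(value)

def dirs_of(page_url, refs):
    """Resolve refs against page_url; return every same-host directory on their paths."""
    host, found = urlparse(page_url).netloc, set()
    for ref in refs:
        target = urlparse(urljoin(page_url, ref))
        if target.netloc != host:
            continue  # third-party asset: says nothing about our layout
        parts = target.path.rsplit("/", 1)[0].strip("/").split("/")
        for i in range(1, len(parts) + 1):
            if parts[0]:  # skip files that sit directly in the web root
                found.add("/" + "/".join(parts[:i]) + "/")
    return found

def unlinked_dirs(site):
    """Directories that only asset references reveal, never a visible <a> link."""
    linked, leaked = set(), set()
    for url, html in site.items():
        collector = RefCollector()
        collector.feed(html)
        linked |= dirs_of(url, collector.links)
        leaked |= dirs_of(url, collector.assets)
    return sorted(leaked - linked)

# Constructed pages: host and file names are assumptions, only the
# /secret/, /hidden/ and /superhidden/ directory names come from the write-up.
SITE = {
    "http://example.test/": '<a href="index.html">Home</a>'
                            '<link rel="stylesheet" href="secret/assets/index.css">',
    "http://example.test/secret/": '<link rel="stylesheet" href="hidden/file.css">',
    "http://example.test/secret/hidden/": '<link rel="stylesheet" href="superhidden/login.css">',
}

if __name__ == "__main__":
    for path in unlinked_dirs(SITE):
        print("disclosed only via asset reference:", path)
```

Any directory this reports is readable by whoever views the page source, so content placed there needs real access control rather than an unlinked path.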

🚩 Flag

picoCTF{succ3ss_@h3n1c@10n_39849bcf}