Description
Try to find the password again. Check the HTML source.
Solution
- Step 1: View the page source
Open the challenge URL and view the source (Ctrl+U). Find the JavaScript that validates the password. The logic will be obfuscated: variables may have random names and strings may be split into pieces.
Client-side password validation is fundamentally insecure because the browser must have the complete validation logic (including the correct password) to check your input. Obfuscation only adds friction, not real security.
Common obfuscation techniques include splitting strings into parts and joining them, using character codes instead of string literals, renaming variables to meaningless names, and reversing strings.
- Step 2: Deobfuscate the JavaScript
Paste the obfuscated JavaScript into an online beautifier (such as beautifier.io) or use browser DevTools. Trace the string operations: look for concatenation, split, reverse, join, or charAt calls that reconstruct the password.
A useful trick: open the browser console and type the name of any variable you see in the obfuscated JS. The console will show you its current value. You can also call the validation function directly with test values to observe its behavior.
If the password is assembled from parts (e.g., var a = 'pic'; var b = 'oCTF';), just concatenate them mentally. Check for array operations too; sometimes the flag is stored as a reversed or shuffled array of characters.
- Step 3: Extract the flag from the JS
Once you understand the string operations, manually execute them (in your head, on paper, or in the browser console) to reconstruct the final password/flag string.
The flag will either be in the standard picoCTF format directly, or it will be the input that passes the validation check. If the JS checks your input against a transformed version, reverse the transformation.
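The two validation patterns described in Steps 2 and 3, as an added example that is not the challenge's real source: a constructed client-side check that hides a made-up sample flag behind split strings, character codes and a reversed string, beside the evaluation that recovers it (the variable names, sample flag and functions are all assumptions for illustration).

```javascript
// Constructed obfuscated validator, in the style the walkthrough describes.
// The secret is split across parts, encoded as char codes, and reversed.
// The flag value is a made-up sample, not the real challenge flag.
var _0xa1 = 'pic';
var _0xb2 = 'oC' + 'TF';
var _0xc3 = String.fromCharCode(123, 115, 52, 109, 112, 108, 51); // "{s4mpl3"
var _0xd4 = '}ylno_'.split('').reverse().join('');               // "_only}"

// Pattern 1: the input is compared directly against the reassembled secret.
// Every piece needed to rebuild it is shipped to the browser.
function checkPassword(input) {
  return input === _0xa1 + _0xb2 + _0xc3 + _0xd4;
}

// Pattern 2: the check compares a transformed input against a stored
// transformed value, so the secret is recovered by inverting the transform.
var _0xe5 = '}ylno_3lpm4s{FTCocip'; // sample secret, stored reversed
function checkTransformed(input) {
  return input.split('').reverse().join('') === _0xe5;
}

// Deobfuscation for pattern 1: evaluate each piece in the order the
// validator does, exactly as typing the variable names into the DevTools
// console would show them.
function recoverFromParts() {
  return [_0xa1, _0xb2, _0xc3, _0xd4].join('');
}

// Deobfuscation for pattern 2: apply the inverse of the transformation to
// the stored value (string reversal is its own inverse).
function recoverFromTransformed() {
  return _0xe5.split('').reverse().join('');
}

// Both recovered values pass the checks they were extracted from, which is
// the point: a client-side check cannot keep the secret from the client.
```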
Flag
picoCTF{...}
The flag is assembled from split string parts in the JavaScript source - concatenate them in the correct order.