Insp3ct0r

Published: April 2, 2026

Description

Kishor Balan tipped us off about a website with something hidden inside. The flag is split across the HTML, CSS, and JavaScript.

Web

Open the provided challenge URL in your browser.

Solution

  1. Step 1: Check the HTML source for part 1
    Right-click the page and select View Page Source (or press Ctrl+U). Scroll through the HTML and look for a comment containing part 1 of the flag.

    HTML comments are denoted by <!-- comment text --> and are invisible in the rendered browser view but fully readable in the page source. Developers use them to leave notes, temporarily disable code, or mark sections for future work. In CTF challenges they are a classic hiding spot for flags or hints.

    Pressing Ctrl+U (or Cmd+U on Mac) opens the raw HTML source in a new browser tab. Alternatively, right-clicking and selecting "View Page Source" does the same. This is distinct from the browser's Developer Tools inspector, which shows the live DOM (which may differ from the original source if JavaScript has modified it). For finding comments, the raw source view is often more reliable.

    In real-world web security, HTML source inspection is the first step in web application reconnaissance. Developers sometimes accidentally leave database names, internal hostnames, API endpoints, version numbers, or even credentials in HTML comments. Always inspect source before proceeding to more advanced techniques.

  2. Step 2: Check the linked CSS file for part 2
    In the page source, find the <link> tag pointing to the stylesheet. Open that CSS file URL directly. Look for a comment containing part 2 of the flag.

    CSS comments use the /* comment */ syntax and are equally invisible in the rendered page but readable in the stylesheet source. External stylesheets are referenced via <link rel="stylesheet" href="/path/to/style.css"> in the HTML head. You can navigate to the CSS file URL directly in your browser to read its full contents including any comments.

    External CSS files are fetched by the browser as separate HTTP requests. In browser DevTools (F12), the Network tab shows all resources the page loads -- stylesheets, scripts, images, fonts, API calls -- making it easy to enumerate everything included in a page. The Sources tab lets you browse and read all loaded files directly within DevTools.

    From a security perspective, CSS files can reveal internal path structures, framework versions (from file paths or comments), and occasionally sensitive data. CSS preprocessor source maps (.css.map files) can expose original SCSS/LESS source, which sometimes contains more context about the application's structure.

  3. Step 3: Check the JavaScript file for part 3
    Find the <script> tag pointing to an external JS file. Open that URL. Look for a comment containing part 3 of the flag. Concatenate all three parts to form the complete flag.

    JavaScript comments come in two forms: single-line (// comment) and multi-line (/* comment */). External JS files referenced via <script src="/path/to/script.js"></script> can be read by navigating to their URL directly in the browser or by viewing them in the DevTools Sources panel.

    JavaScript files are often a goldmine in web security assessments. Beyond comments, JS files may contain hardcoded API keys, internal endpoint URLs, client-side authentication logic, hidden form parameters, and debug functionality left in production. Source maps (.js.map files) can expose the original unminified TypeScript or framework source, which is even more readable.

    The pattern of splitting a flag (or secret) across multiple files is a teaching device, but it mirrors real-world reconnaissance: sensitive data is rarely all in one obvious place. Thorough enumeration of all page resources -- HTML, CSS, JS, images, API responses -- is standard practice in web application penetration testing. Browser DevTools, Burp Suite, and tools like wget --mirror or httrack help automate this enumeration.
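The three steps above can be scripted, which is also how a developer would check a site for leaked comments before shipping it. The following Python is an added example, not part of this writeup or of the challenge's files: it works on a constructed in-memory copy of a site (the paths /index.html, /mycss.css and /myjs.js and the placeholder fragments are invented), finds the stylesheet and script the page links, pulls the comments out of each resource in source order, and concatenates the fragments that follow "flag:" or "part N:". The fetch function is a stand-in for a real HTTP request.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample site for offline use (NOT the challenge's real files):
# an HTML page plus the stylesheet and script it links, each carrying one
# comment that leaks a fragment of a placeholder secret.
SITE: Dict[str, str] = {
    "/index.html": """<!DOCTYPE html>
<html><head>
  <title>Demo</title>
  <link rel="stylesheet" href="/mycss.css">
  <script src="/myjs.js"></script>
</head><body>
  <h1>Welcome</h1>
  <!-- Html is neat. Anyway have 1/3 of the flag: picoCTF{part1_ -->
</body></html>""",
    "/mycss.css": """body { color: #333; }
/* CSS makes the page look nice, and yes, it has part 2: part2_ */
h1 { font-size: 2em; }""",
    "/myjs.js": """// JavaScript is so cool. Part 3: part3}
const api = "https://example.invalid/api"; // not a secret
function greet() { return "hello"; }
/* TODO: remove debug before release */""",
}


def fetch(path: str) -> str:
    """Hypothetical fetcher that reads from the in-memory SITE. Against a
    live site you would use urllib.request.urlopen(url).read() instead."""
    return SITE[path]


# Tag/attribute parsing for <link ...> and <script ...>. Good enough for
# ordinary markup; a production scanner would use a real HTML parser.
TAG = re.compile(r"<(link|script)\b([^>]*)>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")

HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
CSS_COMMENT = re.compile(r"/\*(.*?)\*/", re.S)
# JS: block comments, or line comments whose '//' is not part of a URL scheme
# such as "https://" (a heuristic; a '//' inside a string could still fool it).
JS_COMMENT = re.compile(r"/\*(.*?)\*/|(?<!:)//([^\n]*)", re.S)

# A fragment is the token that follows "flag:" or "part N:" in a comment.
FRAGMENT = re.compile(r"(?:flag|part\s*\d)\s*:\s*(\S+)", re.I)


def linked_resources(html: str) -> List[str]:
    """Stylesheet hrefs and script srcs, in document order."""
    found: List[str] = []
    for name, attrs in TAG.findall(html):
        a = {k.lower(): v for k, v in ATTR.findall(attrs)}
        if name.lower() == "link" and a.get("rel", "").lower() == "stylesheet" and "href" in a:
            found.append(a["href"])
        elif name.lower() == "script" and "src" in a:
            found.append(a["src"])
    return found


def extract_comments(path: str, body: str) -> List[str]:
    """Comments in one resource, chosen by file type, in source order."""
    if path.endswith(".css"):
        return [c.strip() for c in CSS_COMMENT.findall(body)]
    if path.endswith(".js"):
        # findall returns (block, line) tuples; exactly one side is filled.
        return [(block or line).strip() for block, line in JS_COMMENT.findall(body)]
    return [c.strip() for c in HTML_COMMENT.findall(body)]


def scan_site(fetch_fn: Callable[[str], str], entry: str = "/index.html") -> List[Tuple[str, str]]:
    """Steps 1-3 of the writeup: comments in the page itself, then in each
    linked stylesheet and script. Returns (resource, comment) pairs."""
    html = fetch_fn(entry)
    findings = [(entry, c) for c in extract_comments(entry, html)]
    for res in linked_resources(html):
        findings.extend((res, c) for c in extract_comments(res, fetch_fn(res)))
    return findings


def assemble_flag(findings: List[Tuple[str, str]]) -> str:
    """Concatenate the fragments in the order the resources were scanned."""
    parts: List[str] = []
    for _, comment in findings:
        m = FRAGMENT.search(comment)
        if m:
            parts.append(m.group(1))
    return "".join(parts)


if __name__ == "__main__":
    found = scan_site(fetch)
    for resource, comment in found:
        print(f"{resource}: {comment}")
    print("assembled:", assemble_flag(found))
```

The scan reports every comment, not only the ones carrying fragments, because from an audit standpoint the "TODO: remove debug before release" note is just as interesting as the flag. Inline `<style>` and `<script>` bodies and source maps are not covered here; extending extract_comments to those is the natural next step.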

Flag

picoCTF{...}

Web developers frequently leave comments in HTML/CSS/JS that expose internal notes -- in CTFs those comments often contain flags split across multiple files.
