Description
This website can be found at the challenge URL. But you can only view it with the picobrowser.
Solution
Walk me through it- Step 1Understand the User-Agent checkVisit the challenge URL in a normal browser. You will see a message saying the page can only be accessed with 'picobrowser'. The server checks the User-Agent HTTP header to determine what browser you are using.
Learn more
The User-Agent header is sent by browsers to identify themselves to web servers. It is part of every HTTP request and looks like:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36.... Servers can use it to serve different content for different browsers or devices.However, the User-Agent is completely controlled by the client - any HTTP tool can send any string as the User-Agent. It is not a security mechanism.
- Step 2Send the request with the picobrowser User-AgentUse curl with the -A flag to set a custom User-Agent string. Set it to 'picobrowser' to satisfy the server check.bash
curl -A 'picobrowser' <CHALLENGE_URL>Learn more
The
-A(or--user-agent) flag in curl sets the User-Agent header. You can also use-H 'User-Agent: picobrowser'which works the same way.In browser DevTools, you can override the User-Agent under the Network conditions panel (or via a browser extension) and then reload the page - no curl needed.
- Step 3Read the flag from the responseThe curl response will contain the HTML of the page with the flag. Look for it in the output.
Learn more
User-Agent sniffing is used legitimately for responsive design and bot detection, but relying on it as a security gate is a common misconfiguration. Any attacker can trivially spoof the User-Agent string.
Flag
picoCTF{...}
Use `curl -A 'picobrowser' <url>` to set the User-Agent header to 'picobrowser' and receive the flag.