Description
This website can be found at the challenge URL. But you can only view it with the picobrowser.
Solution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Understand the User-Agent checkObservationI noticed the challenge description said the site can only be viewed with 'picobrowser', which suggested the server was checking an HTTP header to identify the client's browser rather than enforcing any real authentication.Visit the challenge URL in a normal browser. You will see a message saying the page can only be accessed with 'picobrowser'. The server checks the User-Agent HTTP header to determine what browser you are using.Learn more
The User-Agent header is sent by browsers to identify themselves to web servers. It is part of every HTTP request and looks like:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36.... Servers can use it to serve different content for different browsers or devices.However, the User-Agent is completely controlled by the client - any HTTP tool can send any string as the User-Agent. It is not a security mechanism.
Step 2
Send the request with the picobrowser User-AgentObservationI noticed the rejection message confirmed the server was reading the User-Agent header, and the challenge name 'picobrowser' was the exact string the server expected, which suggested setting the User-Agent to 'picobrowser' via curl's -A flag.Use curl with the -A flag to set a custom User-Agent string. Set it to 'picobrowser' to satisfy the server check.bashcurl -A 'picobrowser' <CHALLENGE_URL>What didn't work first
Tried: Use curl without any -A flag and just visit the URL directly
Without -A, curl sends its default User-Agent (something like 'curl/7.x.x'), which the server does not recognize as picobrowser and returns the 'wrong browser' rejection page instead of the flag. The server is gating on the exact User-Agent string, so the flag is only returned when the header matches.
Tried: Use -H 'User-Agent: PicoBrowser' with capital letters or extra spaces
The server compares the User-Agent value case-sensitively, so 'PicoBrowser' or 'picobrowser ' (trailing space) will not match and the page will still show the rejection message. The value must be exactly 'picobrowser' as the challenge name implies.
Learn more
The
-A(or--user-agent) flag in curl sets the User-Agent header. You can also use-H 'User-Agent: picobrowser'which works the same way.In browser DevTools, you can override the User-Agent under the Network conditions panel (or via a browser extension) and then reload the page - no curl needed.
Step 3
Read the flag from the responseObservationI noticed curl returned the full HTML of the protected page once the correct User-Agent was sent, which meant the flag would be embedded in that output and just needed to be located in the response body.The curl response will contain the HTML of the page with the flag. Look for it in the output.Learn more
User-Agent sniffing is used legitimately for responsive design and bot detection, but relying on it as a security gate is a common misconfiguration. Any attacker can trivially spoof the User-Agent string.
Interactive tools
- URL Encoder / DecoderEncode and decode URL-encoded (percent-encoded) strings. Useful for web exploitation challenges involving query parameters, form data, and HTTP headers.
- JWT DecoderDecode JSON Web Tokens and inspect the header, payload, and signature. Useful for web exploitation challenges.
Flag
Reveal flag
picoCTF{p1c0_s3cr3t_ag3nt_...}
Use `curl -A 'picobrowser' <url>` to set the User-Agent header to 'picobrowser' and receive the flag.