Description
There is some interesting information hidden around this site. Find all the pieces of the flag.
Setup
Navigate to the challenge URL.
```bash
# Open the challenge URL in your browser
```

Solution
The chain is robots.txt → .htaccess → .DS_Store. Skip a step and you miss the breadcrumb pointing to the next location.

Step 1 (Part 1: HTML source)
View the page source (Ctrl+U or right-click > View Page Source). Find a comment containing the first part of the flag:

picoCTF{....

Step 2 (Part 2: CSS file)
The HTML links to a CSS file at /mycss.css. Open it and look for a comment. It contains the second part: h4ts_4_l0

```bash
curl -s http://<server>/mycss.css
```

Step 3 (Part 3: JavaScript file and robots.txt)
The HTML also links to /myjs.js. A comment there hints to check robots.txt. Open /robots.txt and find the third part: t_0f_pl4c

```bash
curl -s http://<server>/myjs.js
curl -s http://<server>/robots.txt
```

Learn more
robots.txt is a file at the root of a web server that tells search engine crawlers which URLs to index or avoid. Anyone can fetch it, and it is routinely checked during web CTF recon because it often reveals hidden paths or admin areas the site owner does not want indexed but has not actually protected.

Sample contents. A robots.txt entry that exposes the next breadcrumb looks like this:

```
User-agent: *
Disallow: /.htaccess
# Part 3: t_0f_pl4c
```

The Disallow path is a hint, not a defense: search engines respect it, attackers do not.

Step 4 (Part 4: .htaccess)
robots.txt hints at an Apache server configuration file. Check /.htaccess. It contains the fourth part: 3s_2_lO0k

```bash
curl -s http://<server>/.htaccess
```

Learn more
.htaccess is an Apache per-directory configuration file. It can define URL rewrite rules, authentication requirements, custom headers, and password protection (AuthType Basic). Apache reads it on every request to the directory it lives in. Out of the box, Apache answers direct fetches of .ht* files with a 403 because the main config carries a <Files ".ht*"> block with Require all denied, but plenty of distributions and tutorials drop that protection, exposing the server's internal rewrite/auth logic; forgetting that deny block is the usual misconfiguration.

Step 5 (Part 5: .DS_Store)
.htaccess hints at a Mac-specific file. Request /.DS_Store; this macOS metadata file is sometimes accidentally uploaded to web servers. The file is binary, so do not just cat it; pull plain text out with strings.

```bash
curl -s http://<server>/.DS_Store -o ds_store.bin
strings ds_store.bin | grep picoCTF
```

Learn more
.DS_Store files are created by macOS Finder to store folder view settings (icon positions, column widths, etc.) in a proprietary binary format. When developers deploy websites from a Mac without a .gitignore entry for .DS_Store, these files get uploaded to the server alongside the actual web content. They can leak directory structure and file listings; tools like ds_store_exp parse them to reconstruct entire directory trees. For a flag check, strings is enough. Note that .DS_Store stores filenames as UTF-16BE interleaved with metadata, and GNU strings only scans for single-byte characters by default, so add -e b if you also want to see which filenames an exposed copy gives away.
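As an added illustration (not part of the original writeup), a small Python audit helper that lists the filenames a leaked .DS_Store gives away by scanning for the length-prefixed UTF-16BE filename records described above; the function names are my own and the sample bytes are constructed rather than taken from a real file.

```python
"""List the filenames a leaked .DS_Store gives away (defender-side audit).

Each record is: big-endian u32 character count, the filename as UTF-16BE,
a 4-byte structure id (e.g. b"Iloc", b"bwsp"), a 4-byte value type, then
the value. Scanning for that shape (rather than walking the file's B-tree)
is enough to see the listing an exposed copy reveals. Sample is constructed.
"""
import re
import struct
from typing import List

RECORD_TYPES = {b"blob", b"bool", b"comp", b"dutc", b"long", b"shor", b"type", b"ustr"}
STRUCT_ID = re.compile(rb"[A-Za-z0-9]{4}")

def leaked_filenames(blob: bytes) -> List[str]:
    """Return the distinct filenames found in record headers, in file order."""
    names: List[str] = []
    i = 0
    while i + 4 <= len(blob):
        n = struct.unpack_from(">I", blob, i)[0]   # character count
        end = i + 4 + 2 * n                          # end of the UTF-16BE name
        if (1 <= n <= 255 and end + 8 <= len(blob)
                and STRUCT_ID.fullmatch(blob[end:end + 4])
                and blob[end + 4:end + 8] in RECORD_TYPES):
            try:
                name = blob[i + 4:end].decode("utf-16-be")
            except UnicodeDecodeError:
                name = ""
            if name and name.isprintable():
                if name not in names:
                    names.append(name)
                i = end + 8       # skip the structure id and value type
                continue
        i += 1                    # no record starts here; slide one byte
    return names

def make_record(name: str, struct_id: bytes, rtype: bytes, value: bytes) -> bytes:
    """Build one record in the layout above (used only to construct the sample)."""
    return struct.pack(">I", len(name)) + name.encode("utf-16-be") + struct_id + rtype + value

# Constructed sample: a header-like prefix ("Bud1" magic) followed by three records.
SAMPLE_DS_STORE = (
    b"\x00\x00\x00\x01Bud1" + b"\x00" * 28
    + make_record("index.html", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
    + make_record("admin_backup.zip", b"Iloc", b"blob", struct.pack(">I", 16) + b"\x00" * 16)
    + make_record(".", b"bwsp", b"blob", struct.pack(">I", 4) + b"\x00" * 4)
)
```

Running `leaked_filenames(SAMPLE_DS_STORE)` returns the three names in file order; pointing it at a real downloaded .DS_Store shows what a misconfigured server is publishing about the directory.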
Flag
picoCTF{...}
Hidden server files like .htaccess and .DS_Store are often accidentally accessible on misconfigured servers - each file in this challenge hints at the next.