Scavenger Hunt

Published: April 2, 2026

Description

There is some interesting information hidden around this site. Find all the pieces of the flag.

Remote

Navigate to the challenge URL.

# Open the challenge URL in your browser

Solution

  1. Part 1: HTML source
    View the page source (Ctrl+U or right-click > View Page Source). This is the raw HTML the server returned, not the DOM after scripts have run, so it is the same thing curl would show. Find a comment containing the first part of the flag: `picoCTF{...}`.
  2. Part 2: CSS file
    The HTML links to a CSS file at /mycss.css. Open it and look for a comment. It contains the second part: h4ts_4_l0
    curl -s http://<server>/mycss.css
  3. Part 3: JavaScript file and robots.txt
    The HTML also links to /myjs.js. A comment there hints to check robots.txt. Open /robots.txt and find the third part: t_0f_pl4c
    curl -s http://<server>/myjs.js
    curl -s http://<server>/robots.txt
    Learn more

    robots.txt is a file at the root of a web server that asks well-behaved crawlers which paths not to crawl. Compliance is entirely voluntary and the file is world-readable, so a Disallow entry advertises a path rather than protecting it. That is why it is one of the first things checked during web CTF recon: it often lists hidden paths or admin areas the site owner does not want indexed -- but has not actually protected.

  4. Part 4: .htaccess
    robots.txt hints at an Apache server configuration file. Check /.htaccess. It contains the fourth part: 3s_2_lO0k
    curl -s http://<server>/.htaccess
    Learn more

    .htaccess is an Apache per-directory configuration file. It can define URL rewrite rules, authentication requirements (including the path to the .htpasswd file that holds credentials), and custom headers. On misconfigured servers it is publicly readable -- a security risk, since it exposes the server's internal routing logic and the names of files it protects. A correctly configured Apache denies direct access to any file beginning with .ht and answers with 403 Forbidden; the stock httpd.conf ships with that rule, so a readable .htaccess usually means the server is not Apache at all (a static file server or reverse proxy in front of it) or someone removed the default.

  5. Part 5: .DS_Store
    .htaccess hints at a Mac-specific file. Request /.DS_Store -- this macOS metadata file is sometimes accidentally uploaded to web servers. It contains the final part of the flag: _f7ce8828}
    curl -s http://<server>/.DS_Store
    Learn more

    .DS_Store files are created by macOS Finder to store folder view settings (icon positions, column widths, etc.) and, as a side effect, the names of the files in that folder. When a site is deployed by copying a working directory from a Mac (or committed without a .gitignore entry for .DS_Store), these files end up on the server alongside the actual web content. Because they list the directory's entries, they leak file and subdirectory names that directory listing would otherwise hide. The file is binary, so look at it with strings -el (filenames are stored as UTF-16BE) rather than cat; tools like ds_store_exp parse the entries and recursively fetch the .DS_Store of each listed subdirectory to reconstruct the whole tree.
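    The server-side view of the same problem. The following Apache 2.4 configuration fragment is an added example, not part of the challenge or its write-up: the `.ht*` block is what the stock httpd.conf ships, and the two Match blocks extend it to every dotfile and dotdirectory (so .DS_Store, .git/ and .env would all get the same 403 as .htaccess).

```apache
# Added example config: refuse to serve the leftover files this challenge relies on.

# Shipped default: .htaccess and .htpasswd themselves are never served.
<Files ".ht*">
    Require all denied
</Files>

# Extension: deny every dotfile (.DS_Store, .env, ...) ...
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# ... and every dotdirectory (.git/, .svn/, ...).
<DirectoryMatch "/\.">
    Require all denied
</DirectoryMatch>

# robots.txt has to stay readable; the fix there is to not list paths you actually
# want hidden, not to block the file.
```

    Two caveats: `Require` is Apache 2.4 syntax (2.2 used `Order`/`Deny`), and the `DirectoryMatch` rule also covers /.well-known/, which must be exempted if the host answers ACME HTTP-01 challenges or serves other well-known URIs. Note that none of this helps when another web server or a reverse proxy serves the static files directly and never consults Apache's rules.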

Flag

picoCTF{...}

Hidden server files like .htaccess and .DS_Store are often accidentally accessible on misconfigured servers -- each file in this challenge hints at the next, but on a real target nothing does, so probing for these leftovers is a standard recon step regardless.
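The steps above, scripted. This is an added example and not code from the challenge or the write-up: it fetches the front page, follows whatever CSS and JS the page links, pulls out every comment, then probes the leftover files (the three named in the hints plus /.git/HEAD and /.env, two other common ones) and applies a strings-style scan to the binary .DS_Store. serve_demo_site() stands up a throwaway local site with constructed files and made-up flag pieces so the whole thing runs offline; the .DS_Store bytes it writes are a stand-in, not the real format.

```python
"""Automated pass over the Scavenger Hunt chain (added example, constructed demo site)."""
from __future__ import annotations

import re
import tempfile
import threading
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler
from pathlib import Path
from urllib.error import HTTPError
from urllib.request import urlopen

# Comment syntaxes the pieces hide in: HTML, CSS/JS block comments, JS line comments.
COMMENT_RE = re.compile(r"<!--(.*?)-->|/\*(.*?)\*/|^[ \t]*//([^\n]*)", re.S | re.M)
ASSET_RE = re.compile(r'(?:href|src)="(/[^"]+\.(?:css|js))"')
# Leftover files worth probing on any target; the challenge's hints name the first three.
CANDIDATE_PATHS = ["/robots.txt", "/.htaccess", "/.DS_Store", "/.git/HEAD", "/.env"]


def extract_comments(text: str) -> list[str]:
    """Stripped body of every HTML/CSS/JS comment in text, in document order."""
    return [next(g for g in m.groups() if g is not None).strip()
            for m in COMMENT_RE.finditer(text)]


def hash_lines(text: str) -> list[str]:
    """The lines that matter in robots.txt / .htaccess: '#' comments and Disallow entries."""
    return [line.strip() for line in text.splitlines()
            if line.lstrip().startswith(("#", "Disallow:"))]


def printable_runs(data: bytes, min_len: int = 6) -> list[str]:
    """strings(1)-style extraction for a binary leftover: ASCII runs, then UTF-16BE runs
    (macOS stores .DS_Store filenames as UTF-16BE, which `strings -el` would show)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:\x00[\x20-\x7e]){%d,}" % min_len)
    return ([r.decode() for r in ascii_re.findall(data)]
            + [r.decode("utf-16-be") for r in utf16_re.findall(data)])


def fetch(base: str, path: str) -> tuple[int, bytes]:
    """GET base+path; a 4xx comes back as a status code instead of an exception."""
    try:
        with urlopen(base + path) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, b""


def scavenge(base: str) -> dict[str, list[str]]:
    """Walk the chain the write-up follows by hand. Returns path -> interesting strings;
    a probed leftover that the server refuses or lacks maps to an empty list."""
    found: dict[str, list[str]] = {}
    _, html_bytes = fetch(base, "/")
    html = html_bytes.decode(errors="replace")
    found["/"] = extract_comments(html)
    for path in ASSET_RE.findall(html):          # stylesheets and scripts the page links
        status, body = fetch(base, path)
        if status == 200:
            found[path] = extract_comments(body.decode(errors="replace"))
    for path in CANDIDATE_PATHS:
        status, body = fetch(base, path)
        if status != 200:
            found[path] = []                      # 403/404: note it and move on
        elif path == "/.DS_Store":
            found[path] = printable_runs(body)    # binary, so strings-style
        else:
            found[path] = hash_lines(body.decode(errors="replace"))
    return found


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):                 # keep the demo's stderr clean
        pass


def serve_demo_site() -> str:
    """Start a throwaway static server on a constructed site and return its base URL.
    The stock http.server hands out .htaccess and .DS_Store exactly like a misconfigured host."""
    root = Path(tempfile.mkdtemp())
    files = {
        "index.html": ('<html><head><link rel="stylesheet" href="/mycss.css">'
                       '<script src="/myjs.js"></script></head>'
                       '<body><!-- Part 1: picoCTF{demo_ --></body></html>'),
        "mycss.css": "/* Part 2: p4rt_tw0_ */\nbody { color: #000; }\n",
        "myjs.js": "// Part 3 is where crawlers are told not to go\nconsole.log('hi');\n",
        "robots.txt": "User-agent: *\nDisallow: /secret/\n# Part 3: th1rd_\n",
        ".htaccess": "# Part 4: f0urth_\nOptions -Indexes\n",
        # Stand-in, not the real layout: a magic-like prefix, one UTF-16BE filename, an ASCII note.
        ".DS_Store": (b"Bud1\x00\x00\x00\x00" + "notes.txt".encode("utf-16-be")
                      + b"\x00\x00\x00\x0ePart 5: f1fth}\x00"),
    }
    for name, content in files.items():
        (root / name).write_bytes(content if isinstance(content, bytes) else content.encode())
    server = HTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=str(root)))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    for path, hits in scavenge(serve_demo_site()).items():
        print(f"{path:12} {hits if hits else '(not served)'}")
```

Against the real challenge, call scavenge("http://<server>") instead of the demo URL; the output still needs a human to read the comments and order the pieces, since the hints are prose. The two extra probes show the intended contrast: a missing or properly denied file reports nothing, a leaked one reports its contents.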
