picoCTF Solutions
picoCTF 2021Web ExploitationMedium

Startup Company picoCTF 2021 Solution

Published: April 2, 2026

Description

Use a search engine to find the flag. Connect to the HTTP service and look around carefully.

Setup

Connect to the provided URL or nc endpoint and retrieve the page.

bash
curl http://mercury.picoctf.net:<PORT_FROM_INSTANCE>/

Solution

Walk me through it
  1. Step 1Fetch the page and inspect the source
    Use curl to retrieve the raw HTML of the page. The flag is hidden in an HTML comment or embedded in the page source in a non-visible location.
    bash
    curl -s http://mercury.picoctf.net:<PORT_FROM_INSTANCE>/ | grep -i pico
    bash
    # Extract just the contents of every HTML comment, multiline-safe:
    bash
    curl -s http://mercury.picoctf.net:<PORT_FROM_INSTANCE>/ \
  | grep -oP '<!--\K[^-]*(?=-->)'
    Learn more

    HTML comments are one of the simplest hiding spots in web CTF challenges. They are delimited by <!-- comment text --> and are completely invisible when viewing a rendered page in a browser, but are fully visible in the raw HTML source.

    Always check the page source when looking for hidden web content. In a browser you can press Ctrl+U (or Cmd+U on macOS) to view raw source. From the command line, curl retrieves the exact bytes the server sends - no rendering, no hiding.

    Other common hiding spots: JavaScript source files (linked via <script src="...">), CSS files, HTTP response headers (especially custom headers like X-Flag), and robots.txt. Always check all of these in web challenges.

  2. Step 2Check HTTP response headers
    Some challenges hide the flag in a custom HTTP response header rather than the body. Use curl -I or curl -v to see all response headers.
    bash
    curl -I http://mercury.picoctf.net:<PORT_FROM_INSTANCE>/
    Learn more

    HTTP headers are key-value pairs sent by the server before the response body. Standard headers include Content-Type, Server, and Set-Cookie. Servers can also send completely custom headers. Common CTF custom-header names to check: X-Flag, X-picoCTF, Set-Flag, X-Hidden, X-Easter-Egg. The -I flag fetches headers only (HEAD request); -v shows full request and response headers alongside the body.

Flag

picoCTF{...}

The flag was hidden in the HTML source - either in a comment or an HTTP header - and was not visible on the rendered page but trivially found with curl or View Source.

Want more picoCTF 2021 writeups?

Browse picoCTF 2021Full library

Useful tools for Web Exploitation

Related reading

What to try next