Who are you? picoCTF 2021 Solution

Published: April 2, 2026

Description

Only those who use the official PicoBrowser are allowed on this site.

Remote

Access the challenge URL and observe what the server demands.

bash
curl http://mercury.picoctf.net:38322/
  1. Step 1: Set the User-Agent to picobrowser
    The server checks User-Agent first. Set it to picobrowser. Each failed check returns the next requirement in plain text.
    bash
    curl --user-agent "picobrowser" http://mercury.picoctf.net:38322/

    The User-Agent header identifies the client software. Servers cannot trust it, because the client sets it freely. The check responses look something like:

    # Wrong UA
    "Sorry, you can only access this server with picobrowser."
    
    # Right UA, wrong Referer
    "Sorry, you can only access this website by clicking through from our official site."
    
    # Right UA + Referer, wrong Date
    "Sorry, this site only worked in 2018."

    Each error message points at the next required header. Read it carefully and add one header per request. See web bug patterns for why header-based access controls always lose.

  2. Step 2: Add Referer, Date, DNT, XFF, Accept-Language
    Six checks total. Add each header one at a time, reading the next error message between requests. The full set: Referer matches the site itself, Date in 2018, DNT 1, X-Forwarded-For from a Swedish IP, Accept-Language Swedish.
    bash
    curl http://mercury.picoctf.net:38322/ \
      --user-agent "picobrowser" \
      --referer "http://mercury.picoctf.net:38322/" \
      -H "Date: Mon, 23 11 2018 23:23:23 GMT" \
      -H "DNT: 1" \
      -H "X-Forwarded-For: 2.71.255.255" \
      -H "Accept-Language: sv-SE"

    Why a Swedish IP? The error message names Sweden. Confirm an IP's country with a quick whois lookup or a MaxMind GeoIP query. Swedish ISP allocations sit in the range from 2.71.0.0/16 up to 5.150.0.0; 2.71.255.255 works because it falls in TeliaSonera's assignment. Any IP that GeoIP resolves to SE passes.

    HTTP headers, by purpose:

    • Referer: the URL the client came from. Same-origin check here.
    • Date: request time. Server checks the year is 2018.
    • DNT: Do Not Track. 1 requests no tracking.
    • X-Forwarded-For: original client IP through a proxy. The server uses this for geo-restriction (a Swedish IP passes).
    • Accept-Language: preferred response language. sv-SE for Sweden.

    Case sensitivity. HTTP header names are case-insensitive (User-Agent, user-agent, and USER-AGENT all match). Values are case-sensitive: picobrowser and PicoBrowser are different strings as far as a strict equality check is concerned. Match the exact value the server demands.

Flag

picoCTF{...}

The server validates six HTTP headers in sequence. Each wrong header reveals the next requirement, making this a progressive enumeration challenge.
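The six-check sequence, and the header-name versus header-value case rule from Step 2, modeled as an added Python example that is not part of the original writeup or of the challenge's own server code. The check order and the three quoted messages come from the page; the GeoIP stand-in, the three placeholder messages for the later checks, and the year-substring test for Date are assumptions.

```python
from ipaddress import ip_address, ip_network
# Constructed model of the server-side checks in the order the writeup observes
# them; the challenge's real code is not on the page, so this is an assumption.
SITE = "http://mercury.picoctf.net:38322/"
SWEDISH_RANGES = [ip_network("2.71.0.0/16")]  # stand-in for a GeoIP lookup (assumption)
SOLVING_HEADERS = {  # the curl command's headers, in the order the server checks them
    "User-Agent": "picobrowser",
    "Referer": SITE,
    "Date": "Mon, 23 11 2018 23:23:23 GMT",
    "DNT": "1",
    "X-Forwarded-For": "2.71.255.255",
    "Accept-Language": "sv-SE",
}

def normalize(headers):
    """Header names are case-insensitive, so fold them; values stay verbatim."""
    return {name.lower(): value for name, value in headers.items()}

def geoip_is_sweden(ip):
    try:
        return any(ip_address(ip) in net for net in SWEDISH_RANGES)
    except ValueError:  # missing or malformed address
        return False

def check_request(raw_headers):
    """Return the first failing check's message, or None when all six pass."""
    h = normalize(raw_headers)
    # The writeup's Date value is not a valid HTTP-date (the month must be a name
    # such as "Nov"), so the server evidently looks for the year string instead.
    checks = [
        (h.get("user-agent") == "picobrowser",
         "Sorry, you can only access this server with picobrowser."),
        (h.get("referer") == SITE,
         "Sorry, you can only access this website by clicking through from our official site."),
        ("2018" in h.get("date", ""), "Sorry, this site only worked in 2018."),
        # The page does not quote the last three messages; these are placeholders.
        (h.get("dnt") == "1", "[placeholder] DNT must be 1"),
        (geoip_is_sweden(h.get("x-forwarded-for", "")), "[placeholder] must come from Sweden"),
        (h.get("accept-language", "").startswith("sv"), "[placeholder] must prefer Swedish"),
    ]
    return next((msg for ok, msg in checks if not ok), None)

def walk_checks(headers=SOLVING_HEADERS):
    """Add one header per request and collect the message each partial request gets."""
    partial, messages = {}, []
    for name, value in headers.items():
        messages.append(check_request(partial))
        partial[name] = value
    messages.append(check_request(partial))  # None once every check is satisfied
    return messages
```

walk_checks() reproduces the progressive enumeration: each partial request yields the next requirement and the complete set yields None, which is why a gate built only on client-supplied headers is satisfied by anyone who reads the error messages.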
