Writeup in progress
Currently making the solution for X marks the spotand the walkthrough will be published here as soon as it's ready.
Check back soon - or follow our latest updates on the homepage- to be notified when the full writeup goes live.
X marks the spot
Published: April 2, 2026
Want more picoCTF 2021 writeups?
Useful tools for Web Exploitation
- URL Encoder / DecoderEncode and decode URL-encoded (percent-encoded) strings. Useful for web exploitation challenges involving query parameters, form data, and HTTP headers.
- JWT DecoderDecode JSON Web Tokens and inspect the header, payload, and signature. Useful for web exploitation challenges.
- Base64 & Base32 DecoderDecode Base64 and Base32 strings with auto-detection. Multi-layer mode unwraps nested encodings automatically.
Related reading
- SQL Injection for CTF: From Authentication Bypass to Data ExtractionA practical guide to SQL injection techniques used in CTF competitions: authentication bypass, UNION-based extraction, blind SQLi, NoSQL injection, and sqlmap automation - with picoCTF challenge links throughout.
- File Upload ExploitationComplete guide to file upload vulnerabilities, exploitation techniques, bypass methods, web shells, and defensive strategies. Learn through practical picoCTF challenge and real-world scenarios.
- Beginner's Guide to Netcat for CTFsA beginner-friendly guide to using netcat (nc) in CTF competitions: connecting to challenge servers, piping payloads, automating with Python pwntools, and reading challenge output.
What to try next
- Web ExploitationHard
ORDER ORDER
Register with a UNION SELECT SQL injection payload as your username. When reports are generated, the injection extracts the flag from a hidden table.
- Web ExploitationHard
paper-2
Chain an XSLT injection with a Redis LRU side-channel to exfiltrate the admin's secret from this hardened web app.
- Web ExploitationHard
Pachinko Revisited
Return to the Pachinko exhibit and dig deeper into the server artifacts to capture the elusive second flag.
- Web ExploitationHard
secure-email-service
A hardened email service with multiple security layers. Chain SSRF and template injection to pivot internally and exfiltrate the flag.
- Web ExploitationHard
elements
A periodic-table themed web app with a multi-step server-side vulnerability. Chain SSTI or injection to traverse restricted paths and extract the flag.