picoCTF Solutions
picoCTF 2022Web ExploitationEasy

Includes

Published: July 20, 2023Updated: December 9, 2025

Description

Another static page hides information across the files it includes. Inspect each asset referenced in DevTools to stitch together the full flag.

Setup

Visit challenge

Open the site in your browser and launch the developer tools (F12).

Look under the Sources tab to view index.html, script.js, and style.css.

Each static file reveals part of the flag; concatenate them in order.

Solution

  1. Step 1Collect the CSS portion
    style.css contains the first half of the flag inside a comment.
  2. Step 2Collect the JS portion
    script.js holds the remaining characters. Join the two strings to form the full picoCTF flag.

Flag

picoCTF{1nclu51v17y_1of2_f7w_2of2_6ede...}

Anything sent to the client can be recovered-never trust obscurity inside frontend assets.