Includes

Published: July 20, 2023

Description

Another static page hides information across the files it includes. Inspect each asset referenced in DevTools to stitch together the full flag.

Open the site in your browser and launch the developer tools (F12).

Look under the Sources tab to view index.html, script.js, and style.css.

Each static file reveals part of the flag; concatenate them in order.

Solution

  1. Step 1: Collect the CSS portion
    style.css contains the first half of the flag inside a comment.

    CSS comments use the /* ... */ syntax and are stripped by browsers before rendering; they are intended for developer notes and have no visual effect. However, they are fully visible in the stylesheet source, making them a poor hiding place for any sensitive data.

    Browser developer tools (F12) expose every resource a page loads: HTML, CSS, JavaScript, images, fonts, and network requests. The Sources tab shows each file with syntax highlighting; the Network tab shows every HTTP request and response including headers and payloads. Together they give you complete visibility into everything the server sends to the client.

    This is a fundamental principle of web security: anything sent to the client is visible to the client. Sensitive logic (authentication checks, business rules, secret keys) must live server-side. Hiding data in comments, minified code, or obfuscated scripts provides no real protection against an inspector-equipped browser.

  2. Step 2: Collect the JS portion
    script.js holds the remaining characters. Join the two strings to form the full picoCTF flag.

    JavaScript comments use // for single-line and /* */ for multi-line, identical to CSS and similar to most C-family languages. Like CSS comments, they are sent to the browser as part of the response and are fully readable in DevTools, or by simply fetching the file with curl or wget.

    Splitting the flag across multiple files adds a small layer of friction: you have to look in two places instead of one. In real security assessments, sensitive data is sometimes split across config files, environment variables, and databases in an attempt to limit exposure if any single file leaks. But when all the pieces are on the same server and served to the same client, the protection is minimal.

    Challenges like this one train the habit of thoroughly reviewing all assets a page loads, not just the HTML. In real web pentesting, JavaScript files frequently contain API keys, internal endpoint URLs, authentication tokens, and developer comments describing security controls or internal architecture.
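    The point of both steps is that comments in CSS and JavaScript travel to the client unchanged, so a defender can audit them the same way a challenger reads them. The script below is an added example, not part of the original writeup or of picoCTF: it pulls every comment out of static assets (block comments in CSS and JS, line comments in JS, skipping comment-like text inside string literals so that "http://" does not count as a comment) and flags any comment that looks like a flag fragment or a credential. The two asset strings it scans are constructed stand-ins for style.css and script.js, not the challenge's real files.

```python
import re
import urllib.request

# Constructed sample assets modelled on the challenge layout (not the real files).
SAMPLE_ASSETS = {
    "style.css": "body { color: #333; } /* picoCTF{part_one_ */ .x { margin: 0; }",
    "script.js": (
        'const url = "http://example.test/api"; // part_two}\n'
        'function f() { return "/* not a comment */"; }\n'
        "/* TODO: remove the api_key before release */"
    ),
}

# Patterns that make a comment worth a human look: flag fragments and credential words.
SECRET_PATTERNS = [
    re.compile(r"picoCTF\{[^}]*\}?"),
    re.compile(r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b"),
]


def extract_comments(source, language):
    """Return the text of every comment in a CSS ("css") or JavaScript ("js") source.

    A small state machine: string literals are skipped so that '//' or '/*' inside
    them is not misread as a comment; '/* ... */' is recognised in both languages,
    '// ...' only in JS (CSS has no line comments).
    """
    quotes = "\"'`" if language == "js" else "\"'"
    comments = []
    i, n = 0, len(source)
    while i < n:
        ch = source[i]
        if ch in quotes:  # skip a string literal, honouring backslash escapes
            i += 1
            while i < n and source[i] != ch:
                if source[i] == "\\":
                    i += 1
                i += 1
            i += 1
            continue
        if source.startswith("/*", i):
            end = source.find("*/", i + 2)
            if end == -1:  # unterminated comment runs to end of file
                end = n
            comments.append(source[i + 2:end].strip())
            i = end + 2
            continue
        if language == "js" and source.startswith("//", i):
            end = source.find("\n", i + 2)
            if end == -1:
                end = n
            comments.append(source[i + 2:end].strip())
            i = end
            continue
        i += 1
    return comments


def scan_assets(assets):
    """Return (filename, comment, suspicious) for every comment in the given assets.

    'suspicious' is True when a SECRET_PATTERN matches; the other comments are
    still listed, because a bare flag fragment ('part_two}') matches no keyword.
    """
    findings = []
    for name, text in assets.items():
        language = "js" if name.endswith(".js") else "css"
        for comment in extract_comments(text, language):
            suspicious = any(p.search(comment) for p in SECRET_PATTERNS)
            findings.append((name, comment, suspicious))
    return findings


def fetch_assets(base_url, names):
    """Download the named static files from base_url (hypothetical deployment URL)."""
    assets = {}
    for name in names:
        with urllib.request.urlopen(f"{base_url.rstrip('/')}/{name}") as resp:
            assets[name] = resp.read().decode("utf-8", errors="replace")
    return assets


if __name__ == "__main__":
    for name, comment, suspicious in scan_assets(SAMPLE_ASSETS):
        marker = "!!" if suspicious else "  "
        print(f"{marker} {name}: {comment}")
```

    Run against a real deployment with fetch_assets(base_url, ["index.html", "style.css", "script.js"]) in place of SAMPLE_ASSETS. Listing every comment, not only the keyword matches, is deliberate: the second half of the flag in this challenge carries no telltale word, and a review of static assets before release should read all of them rather than trust a keyword list.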

Flag

picoCTF{1nclu51v17y_1of2_f7w_2of2_6ede...}

Anything sent to the client can be recovered; never trust obscurity inside frontend assets.
