picoCTF Solutions
picoCTF 2022Web ExploitationEasy

Inspect HTML

Published: July 20, 2023Updated: December 9, 2025

Description

An apparently empty blog hides its flag in the HTML comments. All you need to do is look under the hood.

Setup

Open site

Load the supplied URL.

Right-click anywhere on the page and choose “View Page Source” (or use your browser’s developer tools).

Scroll through the markup; the flag is embedded inside an HTML comment.

Solution

  1. Step 1Inspect the markup
    The entire challenge boils down to reading the source. No scripts or network requests are needed beyond Ctrl+U / Cmd+Option+U.
  2. Step 2Copy the flag
    Once you spot the `<!-- picoCTF{...} -->` comment, copy the contents between braces.

Flag

picoCTF{1n5p3t0r_0f_h7ml_1fd84...}

Even simple view-source challenges reinforce the need to hide secrets server-side.