Description
An apparently empty blog hides its flag in the HTML comments. All you need to do is look under the hood.
Setup
Load the supplied URL.
Right-click anywhere on the page and choose "View Page Source" (or use your browser's developer tools).
Scroll through the markup; the flag is embedded inside an HTML comment.
Solution
- Step 1: Inspect the markup. The entire challenge boils down to reading the source. No scripts or network requests are needed beyond Ctrl+U / Cmd+Option+U.
Learn more
HTML comments use the syntax `<!-- comment -->` and are completely ignored by the browser renderer; they produce no visible output on the page. However, they are sent to the client as part of the HTML response and are plainly visible in the page source. They were historically used to hide JavaScript from old browsers that didn't understand `<script>` tags, but that workaround became obsolete in the late 1990s.

View Page Source (Ctrl+U / Cmd+Option+U) shows the raw HTML exactly as the server sent it, before JavaScript has a chance to modify the DOM. This is distinct from the Elements panel in DevTools, which shows the live DOM after JavaScript execution. For finding content hidden in the original HTML, such as comments, View Source is the right tool.
In real security audits, HTML comments are routinely inspected for developer notes, internal paths, software version strings, API endpoints, and accidentally left-in credentials. Automated scanners specifically check for comments, and it's standard practice to strip them from production HTML responses using minification tools before deployment.
- Step 2: Copy the flag. Once you spot the `<!-- picoCTF{...} -->` comment, copy the contents between the braces.
Learn more
Finding the flag in the source is the entire challenge - no decoding or further analysis needed. This is intentional: the goal is to teach the habit of checking page source before assuming a page has no hidden content. Many real-world secrets have been discovered this way, including internal API documentation URLs, debug endpoints, and staging environment credentials.
If you prefer the command line, `curl -s URL | grep '<!--'` prints every line of an HTML page that contains a comment opener, without opening a browser. This approach scales well when you need to check many pages programmatically, and is the basis of automated web scraping and security scanning tools.
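The audit practice described under Step 1 (inspecting comments for credentials, paths, version strings and dev notes, then stripping them before deployment) and the `curl | grep` one-liner above can both be shown in a few lines of Python. The script below is an added example, not part of the original write-up or of picoCTF; the HTML it scans is constructed for the example, and the "suspicious" patterns are my own heuristics, not an exhaustive list. It uses a real HTML parser rather than grep, so a comment that spans several lines is recovered whole (grep is line-oriented and only shows the line holding `<!--`), and it finishes with the mitigation: the minifier-style comment stripping the write-up recommends for production responses.

```python
"""Find, triage and strip HTML comments (added example, not the write-up's own code)."""
from html.parser import HTMLParser
import re

# Constructed sample page for the example; the flag value is a placeholder, not the real one.
SAMPLE_HTML = """\
<!DOCTYPE html>
<html>
<head>
  <!-- build: webapp v2.3.1 -->
  <title>Empty blog</title>
</head>
<body>
  <p>Nothing to see here.</p>
  <!--
    TODO(dev): remove before launch
    staging admin password: hunter2
  -->
  <!-- picoCTF{example_flag_not_real} -->
</body>
</html>
"""

# Heuristic patterns an auditor would flag inside a comment (assumed, illustrative only).
SUSPICIOUS = {
    "credential": re.compile(r"\b(password|passwd|secret|api[_-]?key|token)\b", re.I),
    "ctf_flag": re.compile(r"\b\w+CTF\{[^}]*\}"),
    "internal_path": re.compile(r"(?<![\w/])/(?:admin|internal|debug|staging|\.git)\b"),
    "version": re.compile(r"\bv?\d+\.\d+(?:\.\d+)?\b"),
    "dev_note": re.compile(r"\b(TODO|FIXME|HACK|XXX)\b"),
}


class CommentCollector(HTMLParser):
    """Collect every comment together with the line on which it starts.

    Because this is a real parser, a comment spanning several lines is returned
    intact, which `grep '<!--'` cannot do.
    """

    def __init__(self):
        super().__init__()
        self.comments = []  # list of (line_number, comment_text)

    def handle_comment(self, data):
        line, _col = self.getpos()  # position of the '<!--' that opened this comment
        self.comments.append((line, data.strip()))


def find_comments(html):
    """Return [(line, text)] for every comment in the document."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def triage(html):
    """Return [(line, sorted_categories, text)] for comments matching any SUSPICIOUS pattern."""
    findings = []
    for line, text in find_comments(html):
        categories = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(text))
        if categories:
            findings.append((line, categories, text))
    return findings


# Naive minifier step: drop every '<!-- ... -->' (including multi-line ones) before the
# page is served. Real minifiers also handle comments inside <script>/<style> specially.
COMMENT_RE = re.compile(r"<!--.*?-->", re.S)


def strip_comments(html):
    """Remove all HTML comments from a response body (the deployment-time mitigation)."""
    return COMMENT_RE.sub("", html)


if __name__ == "__main__":
    for line, categories, text in triage(SAMPLE_HTML):
        print(f"line {line}: {', '.join(categories)}: {text!r}")
    print("comments left after stripping:", len(find_comments(strip_comments(SAMPLE_HTML))))
```

Run against the sample, the triage reports the version string on line 4, the multi-line dev note with a password on line 9 (which a plain `grep '<!--'` would have shown only as an empty `<!--` line), and the flag-shaped comment on line 13; after `strip_comments` the parser finds nothing, which is the state a production response should be in.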
Flag
picoCTF{1n5p3t0r_0f_h7ml_1fd84...}
Even simple view-source challenges reinforce the need to keep secrets server-side.