Description
Inspect the site’s `/robots.txt`. The developer left Base64-encoded hints pointing to the real flag file.
Setup
Navigate to `/robots.txt`; it lists disallowed paths plus several Base64 strings.
Decode the strings (e.g., with CyberChef) to learn filenames like `flag1.txt` and `js/myfile.txt`.
Visit the decoded path `js/myfile.txt` to view the flag.
```bash
curl -s http://saturn.picoctf.net:55771/robots.txt
echo 'anMvbXlmaWxlLnR4dA==' | base64 -d   # yields js/myfile.txt
curl -s http://saturn.picoctf.net:55771/js/myfile.txt
```
Solution
- Step 1: Read robots.txt. The file disallows `/cgi-bin/` and `/wp-admin/`, but more importantly includes encoded clues. Decoding them reveals exact file paths.
- Step 2: Grab the flag. Request `http://saturn.picoctf.net:55771/js/myfile.txt`. The response contains the picoCTF flag in plain text.
Flag
picoCTF{Who_D03sN7_L1k5_90B0T5_22ce...}
Robots.txt is frequently a gold mine for hidden endpoints during recon.
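The decoding step above, turned into a check a site owner could run before publishing a `robots.txt` (an added example, not part of the original write-up): it reports every Base64 token that decodes to printable text. The sample file is constructed from the strings named in this write-up, and `audit_robots` and `decode_if_text` are hypothetical names.

```python
import base64
import re
import string

# Runs of Base64-alphabet characters with optional padding. Unpadded tokens
# whose length is not a multiple of 4 are ignored (assumption of this sketch).
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def decode_if_text(token):
    """Return the decoded string if token is Base64 for printable ASCII, else None."""
    if len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Ordinary words such as "Disallow" are valid Base64 but decode to
    # control bytes, so the printable filter drops them.
    if text and all(ch in PRINTABLE for ch in text):
        return text
    return None


def audit_robots(body):
    """Return (line number, token, decoded text) for each encoded hint found."""
    findings = []
    for lineno, line in enumerate(body.splitlines(), 1):
        for token in TOKEN_RE.findall(line):
            text = decode_if_text(token)
            if text is not None:
                findings.append((lineno, token, text))
    return findings


# Constructed sample modelled on the file described in this write-up.
SAMPLE = (
    "User-agent: *\n"
    "Disallow: /cgi-bin/\n"
    "Disallow: /wp-admin/\n"
    "\n"
    "ZmxhZzEudHh0;anMvbXlmaWxlLnR4dA==\n"
)

if __name__ == "__main__":
    for lineno, token, text in audit_robots(SAMPLE):
        print(f"line {lineno}: {token} decodes to {text!r}")
```

Any finding means the file leaks a path that encoding does not hide; remove the string and protect the file it names with access control rather than obscurity.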