Description
Inspect the site's /robots.txt. The developer left Base64-encoded hints pointing to the real flag file.
Setup
Open the site in your browser and have curl/CyberChef ready for inspecting and decoding the response.
curl -s http://saturn.picoctf.net:55771/robots.txtSolution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Read robots.txtObservationThe challenge name 'Roboto Sans' is a direct pun on robots.txt, and the description mentioned the developer left hints in that file, which suggested checking the site's /robots.txt as the first step to uncover any hidden or disallowed paths.robots.txt is a plain-text directive file with three main fields:User-agent(which crawlers a rule applies to),Allow, andDisallow(paths to skip). This site lists encoded strings alongside the disallow rules. Decoding them reveals exact file paths.The Base64 string
anMvbXlmaWxlLnR4dA==shows up among the disallows. Decode it inline:$ echo 'anMvbXlmaWxlLnR4dA==' | base64 -d js/myfile.txtThat path is the next stop.
What didn't work first
Tried: Trying to decode the robots.txt entries as URL encoding (%xx) or hex instead of Base64.
The strings like anMvbXlmaWxlLnR4dA== contain only A-Z, a-z, 0-9, and = padding - classic Base64 characters. URL-decoding them yields garbled output because percent signs are absent. Spotting the = padding and the restricted character set identifies Base64 immediately.
Tried: Browsing directly to /disallow or the raw encoded string as a URL path instead of decoding it first.
The encoded value anMvbXlmaWxlLnR4dA== is not itself a valid path - the server returns a 404. The path is hidden inside the encoding, so it must be decoded with base64 -d (or CyberChef) to reveal js/myfile.txt before making the second request.
Learn more
robots.txt is a plain-text file at the root of a website that instructs web crawlers (like Googlebot) which paths to avoid indexing. It follows the Robots Exclusion Protocol - an informal standard, not a security mechanism. Any browser or script can freely access
Disallow-listed paths; the file is merely a polite request to well-behaved bots.In penetration testing and CTF recon,
robots.txtis one of the first files to check. Developers often list sensitive paths (admin panels, backup files, API endpoints) to prevent them from appearing in search results - inadvertently advertising exactly what they're trying to hide. It's essentially a roadmap of interesting endpoints.Common paths worth checking:
/admin,/backup,/.git,/config,/api, and anything a developer would want to hide from search engines. Automated tools like dirbuster, gobuster, and ffuf combine robots.txt analysis with dictionary-based path brute-forcing.Step 2
Grab the flagObservationI noticed that decoding the Base64 string 'anMvbXlmaWxlLnR4dA==' from the Disallow entry produced the path 'js/myfile.txt', which suggested requesting that URL directly would reveal the flag stored there.Requesthttp://saturn.picoctf.net:55771/js/myfile.txt. The response contains the picoCTF flag in plain text.Learn more
Base64 is an encoding scheme that converts binary or arbitrary data into a set of 64 printable ASCII characters. It's not encryption - it has no key and is trivially reversible. Its purpose is data transport (e.g., email attachments, embedding binary in JSON), not confidentiality.
Spotting Base64 in the wild: strings are typically a multiple of 4 characters long, use only
A-Z,a-z,0-9,+, and/, and often end with one or two=padding characters. The commandecho 'string' | base64 -ddecodes on Linux; CyberChef provides the same with a visual interface.In this challenge, Base64 was used to slightly obscure file paths - but obscurity is not security. Any attacker who reads
robots.txtwill immediately recognize and decode the strings. Real security requires proper access controls (authentication, authorization), not encoding tricks.
Flag
Reveal flag
picoCTF{Who_D03sN7_L1k5_90B0T5_22ce...}
Robots.txt is frequently a gold mine for hidden endpoints during recon.