Description
A sprawling static site hides the flag somewhere in its source tree. Mirror the entire site and grep for picoCTF.
Setup
Use wget -r -np -k <url> to recursively download the entire site without traversing upward.
Run grep -R picoCTF inside the mirrored directory to locate the flag.
wget -r -np -k http://saturn.picoctf.net:53295/cd saturn.picoctf.net:53295 && grep -R picoCTFgrep -R picoCTF | cut -d ' ' -f3Solution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Mirror everythingObservationI noticed the challenge describes a sprawling static site with no obvious location for the flag, which suggested that downloading the entire site locally with wget and then searching it would be far faster than clicking through each page manually.wget -r -np -krecursively pulls down every linked file (-r), refuses to climb above the starting directory (-np= no-parent), and rewrites links inside the local copy so the mirror is browsable offline (-k). The result is the full /problem directory ready for offline grep.What didn't work first
Tried: Clicking through the site manually in a browser and using View Source on each page.
The site has many pages and the flag is buried in a non-obvious asset like a CSS file. Checking each page by hand would take too long, and View Source only shows one page at a time. Mirroring everything locally with wget lets you search the entire tree in one grep command.
Tried: Running wget without the -np flag, which causes it to crawl upward through the server directory tree.
Without -np (no-parent), wget will follow links that go above the starting URL path, potentially downloading huge amounts of unrelated content or getting stuck in a redirect loop. The -np flag constrains the download to the target directory and below, keeping the mirror focused and manageable.
Learn more
wget is a command-line tool for downloading files and mirroring websites. The flags used here:
-r(recursive download),-np(no-parent, don't traverse above the starting URL), and-k(convert links for local browsing). Together they create a complete local copy of the site's directory tree.This technique is useful when a site has many pages or files - rather than clicking through each one manually, you download everything at once and analyze offline. In real-world web recon, httrack and Scrapy provide similar offline mirroring with more configuration options.
Static sites (no server-side rendering) are particularly amenable to this approach because every file is directly accessible via HTTP. Dynamic sites (React, Next.js, PHP) may not expose source files directly, but their JavaScript bundles, CSS, and API responses can still contain sensitive data worth examining.
Step 2
Search recursivelyObservationI noticed that flags in web challenges are often hidden in CSS or JS comments rather than visible HTML, which suggested usinggrep -R picoCTFacross the entire mirrored directory to cover every file type in one pass.grep -R picoCTFrecursively searches the mirrored tree and surfaces the file containing the flag. A second pass withgrep -hoE 'picoCTF\{[^}]+\}'strips everything except the flag itself.A typical run looks like this:
$ cd saturn.picoctf.net:53295 $ grep -R picoCTF css/style.css:/* picoCTF{1nsp3ti0n_0f_w3bpag3s_8de9...} */ $ grep -RhoE 'picoCTF\{[^}]+\}' . picoCTF{1nsp3ti0n_0f_w3bpag3s_8de9...}-hsuppresses the file name,-oprints only the match,-Eenables the extended regex.What didn't work first
Tried: Searching only the HTML files by running grep on the downloaded index page, and missing the flag in a CSS or JS asset.
Flags in web challenges are commonly hidden in comments inside CSS or JavaScript files rather than in the HTML itself. Grepping a single file or only .html files misses these. The -R flag on the mirrored directory covers every file type at once.
Tried: Using browser DevTools to search page source instead of grepping the mirrored files.
The browser's DevTools Sources panel only shows files that have been loaded during the current page visit. Assets linked from pages you have not navigated to will not appear there. Grepping the full mirrored directory is the only reliable way to search every file without manually visiting each page.
Learn more
grep -R pattern directoryperforms a recursive content search through all files in a directory tree. It's one of the most powerful everyday tools for developers and security researchers alike. The-lflag shows only filenames;-nadds line numbers;-imakes the match case-insensitive.In CTF competitions, flags often appear in comments, JavaScript files, CSS, configuration files, or metadata - places that aren't rendered visibly in a browser. A broad recursive grep covers all of these simultaneously and is far faster than manually checking each page's view-source.
For larger codebases or binary files, ripgrep (
rg) is a faster modern alternative to grep. It respects.gitignorepatterns, handles binary files gracefully, and produces colorized output by default. Both tools are essential for source code review and CTF challenges involving large file sets.
Interactive tools
- Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.
Flag
Reveal flag
picoCTF{1nsp3ti0n_0f_w3bpag3s_8de9...}
When in doubt, mirror and grep-many web challenges boil down to hidden strings in source files.