Search source picoCTF 2022 Solution

Published: July 20, 2023

Description

A sprawling static site hides the flag somewhere in its source tree. Mirror the entire site and grep for picoCTF.

Use wget -r -np -k <url> to recursively download the entire site without traversing upward.

Run grep -R picoCTF inside the mirrored directory to locate the flag.

bash
wget -r -np -k http://saturn.picoctf.net:53295/
bash
cd saturn.picoctf.net:53295 && grep -R picoCTF
bash
grep -R picoCTF | cut -d ' ' -f3

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Mirror everything
    Observation
    I noticed the challenge describes a sprawling static site with no obvious location for the flag, which suggested that downloading the entire site locally with wget and then searching it would be far faster than clicking through each page manually.
    wget -r -np -k recursively pulls down every linked file (-r), refuses to climb above the starting directory (-np = no-parent), and rewrites links inside the local copy so the mirror is browsable offline (-k). The result is the full /problem directory ready for offline grep.
    What didn't work first

    Tried: Clicking through the site manually in a browser and using View Source on each page.

    The site has many pages and the flag is buried in a non-obvious asset like a CSS file. Checking each page by hand would take too long, and View Source only shows one page at a time. Mirroring everything locally with wget lets you search the entire tree in one grep command.

    Tried: Running wget without the -np flag, which causes it to crawl upward through the server directory tree.

    Without -np (no-parent), wget will follow links that go above the starting URL path, potentially downloading huge amounts of unrelated content or getting stuck in a redirect loop. The -np flag constrains the download to the target directory and below, keeping the mirror focused and manageable.

    Learn more

    wget is a command-line tool for downloading files and mirroring websites. The flags used here: -r (recursive download), -np (no-parent, don't traverse above the starting URL), and -k(convert links for local browsing). Together they create a complete local copy of the site's directory tree.

    This technique is useful when a site has many pages or files - rather than clicking through each one manually, you download everything at once and analyze offline. In real-world web recon, httrack and Scrapy provide similar offline mirroring with more configuration options.

    Static sites (no server-side rendering) are particularly amenable to this approach because every file is directly accessible via HTTP. Dynamic sites (React, Next.js, PHP) may not expose source files directly, but their JavaScript bundles, CSS, and API responses can still contain sensitive data worth examining.

  2. Step 2
    Search recursively
    Observation
    I noticed that flags in web challenges are often hidden in CSS or JS comments rather than visible HTML, which suggested using grep -R picoCTF across the entire mirrored directory to cover every file type in one pass.
    grep -R picoCTF recursively searches the mirrored tree and surfaces the file containing the flag. A second pass with grep -hoE 'picoCTF\{[^}]+\}' strips everything except the flag itself.

    A typical run looks like this:

    $ cd saturn.picoctf.net:53295
    $ grep -R picoCTF
    css/style.css:/* picoCTF{1nsp3ti0n_0f_w3bpag3s_8de9...} */
    
    $ grep -RhoE 'picoCTF\{[^}]+\}' .
    picoCTF{1nsp3ti0n_0f_w3bpag3s_8de9...}

    -h suppresses the file name, -o prints only the match, -E enables the extended regex.

    What didn't work first

    Tried: Searching only the HTML files by running grep on the downloaded index page, and missing the flag in a CSS or JS asset.

    Flags in web challenges are commonly hidden in comments inside CSS or JavaScript files rather than in the HTML itself. Grepping a single file or only .html files misses these. The -R flag on the mirrored directory covers every file type at once.

    Tried: Using browser DevTools to search page source instead of grepping the mirrored files.

    The browser's DevTools Sources panel only shows files that have been loaded during the current page visit. Assets linked from pages you have not navigated to will not appear there. Grepping the full mirrored directory is the only reliable way to search every file without manually visiting each page.

    Learn more

    grep -R pattern directory performs a recursive content search through all files in a directory tree. It's one of the most powerful everyday tools for developers and security researchers alike. The -l flag shows only filenames; -n adds line numbers; -i makes the match case-insensitive.

    In CTF competitions, flags often appear in comments, JavaScript files, CSS, configuration files, or metadata - places that aren't rendered visibly in a browser. A broad recursive grep covers all of these simultaneously and is far faster than manually checking each page's view-source.

    For larger codebases or binary files, ripgrep (rg) is a faster modern alternative to grep. It respects .gitignore patterns, handles binary files gracefully, and produces colorized output by default. Both tools are essential for source code review and CTF challenges involving large file sets.

Interactive tools
  • Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.

Flag

Reveal flag

picoCTF{1nsp3ti0n_0f_w3bpag3s_8de9...}

When in doubt, mirror and grep-many web challenges boil down to hidden strings in source files.

Key takeaway

Web assets delivered to the browser, including HTML, CSS, JavaScript, and image metadata, are fully readable by anyone who requests them regardless of how they appear visually. Developers sometimes embed credentials, API keys, internal paths, or flags in comments, unused variables, or minified bundles under the mistaken assumption that obscurity provides protection. Recursive site mirroring combined with grep is a standard reconnaissance step in web penetration testing, and automated scanners like truffleHog and gitleaks apply the same principle at scale to source repositories.

Related reading

Want more picoCTF 2022 writeups?

Useful tools for Web Exploitation

What to try next