Description
Multiple nested directories hide the real flag page. Mirror the site or manually enumerate /secret/hidden/superhidden/ until you discover the correct HTML.
Setup
Recursively download the site (wget -m http://saturn.picoctf.net:53932/) or probe the directories manually.
Follow the hints (/secret, /secret/hidden, /secret/hidden/superhidden) until you land on the flag page.
wget -m http://saturn.picoctf.net:53932/curl -s http://saturn.picoctf.net:53932/secret/hidden/superhidden/grep -oE "picoCTF\{.*?\}" --color=noneSolution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Mirror or crawlObservationI noticed the challenge description referenced nested directories (/secret, /secret/hidden, /secret/hidden/superhidden), which suggested the flag was hidden at a deeper path than what the homepage links directly and that recursively mirroring or crawling the site would be the most reliable way to discover all layers.Usingwget -mpulls down every referenced directory so you can explore offline. Alternatively, use curl to fetch each nested folder live.What didn't work first
Tried: Clicking through the visible links on the homepage and giving up when no flag appears.
The homepage only links to the first hidden directory, not the deeper layers. A beginner might think they have explored the whole site after one or two clicks. The correct approach is to follow every link at each layer until you reach the deepest directory.
Tried: Checking robots.txt and sitemap.xml and stopping there when neither file reveals the full nested path.
robots.txt may or may not disclose the nested directories in this challenge. Relying on it alone means missing paths the server never told crawlers to avoid. The reliable approach is to mirror the site with wget or manually probe each directory level listed in the page links.
Learn more
Directory enumeration is the process of discovering hidden or unlisted paths on a web server. Servers often host files in directories that aren't linked from any page - they're accessible if you know the path, but invisible to normal browsing. This is called security through obscurity, and it's not a valid security control.
wget -m(mirror mode) is equivalent towget -r -N -l inf --no-remove-listing- it recursively downloads everything, preserves timestamps, and follows all links it finds. This is ideal for capturing the full structure of a static site.In professional web application testing, directory brute-forcing with tools like gobuster, ffuf, or dirbuster uses wordlists containing thousands of common path names (
admin,backup,secret,api, etc.) to systematically probe for unlisted endpoints.Another quick recon step is checking robots.txt (e.g.,
http://target.com/robots.txt) and sitemap.xml. Robots.txt tells search engine crawlers which paths not to index - and ironically, theDisallowentries are often a direct map of the most interesting directories on the site. Real-world examples include admin panels, staging environments, and internal API endpoints accidentally disclosed in production robots.txt files.Web archive services like the Wayback Machine (web.archive.org) are also valuable: even if a developer removed a sensitive directory, old snapshots may reveal its existence and contents. During bug bounty reconnaissance, combining current directory brute-forcing with historical archive inspection significantly broadens the attack surface you can identify.
Step 2
Extract the flagObservationI noticed the deepest directory (/secret/hidden/superhidden/) rendered a visually blank page, which suggested the flag text was hidden via CSS styling (white text on white background) and that viewing page source or using grep would bypass the visual concealment.Once you reach/secret/hidden/superhidden/, the flag is present in the HTML but rendered in white text on a white background, invisible at first glance. Use Ctrl+A (select all) to reveal it, or view the page source and grep forpicoCTF{...}directly.What didn't work first
Tried: Staring at the page and concluding there is no flag because the page looks blank.
The flag text is styled white on a white background, so it is invisible without selecting it or viewing the source. Pressing Ctrl+A to select all text will highlight it and make it visible, or viewing the page source bypasses the CSS styling entirely.
Tried: Opening DevTools and inspecting the Elements panel expecting to see the flag text clearly labeled.
The Elements panel shows the live DOM and applies CSS - the text still appears as the same white color in the inspector unless you examine the computed style or look at the raw source. Viewing the page source with Ctrl+U or running curl and grepping for picoCTF is faster and avoids the CSS confusion.
Learn more
The layered nesting (
/secret/hidden/superhidden/) illustrates how developers sometimes try to hide pages by using obscure directory names rather than implementing proper authentication. Each layer provides no additional security - if you know the path exists, HTTP will serve it to anyone.HTTP directory listing is another related vulnerability: when a web server is configured to show the contents of a directory (because there's no
index.html), it automatically exposes all files in that path to any visitor. Always check for open directory listings during web recon - they're a fast way to discover interesting files.Proper access control means requiring authentication (login, API key, session token) before serving sensitive resources - not relying on paths being unknown. Authenticated endpoints return 401 or 403 to unauthenticated requests regardless of whether the path is guessed or linked.
When checking for directory listing, look for the telltale "Index of /" title in the page response. A quick
curl -s http://target/ | grep -i "index of"identifies open listings automatically. Automated tools likeniktoalso flag open directory listings as part of their standard scan output.This challenge is a good reminder that the OWASP category Security Misconfiguration (A05 in the OWASP Top 10 2021) covers a wide range of issues including open directory listings, unnecessary features enabled, default credentials, and verbose error messages. Misconfiguration is consistently one of the most prevalent web vulnerabilities because it requires active hardening - the insecure state is often the out-of-the-box default.
Flag
Reveal flag
picoCTF{succ3ss_@h3n1c@10n_51b2...}
robots.txt or site mirroring often reveals “hidden” directories with ease.