findme

Published: April 26, 2023

Description

The login form logs every request client-side. Capture the POST in the browser devtools to recover the Base64-encoded flag fragments.

Open the website, enter username test and password test!, and keep the Network tab open with "Preserve log" enabled.

Copy the id parameters returned in the response; they are Base64 fragments of the flag.

id=cGlj...VzX2Fs
id=bF90aG...YmJhZTlhfQ==

Solution

  1. Step 1: Capture the response
    After submitting the test credentials, two id values appear. Highlight them in the Network response pane.

    The browser DevTools Network tab records every HTTP request and response made by the page, including XHR/Fetch calls triggered by form submissions. With "Preserve log" enabled, the history persists across page navigations - critical here because the server redirects after login and would otherwise clear the log.

    Clicking on a request in the Network tab reveals four sub-panels: Headers (request/response metadata), Payload (POST body), Preview (formatted response), and Response (raw response body). The id parameters returned by this challenge appear in the response body or redirect URL, depending on the implementation. Inspecting these values is identical to what a real attacker does when probing a login endpoint for information leakage.

    Real-world relevance: APIs sometimes return internal identifiers, session tokens, or other sensitive strings in response bodies that developers intended only for internal use. Tools like Burp Suite automate the capture and replay of these requests for deeper analysis.

    HTTP redirects (status codes 301, 302, 307, 308) are handled automatically by browsers, meaning the intermediate responses are invisible unless you specifically preserve them. This is exactly why "Preserve log" is critical here. In Burp Suite, all intermediate redirect responses are captured automatically in the Proxy history, making it easier to inspect the full chain. Understanding redirect behavior is important for discovering information leakage in authentication flows, OAuth callbacks, and single sign-on implementations.

    The Network tab also reveals timing information, request sizes, and the HTTP method used (GET vs POST). When a form submits via POST, the Payload panel shows the form fields sent to the server - including hidden fields that don't appear in the visible UI. Hidden form fields are a common place where developers inadvertently store sensitive data like internal IDs, tokens, or state values that users aren't supposed to see or modify (but can, since HTML is fully client-controlled).

  2. Step 2: Decode and concatenate
    Base64-decode each id separately, then join the strings to form the complete picoCTF flag.

    Splitting a secret across multiple fields is a simple obfuscation technique. Each id value decodes to a fragment of the flag; concatenating them in order reconstructs the full string. This mirrors how real applications sometimes split tokens across multiple cookies or headers - a pattern that can leak partial secrets even when individual components look innocuous.

    To decode Base64 in the terminal: echo 'cGlj...' | base64 --decode. In Python: import base64; base64.b64decode('cGlj...').decode(). CyberChef's "From Base64" operation handles it visually. Remember that padded Base64 strings always have a length that is a multiple of 4; one or two = padding characters fill the gap when the input byte length isn't divisible by 3.

    The broader lesson: never treat Base64 as a security measure. It is transparent encoding, not encryption. Treat any Base64 data found during reconnaissance as plaintext that simply needs one decoding step.

    Recognizing Base64 on sight is a useful habit. Base64 strings use the characters A-Z, a-z, 0-9, +, and /, and are padded with = to make the total length a multiple of 4. URL-safe Base64 replaces + with - and / with _ to avoid conflicts with URL syntax. If you see a long string of alphanumerics ending in one or two = characters, Base64 is almost always the right first guess.

    The same split-and-reassemble pattern also appears in malware command-and-control (C2) communications. A C2 server might return a multi-part command spread across multiple HTTP responses, each looking innocuous on its own, to evade pattern-based network detection. Reassembling and decoding these fragments is a standard malware analysis task. The skills developed in this challenge - capturing all responses, extracting and joining fragments, then decoding - map directly to real incident response work.
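One way to automate Step 2 end to end, as an added Python example that is not part of the original writeup: it pulls the id parameters out of a redirect URL, decodes each one and joins the plaintext pieces. The URL shape and the fragment values are constructed for this example, not the challenge's real data; the decoder also handles the URL-safe alphabet and stripped padding discussed above.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Constructed sample, not the real challenge data: a redirect Location header
# of the shape the writeup describes, carrying two Base64 id fragments. The
# padding '=' of the second fragment arrives percent-encoded as %3D.
SAMPLE_LOCATION = (
    "http://challenge.invalid/next-page"
    "?id=cGljb0NURntmYWtl&id=X2ZsYWdfZGVtb30%3D"
)


def extract_ids(url: str) -> list[str]:
    """Return every id query parameter of a URL, in the order it appears."""
    return parse_qs(urlsplit(url).query).get("id", [])


def decode_fragment(fragment: str) -> bytes:
    """Base64-decode one fragment.

    Accepts both the standard and the URL-safe alphabet and re-adds padding
    that a server or proxy may have stripped, so the same helper works for
    values found in JSON bodies, query strings and cookies alike.
    """
    std = fragment.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)          # pad up to a multiple of 4
    # validate=True rejects stray characters instead of silently dropping
    # them, which would otherwise corrupt a fragment without any error.
    return base64.b64decode(std, validate=True)


def recover_flag(url: str) -> str:
    """Decode each id fragment separately and join the plaintext pieces.

    Decoding per fragment is the robust order: joining the encoded strings
    first only works when no fragment except the last carries '=' padding.
    """
    pieces = [decode_fragment(f) for f in extract_ids(url)]
    return b"".join(pieces).decode("utf-8")


if __name__ == "__main__":
    for frag in extract_ids(SAMPLE_LOCATION):
        print(f"{frag:>20} -> {decode_fragment(frag)!r}")
    print("flag:", recover_flag(SAMPLE_LOCATION))
```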

Alternate Solution

Once you collect the Base64 fragments from the network responses, concatenate them and decode the result with the Base64 Decoder on this site - paste the joined string and click decode to reveal the flag without any terminal commands.

Flag

picoCTF{prox...bae9a}

The fragments must be concatenated before submitting.
