IntroToBurp

Published: April 3, 2024 | Updated: December 9, 2025

Description

Try here to find the flag

Burp proxy

Launch Burp Suite Community Edition (or your preferred intercepting proxy) and open its embedded browser, or point your own browser at the proxy listener.

Browse to the provided URL through the proxy so every request is visible in the Proxy tab:

http://titan.picoctf.net:<PORT_FROM_INSTANCE>/

Solution

  1. Step 1: Register with dummy data
    Fill out the first form with any values and submit. This leads to the OTP verification page.
  2. Step 2: Intercept the OTP submission
    Turn Intercept ON in Burp, enter any OTP, and submit. In the captured request, locate the otp= parameter and delete its value so the body contains simply otp=.
    (Intercepted request body) ...&otp=&...
  3. Step 3: Forward the tampered request
    Forward the modified request to the server. The OTP check fails open on an empty value, so the response contains the flag immediately.
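The three steps above can be reproduced offline to see why the bypass works. The following is an added example, not code from the challenge or from this writeup: the challenge's server-side handler is not published, so `verify_otp_weak` is a hypothetical fail-open check that reproduces the behaviour observed in Step 3, and the field names `username` and `submit` in the sample body are constructed. `blank_param` performs the same edit made in Burp (emptying `otp=` while keeping every other parameter), and `verify_otp_strict` shows the check that would have stopped it.

```python
"""Added example: reproduce the otp= tampering and contrast a fail-open OTP
check with a strict one. The real challenge handler is unknown; the checks
below are hypothetical illustrations of the observed behaviour."""
from urllib.parse import parse_qsl, urlencode
import hmac

# Constructed placeholder, not the real flag.
FLAG = "picoCTF{constructed_example_flag}"


def blank_param(body: str, name: str = "otp") -> str:
    """Mirror the Burp edit: keep every parameter, but set `name` to an empty value.

    keep_blank_values=True is required, otherwise urllib would silently drop
    the emptied parameter and the body would read differently from what was
    forwarded in the proxy.
    """
    pairs = parse_qsl(body, keep_blank_values=True)
    edited = [(k, "" if k == name else v) for k, v in pairs]
    return urlencode(edited)


def verify_otp_weak(submitted: str, expected: str) -> bool:
    """Hypothetical fail-open check (assumption, not the challenge's code).

    An empty submission is treated as "nothing to verify" and is accepted,
    which is exactly what an intercepted otp= with no value exploits.
    """
    if not submitted:
        return True
    return submitted == expected


def verify_otp_strict(submitted: str, expected: str) -> bool:
    """Fail-closed check: missing or empty values are rejected before any
    comparison, and the comparison itself is constant-time."""
    if not submitted or not expected:
        return False
    if len(submitted) != len(expected):
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())


def handle_otp_post(body: str, expected: str, verifier) -> tuple[int, str]:
    """Simulated /otp handler: parse the form body and gate the flag on `verifier`.

    A missing otp parameter is read as an empty string, so removing the
    parameter entirely behaves the same as blanking its value.
    """
    params = dict(parse_qsl(body, keep_blank_values=True))
    submitted = params.get("otp", "")
    if verifier(submitted, expected):
        return 200, FLAG
    return 403, "Invalid OTP"


if __name__ == "__main__":
    # Constructed request body, as captured after Step 2 with an arbitrary OTP.
    captured = "username=alice&otp=123456&submit=Verify"
    tampered = blank_param(captured)
    print("tampered body :", tampered)
    print("fail-open     :", handle_otp_post(tampered, "482913", verify_otp_weak))
    print("fail-closed   :", handle_otp_post(tampered, "482913", verify_otp_strict))
```

The weak handler returns the flag for the tampered body even though no valid OTP was ever supplied; the strict handler returns 403 for the same body and only succeeds when the submitted value matches the expected one.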

Flag

picoCTF{#0TP_Bypvss_SuCc3$S_3e3d...}

The OTP check fails open: an empty otp value is accepted as valid, so tampering with that single parameter yields the flag immediately.