Description
I don't like scrolling down to read the code of my website, so I've squished it. As a bonus, my pages load faster! Browse here, and find the flag!
Setup
Browse to the provided URL (http://titan.picoctf.net:54777/) and open DevTools.
Alternatively, fetch the HTML with curl and search for `picoCTF{...}`.
Solution
- Step 1: Inspect the DOM. In DevTools, right-click the body and choose "Expand recursively". Scroll until you spot the picoCTF{...} string.
Learn more
Browser DevTools (opened with F12 or Ctrl+Shift+I) provide a live, structured view of the DOM that is far more readable than raw source. The Elements panel lets you navigate the full HTML tree, search for text, and inspect attributes - even in heavily minified pages where the source is a single long line.
Minification compresses HTML, CSS, and JavaScript by removing whitespace, comments, and shortening variable names to reduce file size and improve load times. It is a performance optimization, not a security measure. The content is identical to the original - it is just harder to read at a glance. The browser's DevTools automatically parse and pretty-print minified code in the Elements panel.
- Use Ctrl+F in the Elements panel to search for text like picoCTF across the entire DOM tree.
- The Sources panel has a "Pretty print" button ({}) that reformats minified JS/CSS with proper indentation.
- View Source (Ctrl+U) shows the raw HTML as served by the server, before JavaScript modifies the DOM.
- Step 2: One-liner option. Use `curl -s URL | grep -oE 'picoCTF{.*}'` to print only the flag, even though the HTML is minified.
curl -s http://titan.picoctf.net:54777/ | grep -oE 'picoCTF{.*}' --color=none | cut -d "\"" -f1
Learn more
`curl -s` fetches a URL silently (no progress bar) and prints the response body to stdout. Piping through `grep -oE 'picoCTF{.*}'` extracts only the matching portion using an extended regex (-E) and prints only the match (-o) rather than the whole line. This makes it a precise one-liner for extracting flags from HTML, even when the entire page is on a single line.
This pipeline approach is a fundamental CTF and security research skill. Instead of manually reading through thousands of bytes of minified HTML, you let regex do the work. The same pattern applies to searching server responses, log files, and API output for sensitive information during penetration tests.
`cut -d "\"" -f1` at the end trims anything after the first double-quote that might follow the closing brace in the HTML context - a cleanup step to isolate the exact flag string. Real CTF flags are often embedded inside HTML attribute values or JavaScript strings, making such trimming necessary.
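Added example (not part of the original write-up): the same search run on the parsed tree in Python, reporting where each match sits (script string, comment, or attribute). The sample page and its placeholder flags are constructed; because the parser decodes character references, it also finds an entity-encoded value that a raw regex over the source misses.

```python
import re
from html.parser import HTMLParser

FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")   # flag shape used on this page
VOID = {"br", "hr", "img", "input", "link", "meta"}  # common tags with no end tag

# Constructed sample: one minified line with placeholder flags in a script
# string, a comment, and an entity-encoded attribute value.
SAMPLE = ('<!doctype html><html><head><title>t</title>'
          '<script>var k="picoCTF{constructed_js}";</script></head>'
          '<body><p class="a">hi</p><!--picoCTF{constructed_comment}-->'
          '<input value="picoCTF&#123;constructed_attr&#125;"></body></html>')

class FlagLocator(HTMLParser):
    """Record (location, match) for every flag-shaped string in the parsed tree."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack, self.hits = [], []

    def _scan(self, where, text):
        self.hits += [(where, m) for m in FLAG_RE.findall(text or "")]

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:       # attribute values arrive entity-decoded
            self._scan(f"attribute {tag}[{name}]", value)
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass

    def handle_data(self, data):        # includes <script>/<style> bodies
        self._scan(f"text in <{self.stack[-1] if self.stack else 'document'}>", data)

    def handle_comment(self, data):
        self._scan("comment", data)

def find_flags(html):
    parser = FlagLocator()
    parser.feed(html)
    parser.close()                      # flush any buffered trailing text
    return parser.hits

if __name__ == "__main__":
    for where, value in find_flags(SAMPLE):
        print(f"{where}: {value}")
    print("raw regex matches:", len(FLAG_RE.findall(SAMPLE)))
```

Run against a site's built output before publishing, the same check shows which minified files still carry a plaintext secret and in what context.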
Flag
picoCTF{pr3tty_c0d3_743...}
Even minified HTML can't hide a plaintext flag.