Unminify picoCTF 2024 Solution

Published: April 3, 2024

Description

I don't like scrolling down to read the code of my website, so I've squished it. As a bonus, my pages load faster! Browse here, and find the flag!

View-source

Browse to the provided URL (http://titan.picoctf.net:54777/) and open DevTools.

Alternatively, fetch the HTML with curl and search for picoCTF{...}.

  1. Step 1: Inspect the DOM
    Open DevTools (F12), focus the Elements panel, and Ctrl+F for picoCTF. The matching node highlights and you can read the flag in place.

    Browser DevTools (opened with F12 or Ctrl+Shift+I) provide a live, structured view of the DOM that is far more readable than raw source. The Elements panel lets you navigate the full HTML tree, search for text, and inspect attributes - even in heavily minified pages where the source is a single long line.

    Minification compresses HTML, CSS, and JavaScript by removing whitespace, comments, and shortening variable names to reduce file size and improve load times. It is a performance optimization, not a security measure. The content is identical to the original - it is just harder to read at a glance. DevTools parse the minified markup and show it as an indented, collapsible tree in the Elements panel.

    • Use Ctrl+F in the Elements panel to search for text like picoCTF across the entire DOM tree.
    • The Sources panel has a "Pretty print" button ({}) that reformats minified JS/CSS with proper indentation.
    • View Source (Ctrl+U) shows the raw HTML as served by the server, before JavaScript modifies the DOM.
  2. Step 2: One-liner option
    curl -s fetches the page and grep -oE picks out only the flag substring. The character class [^}]+ matches any flag body up to the first closing brace.
    bash
    curl -s http://titan.picoctf.net:54777/ | grep -oE 'picoCTF\{[^}]+\}'

    curl -s fetches a URL silently (no progress bar) and prints the response body to stdout. Piping through grep -oE 'picoCTF\{[^}]+\}' extracts only the matching portion using an extended regex (-E) and prints only the match (-o) rather than the whole line. The character class [^}]+ matches any character that is not a closing brace, so the pattern stops cleanly at the end of the flag.

    This pipeline approach is a fundamental CTF and security research skill. Instead of manually reading through thousands of bytes of minified HTML, you let regex do the work. The same pattern applies to searching server responses, log files, and API output for sensitive information during penetration tests.

    If you redirect to a file and the output looks garbled with escape codes, add --color=none to grep; that flag suppresses the ANSI color sequences, which are only useful in an interactive terminal and show up as noise anywhere else. Real CTF flags are often embedded inside HTML attribute values or JavaScript strings, so a tighter regex is sometimes needed if multiple matches collide on one line.
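The two steps combined, as an added example that is not part of the original writeup: it parses single-line minified HTML and reports where each flag-shaped string sits (attribute, text or script body, comment), which is what the Elements panel search shows and what grep alone does not. The names FlagLocator, locate_flags and SAMPLE, and the placeholder flag values, are made up for this illustration.

```python
import re
from html.parser import HTMLParser

FLAG_RE = re.compile(r"picoCTF\{[^}]+\}")  # same pattern as the grep one-liner

class FlagLocator(HTMLParser):
    """Walks HTML and records (location, match) for every flag-shaped string."""
    VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags with no end tag

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.path = []   # stack of open elements, like the DevTools breadcrumb
        self.hits = []

    def _scan(self, where, text):
        for m in FLAG_RE.finditer(text or ""):  # attribute values may be None
            self.hits.append((where, m.group(0)))

    def handle_starttag(self, tag, attrs):
        here = "/".join(self.path + [tag])
        for name, value in attrs:
            self._scan(f"{here}@{name}", value)
        if tag not in self.VOID:
            self.path.append(tag)

    def handle_endtag(self, tag):
        if tag in self.path:
            # Pop back to the matching open tag; tolerates unclosed children.
            while self.path.pop() != tag:
                pass

    def handle_data(self, data):  # text nodes and <script>/<style> bodies
        self._scan("/".join(self.path) + "#text", data)

    def handle_comment(self, data):
        self._scan("/".join(self.path) + "#comment", data)

def locate_flags(html):
    parser = FlagLocator()
    parser.feed(html)
    parser.close()
    return parser.hits

# Constructed single-line sample with placeholder flags (not the challenge page).
SAMPLE = ('<!doctype html><html><head><title>x</title>'
          '<script>var k="picoCTF{in_js_string}";</script></head>'
          '<body><p class="picoCTF{in_attribute}">hi<br></p>'
          '<!-- picoCTF{in_comment} --></body></html>')

if __name__ == "__main__":
    for where, flag in locate_flags(SAMPLE):
        print(f"{where}: {flag}")
```

Run against the build output of your own site, the same walk shows which element or comment is leaking a string that was assumed hidden by minification.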

Flag

picoCTF{pr3tty_c0d3_743...}

Even minified HTML can't hide a plaintext flag.
