picoCTF Solutions
PathPart of the Web Exploitation path · Step 1 of 5: Source Code and Developer Tools
picoCTF 2024Web ExploitationEasy

WebDecode

Published: April 3, 2024

Description

Do you know how to use the web inspector? Start searching here to find the flag

Setup

Browser only

Open the challenge URL in your browser and enable DevTools (Ctrl+Shift+I).

Navigate to the About section where the hint lives.

Solution

  1. Step 1Inspect the element
    Right-click the About header and choose Inspect. In the HTML you'll see an attribute named notify_true with a Base64 blob.
    Learn more

    Developers sometimes hide data in HTML attributes as a quick and dirty way to embed values without displaying them. Custom attributes (anything not in the HTML spec) appear in the page source and DevTools but are invisible to casual readers. The attribute name notify_true is a non-standard attribute - a hint to look more closely at what value it carries.

    HTML data attributes (the official way to embed custom data) use the prefix data-, e.g., data-user-id="42". Non-prefixed custom attributes like notify_true still work in browsers but are technically invalid HTML5. Either way, any value stored there is fully accessible to anyone who views the page source - not a secure storage location.

    • Right-click any element and choose Inspect to jump directly to that element in the DevTools Elements panel.
    • Use Ctrl+F inside the Elements panel to search for notify or base64 patterns across the full DOM.
    • document.querySelector('[notify_true]').getAttribute('notify_true') in the Console tab also extracts the value programmatically.
  2. Step 2Decode the blob
    Copy the string (for example cGljb0NURnt3ZWJfc3VjYzNzc2Z1bGx5X2QzYzBkZWRfMDJjZGNiNTl9) into CyberChef (https://gchq.github.io/CyberChef/) or run base64 -d to reveal the flag.
    echo cGljb0NURnt3ZWJfc3VjYzNzc2Z1bGx5X2QzYzBkZWRfMDJjZGNiNTl9 | base64 -d
    Learn more

    Base64 is an encoding scheme that represents binary data using only 64 ASCII-safe characters (A–Z, a–z, 0–9, +, /). It was originally designed to safely transmit binary data over channels that only support text, such as email. It is not encryption - there is no key, and anyone who sees the encoded string can decode it instantly.

    You can recognize base64 by its characteristics: the character set is limited to alphanumerics plus + and /, the string length is always a multiple of 4 (padded with = signs), and the encoded length is about 33% larger than the original. A string like cGljb0NURn... starting with cGljb0NURn is almost certainly a base64-encoded picoCTF flag (it decodes to picoCTF).

    Common places developers accidentally leave base64-encoded secrets: HTML attributes, JavaScript variables, URL parameters, HTTP response headers, and API responses. Security researchers routinely grep for base64-like strings when reviewing web application source code.

Alternate Solution

Once you copy the Base64 string from the HTML attribute, decode it in one click with the Base64 Decoder on this site. Paste the value and the flag is shown immediately - no terminal or CyberChef needed.

Flag

picoCTF{web_succ3ssfully_d3c0ded_02c...}

Decoding the notify_true attribute reveals the flag above.

Want more picoCTF 2024 writeups?

Browse picoCTF 2024Full library

Tools used in this challenge

Related reading

What to try next