Pachinko

Description

Solution

1. Step 1Interact with the exhibit
   Open the provided website in your browser (or via curl if you prefer) and start clicking the "Submit Circuit" button. Each submission logs a faux success response and occasionally rewards you with a special message.
   Learn more

   Many web challenges implement probabilistic or counter-based reward logic server-side. The server may award a flag after a fixed number of submissions, at random with a certain probability, or when some hidden internal state is reached. Reading the server source (when available) lets you understand exactly which condition triggers the reward rather than clicking blindly.

   When source isn't available, browser DevTools are your best friend. The Network tab records every HTTP request and response, including the full JSON body. This means even if a toast notification disappears before you can read it, the raw response is captured and remains inspectable in the Network panel indefinitely.

   For challenges that require repeated interactions, curl in a shell loop is far faster than clicking manually. A one-liner like for i in $(seq 1 100); do curl -s -X POST <url>; done can replay a request many times quickly to trigger probabilistic conditions.

2. Step 2Watch the network tab
   Even if you close the toast notification too quickly, the Network panel shows every POST response. Look for the one where the JSON payload includes the picoCTF flag.
   Learn more

   The browser Network panel (accessible via F12 or right-click → Inspect) is one of the most powerful tools in web security research. It captures all HTTP/HTTPS traffic between the browser and server, including request headers, cookies, request bodies, response status codes, response headers, and full response bodies - even for requests that completed instantly.

   Clicking on any entry in the Network panel reveals a detail view with tabs for Headers, Payload, Preview, Response, Timing, and (for WebSocket connections) Messages. The Response tab shows the raw server response, making it possible to recover flag strings from dynamically generated content that was only briefly visible in the UI.

   For automated analysis, tools like Burp Suite or mitmproxy act as intercepting proxies between your browser and the server, logging every exchange with search and filter capabilities. These are standard tools in web penetration testing and are particularly useful when the flag appears in a response header or a non-displayed JSON field rather than in visible page content.

3. Step 3Record flag one
   Once the pop-up finally includes `picoCTF{...}`, copy that value. That's flag one for Pachinko. Flag two appears only in the follow-up challenge, Pachinko Revisited.
   Learn more

   Multi-flag challenges are common in CTF competitions and mirror real-world multi-stage attack chains. Each flag typically unlocks the next phase of investigation, ensuring players understand each concept before moving on. In Pachinko, flag one demonstrates understanding of web interactions and response monitoring, while the revisited challenge presumably requires deeper source analysis or a different exploit vector.

   Keeping detailed notes during CTF challenges is valuable practice - writing down every endpoint you discover, every unusual response, and every hypothesis you explore. Many experienced CTF players maintain a structured notes file per challenge and share it afterward as a writeup, contributing to the community knowledge base. Writeup repositories on GitHub are often more detailed than official solutions and frequently reveal elegant alternative approaches.

Flag

picoCTF{p4ch1nk0_f146_0n3_e947...}

There's no trick. The site randomly decides when to hand you the flag, and keeping the browser devtools open prevents you from missing it.