Description
The Pachinko exhibit hides two separate artifacts; this page covers flag one. Explore the website, submit circuits until the curators finally acknowledge you, and capture the flag that appears in the success toast.
Launch the instance to obtain your personalized website URL and port.
Optionally pull the provided server.tar.gz to inspect the frontend code, although it is not required for flag one.
Browse to the site and locate the "Submit Circuit" interaction.
```bash
wget https://challenge-files.picoctf.net/c_activist_birds/7eac27979c12e4bd449f03e40a8492044221b7d2a96ac85f1150e30983c56eac/server.tar.gz
tar -xvf server.tar.gz
```

Solution
Walk me through it

Step 1: Submit circuits and watch the network panel

Open DevTools > Network before clicking anything (closing DevTools or refreshing wipes the panel). Each "Submit Circuit" click POSTs JSON; on the order of 1 in 100 to 1 in 1000 submissions returns the flag, so a curl loop with a few hundred iterations is faster than clicking. A failed POST returns a payload like {"result":"You missed!"}; a winning POST contains picoCTF{...}.

```bash
# Capture headers from one real submit (DevTools > right-click > Copy > Copy as cURL),
# then fire many requests with timeout + retry + explicit success check.
# Replace the headers and the -d '{}' body with what Copy as cURL shows for the real request.
for i in $(seq 1 500); do
  body=$(curl -s --max-time 5 --retry 2 -X POST https://<host>/submit \
    -H 'Content-Type: application/json' -d '{}')
  echo "$body" | grep -ao 'picoCTF{[^}]*}' && break
done
```

Learn more
Many web challenges implement probabilistic or counter-based reward logic server-side. The server may award a flag after a fixed number of submissions, at random with a certain probability, or when some hidden internal state is reached. Reading the server source (when available) lets you understand exactly which condition triggers the reward rather than clicking blindly.
When source isn't available, browser DevTools are your best friend. The Network tab records every HTTP request and response, including the full JSON body. The capture is tab-scoped and tab-lifetime: closing DevTools clears the panel, refreshing the page clears it, and navigating away clears it. Keep DevTools docked open from the moment you start testing so nothing slips past.
For challenges that require repeated interactions, curl in a shell loop is far faster than clicking manually. Always set --max-time per request and check the response body for an explicit success substring (here, picoCTF{) so the loop terminates as soon as a flag arrives instead of running to completion.

Step 2: Replay from the console

If you want to keep clicking through the real UI but speed it up, paste a fetch loop into the DevTools Console. Use the same fetch shape DevTools shows under "Copy as fetch" so cookies and CSRF headers are preserved.

```js
// In DevTools Console, after at least one real submit.
// If "Copy as fetch" shows headers or a body on the real request, add them to the options below.
for (let i = 0; i < 500; i++) {
  const r = await fetch('/submit', { method: 'POST' });
  const t = await r.text();
  if (t.includes('picoCTF{')) { console.log(t); break; }
}
```

Learn more
The browser Network panel (accessible via F12 or right-click then Inspect) is one of the most powerful tools in web security research. It captures all HTTP/HTTPS traffic between the browser and server, including request headers, cookies, request bodies, response status codes, response headers, and full response bodies, even for requests that completed instantly.
Clicking on any entry in the Network panel reveals a detail view with tabs for Headers, Payload, Preview, Response, Timing, and (for WebSocket connections) Messages. The Response tab shows the raw server response, making it possible to recover flag strings from dynamically generated content that was only briefly visible in the UI.
For automated analysis, tools like Burp Suite or mitmproxy act as intercepting proxies between your browser and the server, logging every exchange with search and filter capabilities. These are standard tools in web penetration testing and are particularly useful when the flag appears in a response header or a non-displayed JSON field rather than in visible page content.
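The stop-on-first-success loop from steps 1 and 2, run offline against the counter-based and probabilistic reward logic described under step 1, as an added Python example (not the writeup's or the challenge's code); MockPachinko, its modes and the flag value are constructed placeholders, since the real handler was not inspected.

```python
# Added example, not code from the writeup or the challenge: a stop-on-first-flag
# submit loop run offline against a mock of the reward styles described above.
import json
import random
import re
from typing import Callable, Optional, Tuple

FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")


def extract_flag(body: str) -> Optional[str]:
    """Return the first picoCTF{...} token in a raw response body, or None.
    Searching the raw text also catches a flag in a non-displayed JSON field."""
    m = FLAG_RE.search(body)
    return m.group(0) if m else None


def submit_until_flag(submit: Callable[[dict], str],
                      max_attempts: int = 500) -> Tuple[Optional[str], int]:
    """Call submit() until a flag appears; return (flag, attempts used).
    Same shape as the curl loop: bounded iterations, explicit success check."""
    for attempt in range(1, max_attempts + 1):
        flag = extract_flag(submit({"circuit": attempt}))
        if flag:
            return flag, attempt
    return None, max_attempts


class MockPachinko:
    """Constructed stand-in for the server (the real handler was not inspected).
    mode="counter": win on the n-th submission; mode="random": win with probability p."""

    def __init__(self, mode: str, n: int = 0, p: float = 0.0, seed: int = 0):
        self.mode, self.n, self.p = mode, n, p
        self.rng = random.Random(seed)  # seeded so the "random" mode is reproducible
        self.count = 0

    def submit(self, payload: dict) -> str:
        self.count += 1
        if self.mode == "counter":
            won = self.count >= self.n
        else:
            won = self.rng.random() < self.p
        if won:  # flag value is a placeholder, not the challenge's flag
            return json.dumps({"result": "Winner!", "flag": "picoCTF{example_placeholder}"})
        return json.dumps({"result": "You missed!"})

if __name__ == "__main__":
    print(submit_until_flag(MockPachinko("counter", n=137).submit))
```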
Step 3: Record flag one

Once the pop-up finally includes picoCTF{...}, copy that value. That's flag one for Pachinko. Flag two appears only in the follow-up challenge, Pachinko Revisited.

Learn more
Multi-flag challenges are common in CTF competitions and mirror real-world multi-stage attack chains. Each flag typically unlocks the next phase of investigation, ensuring players understand each concept before moving on. In Pachinko, flag one demonstrates understanding of web interactions and response monitoring, while the revisited challenge presumably requires deeper source analysis or a different exploit vector.
Keeping detailed notes during CTF challenges is valuable practice - writing down every endpoint you discover, every unusual response, and every hypothesis you explore. Many experienced CTF players maintain a structured notes file per challenge and share it afterward as a writeup, contributing to the community knowledge base. Writeup repositories on GitHub are often more detailed than official solutions and frequently reveal elegant alternative approaches.
Flag
picoCTF{p4ch1nk0_f146_0n3_e947...}
There's no trick. The site randomly decides when to hand you the flag, and keeping the browser devtools open prevents you from missing it.