The Add/On Trap

Published: March 20, 2026

Description

What kind of information can an Add/On reach? Is it possible to exfiltrate it without you noticing? Download the browser extension suspicious.zip (password: picoctf) and inspect it to uncover the hidden flag.

Download suspicious.zip and extract it using the password 'picoctf'.

Inspect all the extension files for hidden data.

unzip -P picoctf suspicious.zip
ls -la

Solution

  1. Step 1: Extract the extension
    Unzip suspicious.zip with the provided password. Browser extensions (.crx, .xpi, .zip) are just ZIP archives; a .crx file carries an extra CRX header in front of the ZIP data, which must be stripped before the archive will extract.
    unzip -P picoctf suspicious.zip
    ls -la
  2. Step 2: Inspect manifest.json
    Read the manifest to understand permissions, content scripts, background pages, and web-accessible resources. The flag or an encoded form of it may appear directly in the manifest.
    python3 -m json.tool manifest.json
    grep -i 'picoCTF\|flag\|secret' manifest.json
  3. Step 3: Search all JS files for the flag and encoded data
    Grep every file for the flag pattern, then look for obfuscated forms: base64 strings, hex escape sequences (\xNN), String.fromCharCode arrays, and XOR-encoded arrays. Also check for suspicious network calls (fetch, XMLHttpRequest, sendBeacon) that might exfiltrate data.
    grep -r 'picoCTF' .
    grep -rE '[A-Za-z0-9+/]{20,}={0,2}' . --include='*.js'
    grep -rE '(\\x[0-9a-f]{2}){4,}' . --include='*.js'
    grep -r 'String.fromCharCode' . --include='*.js'
    grep -rE '(fetch|XMLHttpRequest|sendBeacon|navigator\.sendBeacon)' . --include='*.js'
  4. Step 4: Decode obfuscated strings
    Decode any encoded strings found. Common techniques in malicious extensions: base64, hex escape sequences, charcode arrays, and XOR with a hardcoded key.
    # Decode base64:
    echo '<base64_string>' | base64 -d
    # Decode hex array:
    python3 -c "print(bytes.fromhex('<hex_string>').decode())"
    # Decode charcode array:
    python3 -c "print(''.join(chr(c) for c in [<codes>]))"
    # Decode XOR array with key:
    python3 -c "key=b'<key>'; data=[<bytes>]; print(''.join(chr(b^key[i%len(key)]) for i,b in enumerate(data)))"
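The four decodings from Steps 3 and 4 combined into one scanner that reads a JS file and reports every candidate that decodes to the flag pattern, as an added example that is not part of the writeup. The sample JS and the key "key" are constructed for the demo; for XOR it goes beyond the one-liner above by trying every short string literal found in the file as the key, since the key is normally hardcoded next to the array.

```python
import base64
import re

FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")

# Constructed sample JS imitating the four encodings above (not the real challenge file).
SAMPLE_JS = r"""
const a = "cGljb0NURntiNjR9";
const b = "\x70\x69\x63\x6f\x43\x54\x46\x7b\x68\x65\x78\x7d";
const c = String.fromCharCode(112,105,99,111,67,84,70,123,99,99,125);
const k = "key"; const d = [27,12,26,4,38,45,45,30,1,4,23,4];
"""

def _text(raw: bytes) -> str:
    """Decode bytes as UTF-8, or return '' if the candidate is not text."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return ""

def decode_candidates(js: str) -> dict:
    """Return {flag: technique} for every decoding of js that yields a flag."""
    found = {m: "plain" for m in FLAG_RE.findall(js)}
    # Base64-looking runs; pad to a multiple of 4 before decoding.
    for s in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", js):
        try:
            out = _text(base64.b64decode(s + "=" * (-len(s) % 4)))
        except ValueError:
            continue
        found.update({m: "base64" for m in FLAG_RE.findall(out)})
    # Runs of \xNN escapes.
    for run in re.findall(r"(?:\\x[0-9a-fA-F]{2}){4,}", js):
        out = _text(bytes.fromhex(run.replace("\\x", "")))
        found.update({m: "hex-escape" for m in FLAG_RE.findall(out)})
    # Numeric arrays: raw char codes, then XOR with each short string literal (the key is usually hardcoded nearby).
    keys = re.findall(r'"([^"\\]{1,16})"', js) + re.findall(r"'([^'\\]{1,16})'", js)
    for arr in re.findall(r"[(\[]\s*(\d{1,3}(?:\s*,\s*\d{1,3}){3,})\s*[)\]]", js):
        nums = [int(n) for n in arr.split(",")]
        if max(nums) > 255:
            continue
        found.update({m: "charcode" for m in FLAG_RE.findall(_text(bytes(nums)))})
        for key in keys:
            kb = key.encode()
            out = _text(bytes(b ^ kb[i % len(kb)] for i, b in enumerate(nums)))
            found.update({m: f"xor key={key!r}" for m in FLAG_RE.findall(out)})
    return found

if __name__ == "__main__":
    for flag, how in decode_candidates(SAMPLE_JS).items():
        print(f"{how:>14}: {flag}")
```

Point it at the real extension by reading each .js file into `decode_candidates` in place of SAMPLE_JS.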

Flag

picoCTF{4dd_0n_tr4p_...}

Extract the .zip extension, search all JS files for picoCTF directly, then look for encoded forms: base64 strings, \x hex escapes, String.fromCharCode arrays, or XOR-encoded byte arrays. The flag is hidden in the extension's JavaScript source.