Crack the Gate 1

Published: April 2, 2026

Description

A login portal guards access to `ctf-player@picoctf.org`. The developer left something helpful in the HTML source - can you spot it?

Open the login page and view the HTML source.

Look for a developer comment - it is ROT13-encoded.

Solution

  1. Step 1: Find and decode the hidden comment
    View the page source and locate the ROT13-encoded HTML comment. Decode it with tr or an online ROT13 tool. The comment reveals a custom HTTP header that bypasses authentication.
    echo 'ABGR: Wnpx - grzcbenel olcnff: hfr urnqre K-Qri-Npprff: lrf' | tr 'A-Za-z' 'N-ZA-Mn-za-m'

    ROT13 (rotate 13) is a simple substitution cipher that shifts each letter forward 13 positions in the alphabet. Because the alphabet has 26 letters, applying ROT13 twice returns the original text - encoding and decoding use the same operation. It is not a security mechanism; it is used to obscure text from casual reading (like spoiler tags on forums).

    HTML comments (<!-- ... -->) are sent to every browser that requests the page - they are visible to anyone who uses "View Source" or browser developer tools. Developers sometimes leave backdoor notes, API keys, internal URLs, or debug instructions in comments, assuming they are invisible because they don't render visually. This is a very common finding in bug bounty hunting.

    The tr command translates (replaces) characters. The pattern tr 'A-Za-z' 'N-ZA-Mn-za-m' maps each letter to its ROT13 equivalent - A becomes N, B becomes O, and so on, wrapping around at Z. This is a standard one-liner for quick ROT13 decoding in the terminal.

  2. Step 2: Send the login request with the bypass header
    The decoded message says to include the header 'X-Dev-Access: yes'. Send the login POST request with this header added - authentication is bypassed and the flag is returned.
    curl -X POST https://<host>/login -H 'X-Dev-Access: yes' -d 'email=ctf-player@picoctf.org&password=anything'

    Custom HTTP headers like X-Dev-Access are non-standard headers that applications sometimes use for internal communication, feature flags, or - as in this case - poorly implemented developer shortcuts. HTTP headers can be set to any arbitrary value by the client, so any authentication logic that trusts a client-supplied header without cryptographic verification is bypassed trivially.

    This class of vulnerability appears in real-world applications as "debug modes," "admin bypass headers," or internal IP allowlisting that trusts X-Forwarded-For. The lesson is that the server can never trust any input from the client - headers, cookies, POST body, and URL parameters are all fully controlled by the person making the request.

    curl -H adds a custom header to the request. -X POST changes the HTTP method, and -d sends URL-encoded form data in the request body. These three flags together replicate what a browser sends when you click a login button, while adding the extra bypass header the server is secretly checking for.
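To show both lessons of this writeup in code (a header-trusting shortcut beside an authentication check that ignores request headers, plus an audit that decodes HTML comments so leftover developer notes are caught before deployment), here is an added Python example; it is not the challenge's server code, and the credential store, salt and sample page are constructed for the demo.

```python
import codecs
import hashlib
import hmac
import re

# Constructed demo credential store (not the challenge's): email -> PBKDF2-SHA256 hash.
SALT = b"constructed-demo-salt"
ITERATIONS = 100_000
USERS = {
    "ctf-player@picoctf.org": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ITERATIONS),
}

def password_ok(email: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users still cost a hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
    expected = USERS.get(email, b"\x00" * len(candidate))
    return email in USERS and hmac.compare_digest(candidate, expected)

def login_vulnerable(headers: dict, form: dict) -> bool:
    """The pattern the writeup describes: a developer shortcut keyed on a request header."""
    if headers.get("X-Dev-Access") == "yes":  # client-controlled, so this is an open door
        return True
    return password_ok(form.get("email", ""), form.get("password", ""))

def login_hardened(headers: dict, form: dict) -> bool:
    """Only the credential check decides; request headers play no part at all."""
    return password_ok(form.get("email", ""), form.get("password", ""))

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

def audit_html_comments(html: str) -> list:
    """Defensive scan of your own pages: return each comment raw and ROT13-decoded,
    so obscured developer notes stand out in a pre-deployment review."""
    return [(c.strip(), codecs.decode(c.strip(), "rot_13")) for c in COMMENT_RE.findall(html)]

# Constructed sample page carrying the challenge's ROT13 comment.
SAMPLE_HTML = """<html><body>
<!-- ABGR: Wnpx - grzcbenel olcnff: hfr urnqre K-Qri-Npprff: lrf -->
<form method="post" action="/login"><input name="email"><input name="password"></form>
</body></html>"""
```

Running `audit_html_comments(SAMPLE_HTML)` surfaces the decoded note, and `login_hardened` returns False for the same request that `login_vulnerable` waves through.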

Flag

picoCTF{...}

ROT13-encoding a backdoor comment provides zero real security - it's sent to every visitor and decodes in seconds.
