picoCTF
Roboto Sans [200 pts]
Challenge Description:
The flag is somewhere on this web application not necessarily on the website. Find it.
Check this out.
After exploring the website files a little, I found nothing to indicate a possible flag. Given the name of the challenge, Roboto Sans, and its description, “The flag is somewhere on this web application not necessarily on the website,” I figured checking the robots.txt file might be worth a shot.
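In short, robots.txt is a file that tells website crawlers which of a website’s URLs they may or may not access. Websites use it to keep certain pages from showing up in search engine results. It is only a request to well-behaved crawlers, and the file itself is publicly readable, so every path listed in it is visible to anyone who asks for it.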
Check http://saturn.picoctf.net:63195/robots.txt, which will show the following:
User-agent *
Disallow: /cgi-bin/
Think you have seen your flag or want to keep looking.
ZmxhZzEudHh0;anMvbXlmaW
anMvbXlmaWxlLnR4dA==
svssshjweuiwl;oiho.bsvdaslejg
Disallow: /wp-admin/
Some of it appears to be base64 encoded. Let’s try to decode it using an online tool.
It should return the following:
flag1.txtjs/myfi
js/myfile.txt
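The same decoding done offline, as an added example that is not part of the original write-up. It splits the non-directive lines on the `;` separator, repairs missing padding, and keeps only tokens that decode to printable ASCII, which shows that the first encoded line holds two values, the second one truncated. The function names are made up for illustration; the robots.txt body is copied from the listing above.

```python
import base64
import string

# robots.txt body copied from the listing in the write-up
ROBOTS_TXT = """\
User-agent *
Disallow: /cgi-bin/
Think you have seen your flag or want to keep looking.
ZmxhZzEudHh0;anMvbXlmaW
anMvbXlmaWxlLnR4dA==
svssshjweuiwl;oiho.bsvdaslejg
Disallow: /wp-admin/
"""

B64_CHARS = set(string.ascii_letters + string.digits + "+/")
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation)


def try_b64(token):
    """Return the decoded text if token is plausible base64 of printable ASCII, else None."""
    body = token.rstrip("=")
    # Too short to be meaningful, wrong alphabet, or a length base64 can never produce.
    if len(body) < 8 or not set(body) <= B64_CHARS or len(body) % 4 == 1:
        return None
    raw = base64.b64decode(body + "=" * (-len(body) % 4))  # restore stripped padding
    text = raw.decode("ascii", errors="replace")
    return text if set(text) <= PRINTABLE else None


def decode_hidden_entries(robots_txt):
    """Map each base64-looking token on a non-directive line to its decoded text."""
    found = {}
    for line in robots_txt.splitlines():
        if ":" in line:  # ordinary "Field: value" directive, nothing to decode
            continue
        for token in line.replace(";", " ").split():
            decoded = try_b64(token)
            if decoded is not None:
                found[token] = decoded
    return found


if __name__ == "__main__":
    for token, decoded in decode_hidden_entries(ROBOTS_TXT).items():
        print(f"{token} -> {decoded}")
```
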
Finally, checking http://saturn.picoctf.net:63195/js/myfile.txt should return the flag:
picoCTF{Who_D03sN7_L1k5_90B0T5_22ce1f22}