picoCTF Web Exploitation Guide

here's how to solve Scavenger Hunt

Back to the Web Exploitation Guides

Scavenger Hunt

Name: Scavenger Hunt
Description: There is some interesting information hidden around this site http://mercury.picoctf.net:55079/. Can you find it?
Author: madStacks
Tags: Easy, Web Exploitation, picoCTF 2021
Challenge from: picoCTF 2021
Hints:
1. You should have enough hints to find the files, don't run a brute forcer.

Theory

According to the description, to get the flag we have to find some info, we could go look at the website and if there's nothing in there, then we could go to the view source with Ctrl+U or right click.

Solution

So we'll open the website:

Yup, nothing here, let's go to the view source:

Okay, we have the first part of the password, and two outlinks, let's go to that css file, that is usually used for styling an HTML page:

http://mercury.picoctf.net:55079/mycss.css
...

#tabintro { background-color: #ccc; }
#tababout { background-color: #ccc; }

/* CSS makes the page look nice, and yes, it also has part of the flag. Here's part 2: h4ts_4_l0 */

Great, the second part, now let's see the js file, which is normally used for JavaScript code to run in the website:

http://mercury.picoctf.net:55079/myjs.js
...

window.onload = function() {
    openTab('tabintro', this, '#222');
}

/* How can I keep Google from indexing my website? */

Huh, it isn't here, but there's a clue. This might be referring to the Robots.txt text file, which is used by website makers to instruct web crawlers (robots taking site information to match searches) like google and other search engines what to get or not to level out traffic in your website. So let's go to the robots.txt file in the server and check if we're right about this:

http://mercury.picoctf.net:55079/robots.txt
User-agent: *
Disallow: /index.html
# Part 3: t_0f_pl4c
# I think this is an apache server... can you Access the next flag?

There we go, a third part of the flag, and now we get another clue into where the next part might be. This is probably referring to the .htaccess file, which is a configuration file for Apache servers, that usually contains error page stuff, redirects, indexes, and other website settings. And it's also heavily implied by capitalizing the "Access" word in the hint. So let's go to the .htaccess file in the server and check if we're right about this:

http://mercury.picoctf.net:55079/.htaccess
# Part 4: 3s_2_lO0k
# I love making websites on my Mac, I can Store a lot of information there.

Really there's more?! Oh well. Now it's telling us that they're using a Mac to manage this website. And if you know anything about transfering folders between Macs and different operating systems, it's always so annoying, because they create information files for each file, just adding a ._ before the file name to store file icons or whatever metadata, and this one .DS_Store file that has info about the current folder. And now that we know that, it seems pretty obvious that it's that .DS_Store, again heavily implied by the word "Store" having the first letter capitalized. So let's go to the .DS_Store file in the server and check if we're right about this

http://mercury.picoctf.net:55079/.DS_Store
Congrats! You completed the scavenger hunt. Part 5: _74cceb07}

And if we copy all the parts and reassemble all of them back in the order we got it, we get this:

picoCTF{th4ts_4_l0t_0f_pl4c3s_2_lO0k_74cceb07}

There we go! That's the flag.

I rated this level as "not good"! :(

https://play.picoctf.org/practice/challenge/161

Explore My Website