Siunam's Website

My personal website

Home About Blog Writeups Projects E-Portfolio

Scavenger Hunt | Mar 3, 2023

Introduction

Welcome to my another writeup! In this picoGym challenge, you’ll learn: Inspecting HTML, viewing web crawler file (robots.txt), Apache’s .htaccess file, and MacOS .DS_Store file! Without further ado, let’s dive in.

Background

Author: madStacks

Description

There is some interesting information hidden around this site http://mercury.picoctf.net:27393/. Can you find it?

Enumeration

Home page:

Pretty empty. Let’s view the source page:

[...]
  <head>
    <title>Scavenger Hunt</title>
    <link href="https://fonts.googleapis.com/css?family=Open+Sans|Roboto" rel="stylesheet">
    <link rel="stylesheet" type="text/css" href="mycss.css">
    <script type="application/javascript" src="myjs.js"></script>
  </head>
[...]
	<!-- Here's the first part of the flag: picoCTF{t -->
 [...]

We found the first 3 parts of the flag in the HTML comment! picoCTF{t.

Also, in the <head> element, there are 2 files are being imported: mycss.css, myjs.js.

mycss.css:

[...]
#tabintro { background-color: #ccc; }
#tababout { background-color: #ccc; }

/* CSS makes the page look nice, and yes, it also has part of the flag. Here's part 2: h4ts_4_l0 */

myjs.js:

[...]
window.onload = function() {
    openTab('tabintro', this, '#222');
}

/* How can I keep Google from indexing my website? */

Hmm… “How can I keep Google from indexing my website?”

Based on my experience, it’s referring to robots.txt, a web crawler file for search engine’s robots.

In Google Support, it said:

A page is indexed by Google if it has been visited by the Google crawler (“Googlebot”), analyzed for content and meaning, and stored in the Google index. Indexed pages can be shown in Google Search results (if they follow Google’s webmaster guidelines). While most pages are crawled before indexing, Google may also index pages without access to their content (for example, if a page is blocked by a robots.txt directive).

That being said, let’s go to /robots.txt:

┌[siunam♥earth]-(~/ctf/picoGym/Web-Exploitation)-[2023.03.03|18:07:01(HKT)]
└> curl http://mercury.picoctf.net:27393/robots.txt
User-agent: *
Disallow: /index.html
# Part 3: t_0f_pl4c
# I think this is an apache server... can you Access the next flag?

Again, based on my experience, it’s referring to Apache’s .htaccess file.

In Apache documentation, it said:

.htaccess files (or “distributed configuration files”) provide a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular document directory, and the directives apply to that directory, and all subdirectories thereof.

TL;DR: .htaccess is the Apache web server configuration file.

┌[siunam♥earth]-(~/ctf/picoGym/Web-Exploitation)-[2023.03.03|18:11:16(HKT)]
└> curl http://mercury.picoctf.net:27393/.htaccess 
# Part 4: 3s_2_lO0k
# I love making websites on my Mac, I can Store a lot of information there.

Now, I have no idea in this hint, as I never touch MacOS before.

Let’s google that:

Found it! The hint is referring to .DS_Store, which is a file that stores custom attributes of its containing folder, such as folder view options, icon positions, and other visual information.

┌[siunam♥earth]-(~/ctf/picoGym/Web-Exploitation)-[2023.03.03|18:13:34(HKT)]
└> curl http://mercury.picoctf.net:27393/.DS_Store
Congrats! You completed the scavenger hunt. Part 5: _d375c750}

What we’ve learned:

  1. Inspecting HTML
  2. Viewing Web Crawler File (robots.txt), Apache’s .htaccess File & MacOS .DS_Store File