Description
The flag is somewhere on this web application not necessarily on the website. Find it.
Additional details will be available after launching your challenge instance.
📝 Challenge Overview
A web server exposes a robots.txt file that likely contains hints. By fetching robots.txt, decoding a few Base64 strings, and visiting the revealed path, we find a small text file containing the flag. This is a classic example of looking for information disclosure in robots.txt and using simple decoding tools to follow the breadcrumb trail.
🔎 Step 1: Fetch robots.txt
- Open the site or fetch
robots.txtfrom the target:http://saturn.picoctf.net:65352/robots.txt - The file contains these lines (excerpt):
ZmxhZzEudHh0;anMvbXlmaW anMvbXlmaWxlLnR4dA== c3Zzc3NoandldWl3bDtvaWhvLmJzdmRhc2xlamc
📝 Explanation: robots.txt sometimes contains accidental hints (links or filenames) that authors don’t want crawlers to index. Always check it early when exploring web CTFs.
🧩 Step 2: Decode the Base64 strings
- The lines look like Base64. Decode them (you can use CyberChef or local tools). Example CyberChef recipe: From Base64.
- CyberChef link (use From_Base64):
https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)
- CyberChef link (use From_Base64):
- Decoding (with proper padding) yields:
ZmxhZzEudHh0→flag1.txtanMvbXlmaW(add==) →js/myfi(partial)anMvbXlmaWxlLnR4dA==→js/myfile.txt- (There may be another long string that decodes to garbage or noise; ignore non-useful lines.)
📝 Explanation: Base64 strings sometimes arrive with missing padding (=). Try adding = characters to make the length a multiple of 4 before decoding, or use a tolerant decoder (CyberChef). The useful decoded path here is js/myfile.txt.
🧭 Step 3: Visit the revealed path
- Combine the decoded path with the host and port to get the file URL:
http://saturn.picoctf.net:65352/js/myfile.txt - Open that URL in a browser or fetch it with
curl/wget. The file contains the flag.
📝 Explanation: robots.txt revealed (or hinted at) the path to a static file inside a js folder. Visiting the decoded path directly often reveals flags or further hints.
🏁 Capture the Flag
🎉 The file at /js/myfile.txt contained the flag:picoCTF{Who_D03sN7_L1k5_90B0T5_718c9043}
📊 Summary
| Step | Command / Action | Purpose | Key Result |
|---|---|---|---|
| 1 | Visit http://...:65352/robots.txt | Look for hidden paths or hints | Found Base64 strings in robots.txt |
| 2 | Decode Base64 (CyberChef or base64 -d) | Convert encoded strings to readable paths | Decoded to flag1.txt, js/myfile.txt |
| 3 | Open http://...:65352/js/myfile.txt | Retrieve the file that contains the flag | Flag: picoCTF{Who_D03sN7_L1k5_90B0T5_718c9043} |
💡 Beginner Tips
- 🔎 Always check
robots.txtearly — it can contain accidental disclosures. - 🧾 Use CyberChef for quick interactive decoding (Base64, ROT13, hex, etc.).
- 🧮 If a Base64 string fails to decode, try adding padding characters
=until its length is a multiple of 4. - 🌐 Use
curlto fetch resources from the terminal:curl -s http://saturn.picoctf.net:65352/robots.txt curl -s http://saturn.picoctf.net:65352/js/myfile.txt - 🧰 Prefer local decoding for sensitive content (avoid pasting secrets into unknown web services).
🎓 What you learn (takeaways)
robots.txtcan leak interesting information; never ignore it during reconnaissance.- Base64 is commonly used to hide small strings; knowing how to decode it quickly is valuable.
- Small issues like missing Base64 padding are common — learning how to handle them pays off.
- Simple manual steps (viewing
robots.txt, decoding, visiting the decoded URL) often solve beginner web CTFs.
⚡ Short explanations for commands / techniques used
- 🔗
robots.txt- What: A standard file that tells web crawlers which parts of a website to avoid.
- Why: It sometimes contains paths the author didn’t want indexed — possible hints.
- How:
http://example.com/robots.txtorcurlto fetch it.
- 🧩 Base64 decoding
- What: A common encoding for binary-to-text; used to hide readable strings.
- Why: Quick to encode/decode and commonly used in CTFs to obfuscate hints.
- How: CyberChef (From Base64) or command line:
echo 'anMvbXlmaW==' | base64 --decode
- 🐚
curl- What: Command‑line tool to fetch web resources.
- Why: Fast check for availability or to script retrieval of files.
- Example:
curl -s http://saturn.picoctf.net:65352/js/myfile.txt
- 🔁 Handling missing Base64 padding
- What: Base64 strings must be length multiples of 4; padding
=may be required. - Why: Some challenges omit padding accidentally; adding
=can fix decoding errors. - How: If
base64fails, try appending=or==until decode succeeds.
- What: Base64 strings must be length multiples of 4; padding