capture the flag, hacking, web application security

PicoCTF 2017 – What Is Web

Another day, another challenge.

In today’s blog post we are solving the challenge, “What Is Web” from the PicoCTF challenge.

Let’s start!

Clicking on the challenge we see:


OK, so we need to find out how to use HTML.

Looking at the hints we see:

Clicking on the website we see:

PicoCTF_What_Is_Web_3Doing a right click, view source we see:


At the bottom of the screen in the green letters (which are comments that are not displayed in the browser) show that we have the first part of the flag.

Now we need to find the second and third part of the flag.

Looking back at the page source we see two different files that are referenced: hacker.css and script.js

Let’s look at hacker.css first and see what’s there.

Going to that file we see the second part of the flag at the top of the browser:


Now let’s look at the script.js file and see if we can find the final part of the flag…

Going to the script.js file we see:


We now have the three parts of the flag!

Combining the parts together and submitting the flag, we’ve acquired 20 points!

capture the flag, hacking, web application security

InfoSec Institute Challenge #12

Another day, another challenge.

Today’s challenge is coming from the InfoSec Institute.

Going to the following link we see the following:


Doing a right click, view page source we see the following:


We noticed there’s an extra CSS (Cascading Style Sheets).  Let’s see what’s in this file.

Going to the file we see the following:


Hmm… this looks interesting. Knowing a thing or two about CSS, the colors are represented in hex (hexadecimal, base 16) form. More can be found here.

I’m thinking this is the actual flag, but it’s just encoded.

Using out knowledge from other challenges, let’s try base64 decoding, since it has worked before.

Going to the link here, and typing in the encoding we get the following:


Our decoding wasn’t successful. This encoding is not base64.

Going back to the challenge, we know that CSS uses hexadecimal to represent colors.

Maybe the encoding is in hexadecimal form.

Going to Google and typing in “converting hexadecimal to text” we get the following link.

Putting our encoding in the text box and changing the decoding to “hexadecimal to text” we get the following:


We found the flag!

Lessons learned:

Attention to detail! We noticed that there was another file when we did the right click, view page source. Going to that page we noticed that there was encoding. We first tried base64 which did not work. Going back to the drawboard on how CSS works, we know the colors are represented in hexadecimal. Doing a Google search of hexadecimal to text we were able to find the flag.