Have you ever thought about joining the ranks of white hat hackers and penetration testers? Not sure where to start or how to practice your skills? Capture the flag games, or CTFs for short, are not the most lifelike situations, but they can help you build a way of thinking and learn the basic tools. PicoCTF is a great site to start with as a beginner.
CTF stands for Capture The Flag, and in the context of cyber security, it refers to a type of cyber security competition or game. The goal of a CTF is to solve a variety of challenges to obtain “flags” hidden in different parts of the system. These challenges are designed to test participants’ skills in various areas of cyber security, including but not limited to:
- Reverse Engineering: Participants may need to analyze and understand the functionality of a binary or piece of software to find vulnerabilities or extract hidden information.
- Web Security: Challenges involving web applications often require participants to exploit vulnerabilities such as SQL injection, cross-site scripting (XSS), or other web-related security issues.
- Network Security: Participants may have to analyze network traffic, find vulnerabilities in network configurations, or exploit weaknesses in network protocols.
- Forensics: Challenges related to digital forensics may involve analyzing disk images, network traffic logs, or other artifacts to uncover hidden information.
- Cryptography: Participants may need to decrypt messages, break codes, or analyze cryptographic protocols to reveal hidden flags.
- Binary Exploitation: Involves finding vulnerabilities and exploiting weaknesses in compiled binaries or executable code.
This article is a write-up of one of PicoCTF’s web exploitation challenges. Let’s see it!
“where are the robots”
When you open the exercise, the description reads:
Description
Can you find the robots? https://jupiter.challenges.picoctf.org/problem/60915/ (link) or http://jupiter.challenges.picoctf.org:60915
Visiting the link drops you on a website whose only content is a welcome message and a suspicious string: Where are the robots?
(If you are a beginner you can use the “Hints” button to show you some advice.)
After reading the text, our first idea is to check the robots.txt file on the site.
A robots.txt file is a text file created by webmasters to guide web robots, particularly search engine robots, on how to crawl pages on a website. This file is part of the robots exclusion protocol (REP), a set of web standards that regulate how robots crawl the web, access and index content, and serve that content to users. The robots.txt file must be placed in the website’s top-level directory and is case sensitive, named specifically as “robots.txt”. It contains directives for user agents, specifying whether certain parts of a website can or cannot be crawled.
Extend the original URL with the /robots.txt string to see the contents of the file.
https://jupiter.challenges.picoctf.org/problem/60915/robots.txt
You will see that the robots.txt file contains the following text:
User-agent: *
Disallow: /8028f.html
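The file names a page that is excluded from crawling and indexing: 8028f.html. Because robots.txt is publicly readable and only advisory, listing a page there does not stop anyone from opening it.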
Let’s visit this file in our browser window!
https://jupiter.challenges.picoctf.org/problem/60915/8028f.html
Voila! The flag is there.
The text PicoCTF{ ... } is the flag. Copy it to the text area on the task page and you’ve solved the puzzle. Congratulations!
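The same file from a site owner’s side, as an added example that is not part of the original challenge or write-up: it parses a robots.txt and lists every literal Disallow path as the URL any visitor can read out of it, so each one can be checked for real access control. The sample extends the two lines shown above with constructed entries; the base URL `https://www.example.test/`, the function names, and resolving paths against the given base are assumptions.

```python
from urllib.parse import urljoin

# Constructed sample: the two lines from the write-up plus hypothetical entries.
SAMPLE = """\
User-agent: *
Disallow: /8028f.html
Disallow: /images/    # constructed entry
Disallow:             # empty value, disallows nothing

User-agent: examplebot
Disallow: /*.pdf$
"""

def parse_disallow(text):
    """Return {user_agent: [path, ...]} for every non-empty Disallow rule."""
    groups, agents, in_rules = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                         # rules ended the previous group
                agents, in_rules = [], False
            agents.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow"):
            in_rules = True
            if field == "disallow" and value:
                for agent in agents:
                    groups[agent].append(value)
    return groups

def disclosed_paths(base, text):
    """List (agent, kind, url) for literal Disallow paths, resolved against base."""
    findings = []
    for agent, paths in parse_disallow(text).items():
        for path in paths:
            if "*" in path or "$" in path:       # pattern, not a single location
                continue
            kind = "directory" if path.endswith("/") else "file"
            findings.append((agent, kind, urljoin(base, path.lstrip("/"))))
    return findings

if __name__ == "__main__":
    for agent, kind, url in disclosed_paths("https://www.example.test/", SAMPLE):
        print(f"{agent:12} {kind:10} {url}  <- publicly disclosed, needs real access control")
```

Anything this reports that should not be public needs authentication or removal from the web root; dropping the Disallow line alone does not protect it.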