Task description

In this task, we need to search for hidden directories on the target host.

ffuf

Let’s start with ffuf. We will scan the directories on the host:

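ffuf -w /usr/share/wordlists/dirb/common.txt -u http://saturn.picoctf.net:54588/FUZZ -e .html,.php,.txt,.bak,.old,.json,.xml,.log,.conf,.config
  • -w: wordlist
  • -u: url
  • -e: extensions (appended to each word exactly as written, so they include the leading dot)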

Result:

ffuf found a directory named secret. But when we request it in Burp, we get a 301 redirect (ffuf also reported code 301) that leads nowhere (blank page).

NOTE

This often indicates that the directory exists, but it does not contain an index.html file, or the server is not configured to automatically list directories.

In other words, the flag is not located on the /secret page itself, but in another file inside this directory.
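The behaviour described in the note, reproduced locally as an added example (not part of the original write-up): Python's built-in http.server stands in for the target, and the directory tree, the NoListing handler and probe() are constructed for the demo. Returning 403 for a directory without an index file is this demo's choice; the challenge server showed a blank page instead.

```python
import functools, http.client, http.server, os, tempfile, threading

class NoListing(http.server.SimpleHTTPRequestHandler):
    """Static file handler with automatic directory listing turned off."""
    def list_directory(self, path):
        self.send_error(403, "Directory listing disabled")
        return None

    def log_message(self, *args):  # keep the demo quiet
        pass

def probe(paths):
    """Serve a constructed tree on localhost; return {path: (status, Location)}."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed layout: secret/ has no index file, secret/hidden/ has one.
        os.makedirs(os.path.join(root, "secret", "hidden"))
        with open(os.path.join(root, "secret", "hidden", "index.html"), "w") as f:
            f.write("<h1>constructed page</h1>")
        handler = functools.partial(NoListing, directory=root)
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        results = {}
        try:
            for p in paths:
                # http.client does not follow redirects, so the 301 stays visible.
                conn = http.client.HTTPConnection(
                    "127.0.0.1", srv.server_address[1], timeout=5)
                conn.request("GET", p)
                resp = conn.getresponse()
                resp.read()
                results[p] = (resp.status, resp.getheader("Location"))
                conn.close()
        finally:
            srv.shutdown()
            srv.server_close()
    return results

if __name__ == "__main__":
    demo = ["/secret", "/secret/", "/secret/hidden/index.html", "/missing"]
    for path, (status, loc) in probe(demo).items():
        print(f"{status} {path}" + (f" -> {loc}" if loc else ""))
```

The 301 on /secret only adds the trailing slash, which confirms the directory exists; whether anything is served at /secret/ depends on the index file and the listing setting.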

Let’s dig deeper into <picohost>:<port>/secret:

ffuf -w /usr/share/wordlists/dirb/common.txt -u http://saturn.picoctf.net:54588/secret/FUZZ -e .html,.php,.txt,.bak,.old,.json,.xml,.log,.conf,.config

Let’s go through all the options we found:

/secret/assets
/secret/hidden
/secret/index.html

There is something interesting in /secret/index.html:

Inspect source code

Let’s inspect the HTML code of the page.

After trying out different URL options, I found /secret/hidden/index.html:

Let’s examine the code of this page with input forms:

Go through the URL options and arrive at the flag:

picoCTF{succ3ss_@h3n1c@10n_51b260fe}