picoCTF

Platform: picoCTF — Carnegie Mellon University's free computer security competition
Format: Jeopardy-style CTF with challenges across Web Exploitation, Reverse Engineering, Cryptography, Forensics, Binary Exploitation, and General Skills
Difficulty: Beginner to Intermediate

picoCTF is the largest high school hacking competition but attracts participants at all levels. Challenges are gamified, well-documented, and excellent for building foundational cybersecurity skills.

2024 Challenges

No SQL Injection

  • Category: Web Exploitation
  • Difficulty: Medium
  • Date: 2024

Description:
Can you try to get access to this website to get the flag? Source code provided.

Solution:
After downloading the source code, the admin email is found in server.js. The login logic is vulnerable to NoSQL injection — if email or password starts with { and ends with }, the code parses it as JSON. This allows injecting MongoDB operators like $ne (not equal) or $gt (greater than) without input sanitization.

Credentials used:

"email": "picoplayer355@picoctf.org",
"password": "{\"$ne\": null}"

This bypasses authentication: the password field is matched with $ne: null, which is true for any user document whose password is set, so the query returns the account for the given email without the real password.
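To make the parsing flaw concrete, here is an added example (not the challenge's server.js, and not a MongoDB driver) that mirrors the described logic, puts a hardened credential parser beside it, and includes a tiny in-memory matcher for the $ne and $gt operators the writeup names so the effect can be observed without a database. The user collection, the stored password and the function names are constructed for this example.

```javascript
// Mirrors the vulnerable behaviour described in the writeup: a value that
// starts with "{" and ends with "}" is JSON.parse()d, so an object carrying
// query operators reaches the database query untouched.
function parseCredentialVulnerable(value) {
  if (typeof value === "string" && value.startsWith("{") && value.endsWith("}")) {
    return JSON.parse(value);
  }
  return value;
}

// Hardened: credentials are compared only as literal strings. Non-string
// values (e.g. objects produced by an extended query-string/body parser from
// input such as password[$ne]=) are rejected, and nothing is JSON.parse()d.
function parseCredentialSafe(value) {
  if (typeof value !== "string") {
    throw new TypeError("credential must be a string");
  }
  return value;
}

function buildLoginQuery(email, password, parse) {
  return { email: parse(email), password: parse(password) };
}

// Minimal evaluator for the operators discussed on the page ($ne, $gt);
// a real database supports many more, which is why type-checking input is
// preferable to blocklisting operator names.
function fieldMatches(actual, expected) {
  if (expected !== null && typeof expected === "object") {
    if ("$ne" in expected) return actual !== expected.$ne;
    if ("$gt" in expected) return actual > expected.$gt;
    return false; // unsupported operator: no match
  }
  return actual === expected;
}

function findUser(users, query) {
  const hit = users.find((u) =>
    Object.keys(query).every((k) => fieldMatches(u[k], query[k]))
  );
  return hit === undefined ? null : hit;
}

// Constructed sample collection; the password is a placeholder.
const USERS = [
  { email: "picoplayer355@picoctf.org", password: "correct-horse-battery-staple" },
];

function loginVulnerable(email, password) {
  return findUser(USERS, buildLoginQuery(email, password, parseCredentialVulnerable));
}

function loginSafe(email, password) {
  return findUser(USERS, buildLoginQuery(email, password, parseCredentialSafe));
}
```

With the hardened parser the string `{"$ne": null}` is just a (wrong) password and the lookup returns nothing; an object-typed credential is rejected before any query is built.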

Retrieving the Flag:

  1. After logging in, go to Application > Session Storage in the browser's developer tools
  2. Copy the token value and decode it from Base64:
```bash
echo "cGljb0NURntqQmhEMnk3WG9OelB2XzFZeFM5RXc1cUwwdUk2cGFzcWxfaW5qZWN0aW9uXzI1YmE0ZGUxfQ==" | base64 -d
```

Key Topics: NoSQL Injection, MongoDB $ne / $gt operators, JSON.parse() pitfalls, Base64 session token decoding, input validation bypass.


2022 Challenges

Secrets

  • Category: Web Exploitation
  • Difficulty: Easy
  • Date: 2022

Description:
We have several pages hidden. Can you find the one with the flag?

Solution:

  • Inspect the Page: Right-click → Inspect → Check the Sources tab. Discovered a /secret/ directory.
  • Directory Enumeration: Visit /secret/, then /secret/hidden/, then /secret/hidden/superhidden/
  • The flag isn't displayed on the page but can be found using the browser's Inspector.

Key Topics: Directory enumeration, hidden pages discovery, browser DevTools Sources tab.


Search Source

  • Category: Web Exploitation
  • Difficulty: Easy
  • Date: 2022

Description:
The developer of this website mistakenly left an important artifact in the website source, can you find it?

Solution:
Used wget to download the website, then searched for the flag:

```bash
wget -mpEk http://saturn.picoctf.net:50079
grep -r 'picoCTF{' .
```

Key Topics: Website mirroring with wget, recursive grep for flag patterns.


Roboto Sans

  • Category: Web Exploitation
  • Difficulty: Easy
  • Date: 2022

Description:
The flag is somewhere on this web application not necessarily on the website. Find it.

Solution:
Visited /robots.txt which contained Base64-encoded paths:

```text
User-agent *
Disallow: /cgi-bin/
ZmxhZzEudHh0;anMvbXlmaW
anMvbXlmaWxlLnR4dA==
svssshjweuiwl;oiho.bsvdaslejg
Disallow: /wp-admin/
```

Decoded the second entry:

```bash
echo "anMvbXlmaWxlLnR4dA==" | base64 -d
# Output: js/myfile.txt
```

Visited http://saturn.picoctf.net:53442/js/myfile.txt — flag revealed.

Key Topics: robots.txt enumeration, Base64 decoding, hidden paths discovery.


  • Category: Web Exploitation
  • Difficulty: Easy
  • Date: 2022

Description:
Find the flag by exploring the website.

Solution:

  1. Click "Continue as guest" → error message appears
  2. Inspect guest.js → the cookie isAdmin is set to 0 for guests, so the role is decided client-side
  3. Change the cookie isAdmin=1
  4. Refresh the page → flag revealed

Key Topics: Client-side security weaknesses, cookie manipulation, privilege escalation via browser DevTools, role-based access in JavaScript.
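The weakness in this challenge is that the server believes a role stored in a cookie the browser controls. The following added example (not the challenge's guest.js) contrasts that pattern with a server-side session lookup, where the cookie carries only an opaque session id. The cookie parser, the `sid` cookie name and the session store are constructed for this example.

```javascript
// Parse a raw Cookie header ("a=1; b=2") into a key/value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// Vulnerable pattern from the writeup: the client asserts its own role, so
// editing the cookie value in DevTools changes the authorisation decision.
function isAdminFromCookie(cookieHeader) {
  return parseCookies(cookieHeader).isAdmin === "1";
}

// Constructed server-side session store. The cookie only carries an opaque,
// unguessable id; the role lives where the client cannot edit it.
const SESSIONS = new Map([
  ["s-guest-0001", { user: "guest", role: "guest" }],
  ["s-admin-0001", { user: "alice", role: "admin" }],
]);

function isAdminFromSession(cookieHeader) {
  const sid = parseCookies(cookieHeader).sid;
  const session = sid === undefined ? undefined : SESSIONS.get(sid);
  return session !== undefined && session.role === "admin";
}
```

A tampered `isAdmin=1` cookie still flips the first check, but has no effect on the second: the only thing the client can present is a session id, and the role attached to it is read from the server's own store.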


Forbidden Paths

  • Category: Web Exploitation
  • Difficulty: Easy
  • Date: 2022

Description:
Can you get the flag? We know that the website files live in /usr/share/nginx/html/ and the flag is at /flag.txt but the website is filtering absolute file paths. Can you get past the filter to read the flag?

Solution:

  1. Website lists three text files and asks for a file name
  2. /flag.txt exists, but absolute paths are blocked
  3. Used path traversal: ../../../../flag.txt
  4. Successfully accessed and retrieved the flag

Key Topics: Path traversal, bypassing input filters with relative paths (../../), NGINX file structure.


SQL Direct

  • Category: Web Exploitation
  • Difficulty: Easy
  • Date: 2022

Description:
Connect to this PostgreSQL server and find the flag!

```bash
psql -h saturn.picoctf.net -p 62693 -U postgres pico
```

Password is postgres.

Solution:
Used \d to list tables, found flags table, then:

```sql
SELECT * FROM flags;
```

Result:

```text
 id | firstname | lastname  |                address
----+-----------+-----------+----------------------------------------
  1 | Luke      | Skywalker | picoCTF{L3arN_S0m3_5qL_t0d4Y_[REDACTED]}
  2 | Leia      | Organa    | Alderaan
  3 | Han       | Solo      | Corellia
```

Key Topics: PostgreSQL CLI (psql), database enumeration (\d, \?), basic SQL queries.


SQLiLite

  • Category: Web Exploitation
  • Difficulty: Easy
  • Date: 2022

Description:
Can you log in to this website?

Solution:
Attempting to log in with any credentials reveals an SQL query like:

```sql
SELECT * FROM users WHERE name='test' AND password='test';
```

This indicates a classic SQL injection vulnerability. To bypass the password check, use the SQL comment sequence -- to ignore the password condition:

  • Username: admin'--
  • Password: (leave blank)

This logs you in as the admin. The flag isn't displayed on the page but can be found using the browser's Inspector (right-click → Inspect) in the page's source code.

Key Topics: SQL injection authentication bypass, SQL comment (--), source code inspection.
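The query above is built by splicing the submitted username and password into the SQL text. The added example below (not the challenge's code, and not tied to any particular database driver) shows that construction, a small helper that reveals how much of the statement survives once `--` starts a comment, and the parameterised form that keeps the statement fixed. Table and column names are taken from the query shown on the page; the function names are this example's own.

```javascript
// Vulnerable: untrusted input becomes part of the SQL text.
function buildQueryUnsafe(name, password) {
  return `SELECT * FROM users WHERE name='${name}' AND password='${password}';`;
}

// Returns the part of a statement the engine actually evaluates: everything
// after the first "--" that appears outside a single-quoted literal is a
// comment. Simplified tokenizer: a doubled quote ('') is treated as a close
// and re-open, which is enough for this illustration.
function effectiveSql(sql) {
  let inString = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (ch === "'") {
      inString = !inString;
    } else if (!inString && ch === "-" && sql[i + 1] === "-") {
      return sql.slice(0, i).trimEnd();
    }
  }
  return sql;
}

// Hardened: placeholders keep the statement constant; the values are sent
// separately and can never change the statement's structure.
function buildQuerySafe(name, password) {
  return {
    sql: "SELECT * FROM users WHERE name = ? AND password = ?;",
    params: [name, password],
  };
}
```

With the username from the writeup, the unsafe statement loses its password condition entirely, while the parameterised version carries the same text harmlessly as a value; any driver that accepts a statement plus a parameter array (the `?` placeholder style used by SQLite) executes it as a lookup for a user literally named `admin'--`.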


JAuth

  • Category: Web Exploitation
  • Difficulty: Medium
  • Date: 2022

Description:
Most web application developers use third party components without testing their security. Can you identify the components and exploit the vulnerable one? You can login as test with the password Test123! to get started.

Solution:

  1. Logged in with test:Test123!
  2. Inspected the JWT token cookie under Storage > Cookies
  3. Decoded the token at token.dev:

Header:

```json
{ "typ": "JWT", "alg": "HS256" }
```

Payload:

```json
{ "auth": 1688308967209, "agent": "Mozilla/5.0 ...", "role": "user", "iat": 1688308967 }
```

  4. Exploited alg=none vulnerability — changed the algorithm from HS256 to none and modified the payload:

```json
{ "typ": "JWT", "alg": "none" }
```

```json
{ "auth": 1688308967209, "agent": "Mozilla/5.0 ...", "role": "admin", "iat": 1688308967 }
```

  5. Replaced the cookie with the modified JWT (trailing period is crucial for alg=none tokens)
  6. Refreshed the page — logged in as admin, flag displayed

Automation with cURL:

```bash
curl 'http://saturn.picoctf.net:55824/private' \
  -H 'Cookie: token=eyJ0eX...2N30.'
```

Key Topics: JWT structure (header/payload/signature), alg=none attack, privilege escalation via role manipulation, JWT debugging tools, cookie tampering.