picoCTF
Platform: picoCTF — Carnegie Mellon University's free computer security competition
Format: Jeopardy-style CTF with challenges across Web Exploitation, Reverse Engineering, Cryptography, Forensics, Binary Exploitation, and General Skills
Difficulty: Beginner to Intermediate
picoCTF is the largest high school hacking competition but attracts participants at all levels. Challenges are gamified, well-documented, and excellent for building foundational cybersecurity skills.
2024 Challenges
No SQL Injection
- Category: Web Exploitation
- Difficulty: Medium
- Date: 2024
Description:
Can you try to get access to this website to get the flag? Source code provided.
Solution:
After downloading the source code, the admin email is found in server.js. The login logic is vulnerable to NoSQL injection — if email or password starts with { and ends with }, the code parses it as JSON. This allows injecting MongoDB operators like $ne (not equal) or $gt (greater than) without input sanitization.
Credentials used:
"email": "picoplayer355@picoctf.org",
"password": "{\"$ne\": null}"
Because the password value starts with { and ends with }, the server parses it into the object {"$ne": null} and passes it straight into the MongoDB query. The filter then matches the admin document as long as its stored password is not null, so the real password is never compared and authentication is bypassed.
Retrieving the Flag:
- After logging in, go to Application > Session Storage in the browser's developer tools
- Copy the token value and decode it from Base64:
echo "cGljb0NURntqQmhEMnk3WG9OelB2XzFZeFM5RXc1cUwwdUk2cGFzcWxfaW5qZWN0aW9uXzI1YmE0ZGUxfQ==" | base64 -d
Key Topics: NoSQL Injection, MongoDB $ne / $gt operators, JSON.parse() pitfalls, Base64 session token decoding, input validation bypass.
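The pattern behind the bypass, as an added example that is not the challenge's server.js: a login lookup that JSON-parses brace-wrapped strings, a toy evaluator for the $ne and $gt operators the write-up names so the injected filter can be run offline, and a hardened variant that treats credentials strictly as strings. The USERS array, the stored passwords and the role field are constructed sample data; only the admin email and the {"$ne": null} payload come from the write-up.

```javascript
// Added example, not the challenge's server.js. Shows the JSON.parse shortcut
// described in the write-up turning a login lookup into NoSQL injection, and
// a hardened variant. USERS, the stored passwords and the role field are
// constructed sample data.

const USERS = [
  { email: 'picoplayer355@picoctf.org', password: 'correct horse battery staple', role: 'admin' },
  { email: 'alice@example.org', password: 'hunter2', role: 'user' },
];

// Vulnerable: a value wrapped in braces is parsed as JSON before it is used as
// a query value, so a client can smuggle MongoDB operators into the filter.
function vulnerableQuery(email, password) {
  const parse = (v) => (v.startsWith('{') && v.endsWith('}') ? JSON.parse(v) : v);
  return { email: parse(email), password: parse(password) };
}

// Hardened: credentials must be plain strings and are never parsed, so no
// operator object can ever reach the query.
function hardenedQuery(email, password) {
  if (typeof email !== 'string' || typeof password !== 'string') {
    throw new TypeError('credentials must be strings');
  }
  return { email, password };
}

// Toy evaluator for the two operators the write-up names, so the injected
// filter can be run against USERS offline. A real driver evaluates these
// server-side; the semantics shown here are the same.
function fieldMatches(actual, expected) {
  if (expected !== null && typeof expected === 'object') {
    return Object.entries(expected).every(([op, arg]) => {
      if (op === '$ne') return actual !== arg;
      if (op === '$gt') return actual > arg;
      throw new Error(`operator ${op} not supported by this toy evaluator`);
    });
  }
  return actual === expected;
}

function findOne(filter) {
  const hit = USERS.find((u) => Object.entries(filter).every(([k, v]) => fieldMatches(u[k], v)));
  return hit || null;
}

function loginVulnerable(email, password) {
  return findOne(vulnerableQuery(email, password));
}

function loginHardened(email, password) {
  try {
    return findOne(hardenedQuery(email, password));
  } catch (e) {
    return null; // rejected input is just a failed login
  }
}

// Attacker input from the write-up: the admin's email and an operator object
// as the password. The stored password is never compared.
const EMAIL = 'picoplayer355@picoctf.org';
const INJECTED_PASSWORD = '{"$ne": null}';

const v = loginVulnerable(EMAIL, INJECTED_PASSWORD);
console.log('vulnerable login:', v ? v.role : null);                      // admin
console.log('hardened login  :', loginHardened(EMAIL, INJECTED_PASSWORD)); // null
```

The hardened version does not need to blocklist $-prefixed keys: once the value is guaranteed to be a string and is never parsed, the whole operator class is unreachable. The typeof check also matters for body parsers that can deliver nested objects directly (for example qs-style form decoding), which would bypass a brace check entirely.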
2022 Challenges
Secrets
- Category: Web Exploitation
- Difficulty: Easy
- Date: 2022
Description:
We have several pages hidden. Can you find the one with the flag?
Solution:
- Inspect the page: right-click → Inspect → check the Sources tab. A /secret/ directory is listed.
- Directory enumeration: visit /secret/ → /secret/hidden/ → /secret/hidden/superhidden/
- The flag isn't displayed on the final page but is present in its source, visible with the browser's Inspector.
Key Topics: Directory enumeration, hidden pages discovery, browser DevTools Sources tab.
Search Source
- Category: Web Exploitation
- Difficulty: Easy
- Date: 2022
Description:
The developer of this website mistakenly left an important artifact in the website source, can you find it?
Solution:
Used wget to mirror the website (-m mirror, -p fetch page requisites, -E add .html extensions, -k rewrite links for local browsing), then searched the download for the flag pattern:
wget -mpEk http://saturn.picoctf.net:50079
grep -r 'picoCTF{' .
Key Topics: Website mirroring with wget, recursive grep for flag patterns.
Roboto Sans
- Category: Web Exploitation
- Difficulty: Easy
- Date: 2022
Description:
The flag is somewhere on this web application not necessarily on the website. Find it.
Solution:
Visited /robots.txt which contained Base64-encoded paths:
User-agent *
Disallow: /cgi-bin/
ZmxhZzEudHh0;anMvbXlmaW
anMvbXlmaWxlLnR4dA==
svssshjweuiwl;oiho.bsvdaslejg
Disallow: /wp-admin/
Decoded the second entry:
echo "anMvbXlmaWxlLnR4dA==" | base64 -d
# Output: js/myfile.txt
Visited http://saturn.picoctf.net:53442/js/myfile.txt — flag revealed.
Key Topics: robots.txt enumeration, Base64 decoding, hidden paths discovery.
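Picking the encoded entries out of a robots.txt like the one above by hand works for six lines; for anything longer a small scanner is handier. The following is an added example, not part of the challenge or the write-up: it skips the real directives, splits the remaining lines on anything outside the Base64 alphabet, and only decodes tokens that are well-formed Base64 and yield printable ASCII. The ROBOTS_TXT sample is the file quoted above, embedded inline so the code runs offline.

```javascript
// Added example, not challenge code: find Base64-encoded paths hidden in a
// robots.txt body. ROBOTS_TXT is the file quoted in the write-up, embedded
// here so the scanner runs offline.

const ROBOTS_TXT = `User-agent *
Disallow: /cgi-bin/
ZmxhZzEudHh0;anMvbXlmaW
anMvbXlmaWxlLnR4dA==
svssshjweuiwl;oiho.bsvdaslejg
Disallow: /wp-admin/`;

// Strict shape check: Base64 alphabet only, length a multiple of 4, at most two
// trailing '=' pads. Node's Buffer.from(..., 'base64') silently accepts junk,
// so without this filter every token would "decode" to something.
const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;
function isWellFormedBase64(token) {
  return BASE64_RE.test(token) && token.length % 4 === 0;
}

// Decoded bytes are only interesting if they look like a path: printable ASCII.
function isPrintableAscii(buf) {
  return buf.length > 0 && buf.every((b) => b >= 0x20 && b <= 0x7e);
}

// Lines that start with a real robots.txt directive are skipped; anything else
// is split into candidate tokens so "a;b" is tried as two tokens.
const DIRECTIVE_RE = /^(user-agent|disallow|allow|sitemap|crawl-delay)\b/i;

// Returns [{ token, decoded }] for every candidate that passes both checks.
function extractEncodedPaths(text) {
  const found = [];
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#') || DIRECTIVE_RE.test(line)) continue;
    for (const token of line.split(/[^A-Za-z0-9+/=]+/)) {
      if (!isWellFormedBase64(token)) continue;
      const bytes = Buffer.from(token, 'base64');
      if (isPrintableAscii(bytes)) found.push({ token, decoded: bytes.toString('ascii') });
    }
  }
  return found;
}

for (const { token, decoded } of extractEncodedPaths(ROBOTS_TXT)) {
  console.log(`${token} -> ${decoded}`);
}
```

On the sample above this yields two paths: the second entry the write-up decodes, and the first half of the third line, which is also valid Base64. The truncated fragment after the semicolon and the keyboard-mash line are dropped by the length and printability checks rather than producing garbage.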
Power Cookie
- Category: Web Exploitation
- Difficulty: Easy
- Date: 2022
Description:
Find the flag by exploring the website.
Solution:
- Click "Continue as guest" → an error message appears
- Inspect guest.js → the script sets the cookie isAdmin=0
- Change the cookie to isAdmin=1 in the browser's DevTools
- Refresh the page → flag revealed
Key Topics: Client-side security weaknesses, cookie manipulation, privilege escalation via browser DevTools, role-based access in JavaScript.
Forbidden Paths
- Category: Web Exploitation
- Difficulty: Easy
- Date: 2022
Description:
Can you get the flag? We know that the website files live in /usr/share/nginx/html/ and the flag is at /flag.txt but the website is filtering absolute file paths. Can you get past the filter to read the flag?
Solution:
- The website lists three text files and asks for a file name
- /flag.txt exists, but the filter rejects absolute paths
- Used path traversal with a relative path instead: ../../../../flag.txt (four ../ segments climb from /usr/share/nginx/html/ to /)
- Successfully accessed and retrieved the flag
Key Topics: Path traversal, bypassing input filters with relative paths (../../), NGINX file structure.
SQL Direct
- Category: Web Exploitation
- Difficulty: Easy
- Date: 2022
Description:
Connect to this PostgreSQL server and find the flag!
psql -h saturn.picoctf.net -p 62693 -U postgres pico
Password is postgres.
Solution:
Used \d to list the relations in the database, found a flags table, then:
SELECT * FROM flags;
Result:
 id | firstname | lastname  | address
----+-----------+-----------+----------------------------------------
  1 | Luke      | Skywalker | picoCTF{L3arN_S0m3_5qL_t0d4Y_[REDACTED]}
  2 | Leia      | Organa    | Alderaan
  3 | Han       | Solo      | Corellia
Key Topics: PostgreSQL CLI (psql), database enumeration (\d, \?), basic SQL queries.
SQLiLite
- Category: Web Exploitation
- Difficulty: Easy
- Date: 2022
Description:
Can you log in to this website?
Solution:
Attempting to log in with any credentials reveals the SQL query the server runs:
SELECT * FROM users WHERE name='test' AND password='test';
This indicates a classic SQL injection vulnerability: the inputs are concatenated straight into the query string. To bypass the password check, close the name string with a quote and start an SQL comment with -- so the rest of the WHERE clause is ignored:
- Username: admin'--
- Password: (leave blank)
The query then becomes SELECT * FROM users WHERE name='admin'--' AND password=''; and only the name condition is evaluated, so you are logged in as admin. (SQLite treats -- as a comment with nothing after it; MySQL requires a space after the dashes.) The flag isn't displayed on the page but can be found using the browser's Inspector (right-click → Inspect) in the page's source code.
Key Topics: SQL injection authentication bypass, SQL comment (--), source code inspection.
JAuth
- Category: Web Exploitation
- Difficulty: Medium
- Date: 2022
Description:
Most web application developers use third party components without testing their security. Can you identify the components and exploit the vulnerable one? You can login as test with the password Test123! to get started.
Solution:
- Logged in with test:Test123!
- Inspected the JWT token cookie under Storage > Cookies
- Decoded the token at token.dev:
Header:
{ "typ": "JWT", "alg": "HS256" }
Payload:
{ "auth": 1688308967209, "agent": "Mozilla/5.0 ...", "role": "user", "iat": 1688308967 }
- Exploited the alg=none vulnerability: changed the algorithm from HS256 to none and modified the payload so that role is admin:
{ "typ": "JWT", "alg": "none" }
{ "auth": 1688308967209, "agent": "Mozilla/5.0 ...", "role": "admin", "iat": 1688308967 }
- Replaced the cookie with the modified JWT: the Base64url-encoded header and payload joined by a dot, followed by a trailing period and an empty signature. The trailing period is crucial for alg=none tokens, since the server still splits on three segments. A verifier that honours the alg named in the token header skips signature verification for none, which is what makes the forged role accepted.
- Refreshed the page: logged in as admin, flag displayed
Automation with cURL:
curl 'http://saturn.picoctf.net:55824/private' \
  -H 'Cookie: token=eyJ0eX...2N30.'
Key Topics: JWT structure (header/payload/signature), alg=none attack, privilege escalation via role manipulation, JWT debugging tools, cookie tampering.