picoGym 2019 Web Exploitation: Insp3ctor
Here is a brief walkthrough of one of the easier CTF challenges.
Here is our CTF challenge. The first clue is in the description, which says the code may need to be inspected. Next, let's take a look at the hints:
Hint 1: How do you inspect a web code on a browser?
Hint 2: There's 3 parts
We are set to start. First, I opened the challenge URL in Burp Suite's built-in browser on Kali. Here is the homepage:
To populate Burp's site map with a few pages, I clicked both links. Clicking the "How" link changed the page to this:
This let me know that I need to look in three files: an *.html, a *.css, and a *.js file.
Knowing the homepage is probably index.html, I returned to Burp to look at its source:
Not only do we get the filenames myjs.js and mycss.css, but we also get the first part of our flag at the bottom of the code. Next, we see that myjs.js has already been requested and is loaded in Burp, so naturally we look at its source:
Looking at the source reveals part 3 of our flag. Next, we only need to request mycss.css, the one file we haven't visited yet:
And there it is: part 2. We now have all three parts, and the assembled flag is:
picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?832b0699}
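The same three-file search can be automated. The script below is an added example, not part of the original walkthrough or of the challenge itself: it parses an index.html for linked stylesheets and scripts, scans the HTML, CSS and JS comments for fragments labelled "N/M of the flag:", and joins them in order. The three sample files are constructed stand-ins with made-up fragments (the real challenge files are not reproduced here), and the "N/M of the flag:" wording is an assumption about how the fragments are labelled.

```python
import re
from html.parser import HTMLParser

# Constructed sample files standing in for index.html, mycss.css and myjs.js.
# The comment wording and fragments are made up for this example.
SAMPLE_FILES = {
    "index.html": """<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="mycss.css">
<script src="myjs.js"></script>
</head><body><h1>Inspect me</h1></body></html>
<!-- Html is neat. Anyways have 1/3 of the flag: picoCTF{part1_ -->""",
    "mycss.css": """body { margin: 0; }
/* You need CSS to make pretty pages. Here's part 2/3 of the flag: part2_ */""",
    "myjs.js": """function openTab(tabName, elmnt, color) {}
/* Javascript sure is neat. Anyways part 3/3 of the flag: part3} */""",
}


class AssetLinkParser(HTMLParser):
    """Collect the href of every stylesheet <link> and the src of every <script>."""

    def __init__(self):
        super().__init__()
        self.assets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") == "stylesheet" and a.get("href"):
            self.assets.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.assets.append(a["src"])


def linked_assets(html):
    """Return the CSS and JS files referenced by an HTML document, in document order."""
    p = AssetLinkParser()
    p.feed(html)
    return p.assets


# HTML comments and C-style block comments (used by both CSS and JS).
COMMENT_RE = re.compile(r"<!--(.*?)-->|/\*(.*?)\*/", re.S)
# Assumed label format: "1/3 of the flag: <fragment>".
PART_RE = re.compile(r"(\d)/(\d) of the flag:\s*(\S+)")


def flag_parts(text):
    """Return {part_number: fragment} for every labelled fragment found inside a comment."""
    parts = {}
    for m in COMMENT_RE.finditer(text):
        body = m.group(1) or m.group(2) or ""
        for pm in PART_RE.finditer(body):
            parts[int(pm.group(1))] = pm.group(3)
    return parts


def assemble_flag(files, entry="index.html"):
    """Scan the entry page plus every asset it links, then join the fragments by part number."""
    parts = {}
    for name in [entry] + linked_assets(files[entry]):
        parts.update(flag_parts(files[name]))
    return "".join(parts[i] for i in sorted(parts))


if __name__ == "__main__":
    print(assemble_flag(SAMPLE_FILES))
```

Against a live target you would replace SAMPLE_FILES with the bodies fetched for index.html and each linked asset; the point of walking the link/script tags is that an asset the browser has not yet requested (as mycss.css was here) is still found.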
As stated before, this is one of the easier CTF challenges. I plan to add more walkthroughs as I feel up to it. Stay tuned to the blog.