Solutions to Puzzle #4 Web Vulnerabilities- Flags 1–6
Girls Go CyberStart is a fun series of cyber challenges where a curious mind and a willingness to try are your best tools. You don’t need any cybersecurity background to succeed! But if you like to warm up your cyber muscles before a race, these Practice Puzzles will give you a look at the types of challenges in GGCS along with tips and tricks to solving them. You could be solving challenges like these soon! Find out more and register here, competition play starts January 13.
Oops, solutions were supposed to be posted sooner — so let’s do a bunch at once! Here are the solutions to Flag #1 to Flag #6. This video provides a short walk-through of each solution along with some tips about these type of Capture The Flag challenges. Just want the solution and the flag? There’s a short text version right below!
Flag #1 Hint: Color is a smart method to hide things.
Solution: The first comment on the page has text styled black. Use CTRL-A to select all text, this will highlight all items on the page and the black text becomes visible. Flag = IAMTHEN1GHTF0nt .
Flag #2 Hint: A way that websites say “Hey web crawler, don’t scan this part!”
Solution: Browse to the /robots.txt of the website to find “Well done, you found flag! Your flag is R0b0TCrawl2027”. Watch video for explanation of how and why websites use robots.txt files.
Flag #3 Hint: To find something right in front of you, sometimes you need to go to the (View) Source.
Solution: Rightclick anywhere on the page, from the drop down menu select View Page Source. This opens a new tab with the website source HTML code. Scroll down to find the 2nd comment (green text) “ <! — NOTE: Sometimes hidden information is right in front of you, but just visible when you look the right way. Your flag is Br0ws3rSl3uth^ →”
Watch video for explanation of using Developer Tools and View Page Source
Flag #4 Hint: You just need to be patient with the master of data hiding.
Solution: In the source code at the bottom you can see this code:
but if you click on awake.js you find the code is obfuscated so it’s not possible to identify the values and function. However, if you wait long enough without changing the page this flag will appear. The code about timing is left unobfuscated as a hint to wait. It takes 3 minutes! Flag = Pat1entHaxorFTW
Flag #5 Hint: What happens if you right-click that cracked Avatar and open it in a new tab? Can you fix it?
Solution: Notice the last comment from the Capn Stego user has a missing image. Right click on the broken image and open in new tab to access the image source file. Spot the extension is missing so in the URL simply add a .png at the end and you get the flag! Flag = ImgSteg1337!
Flag #6 Hint: When you Inspect a web page, you should look past the Elements. There’s so many more tabs to explore!
Solution: Right click on the webpage and select the “Inspect” developer tool. At the top, click on the Console Tab and the answer is right there for you!
Flag = D3ta1lOr1entedDeveloer
Coming up next — solutions to the last flags!
Flag #7: To get an admin message, go big in your script.
Flag #8: This one will take an eye for the small detail + a touch of encoding
Flag #9: Scripts can hide secrets, but can you make them function?
