พาตะลุยโจทย์ picoCTF หมวดหมู่ Web Exploitation

Voraprot SEESOD

12 Sept 202419:02

Summary

TLDRThis video script is a detailed walkthrough for beginners on how to tackle easy level web exploitation challenges on the Pico CTF platform. The guide covers logging in, navigating to practice problems, and using web development tools like inspecting HTML and decoding text. It also teaches how to find and submit flags for each challenge, emphasizing the importance of understanding HTML, CSS, and JavaScript for front-end web development.

Takeaways

🔐 The script is a walkthrough for solving beginner-level web exploitation challenges on a platform called pico ctf.
🌐 It instructs users to use Google Chrome and navigate to the pico ctf website to start solving challenges.
👤 Users are guided to log in or sign up if they don't have an account on the platform.
🔍 The script emphasizes filtering challenges by difficulty (Easy level) and category (web exploitation).
🕵️‍♂️ The first challenge, 'inspect html', teaches users how to use the browser's inspect tool to find comments in the HTML code.
🔑 The second challenge, 'inspector', involves finding parts of a website's code by inspecting different pages and piecing together comments.
🗜️ The third challenge, 'unminify', explains the concept of minifying code for efficiency and how to unminify it for readability.
🔢 The fourth challenge, 'web decode', introduces the process of decoding encoded text, specifically base64 encoding.
🤖 The final challenge, 'Where are the Robot', involves locating a 'robots.txt' file to understand which parts of a website are disallowed from being indexed by search engines.
🏆 Completing all five challenges gives a sense of accomplishment and provides foundational knowledge for web exploitation.

Q & A

What is the main objective of the video script?
-The main objective of the video script is to guide viewers through solving 5 easy level web exploitation challenges on the Pico CTF platform.
Which web browser does the script recommend using for the CTF challenges?
-The script recommends using Google Chrome as the web browser for the CTF challenges.
How does one access the Pico CTF challenges according to the script?
-To access the Pico CTF challenges, one should visit the Pico CTF website, click on the first link that appears, and then look for the 'Login' menu at the top right corner.
What should users do if they don't have an account on Pico CTF?
-If users don't have an account, they should click on the 'sign up' button located at the bottom left of the page to register.
How does the script suggest filtering the challenges on Pico CTF?
-The script suggests filtering the challenges by selecting 'Easy' difficulty level and choosing the 'Web Exploitation' category.
What is the first challenge mentioned in the script?
-The first challenge mentioned in the script is called 'inspect html'.
What tool is used to inspect the HTML of a website as per the script?
-The script instructs users to use the 'Inspect' feature in Google Chrome, accessible by right-clicking on the webpage and selecting 'Inspect'.
What is the purpose of inspecting HTML in web development?
-Inspecting HTML is used for developers to check and debug the client-side of web pages to ensure proper functionality and appearance.
What is the significance of finding the 'FA' or 'Flag' in the CTF challenges?
-The 'FA' or 'Flag' represents the solution to the challenge. Finding and submitting it is required to successfully complete the challenge.
What does the script suggest to avoid when commenting on websites?
-The script suggests avoiding making random comments, especially if they could be important and lead to website hacking.
How does the script describe the process of unminifying code?
-Unminifying code is described as the process of making the code more readable by expanding it, which is often done before deploying a website for better performance and loading speed.

Outlines

00:00

🔐 Introduction to Pico CTF

The speaker begins by introducing a tutorial on how to tackle Pico CTF challenges, specifically focusing on 5 beginner-level tasks. The initial step is to access the Pico CTF website using a browser, preferably Chrome. The audience is guided through the login process for registered users and the registration process for new users. After logging in, the speaker navigates to the 'Practice' menu and filters the challenges by 'Easy' difficulty level within the 'Web Exploitation' category. The first challenge, named 'inspect html', is highlighted, which involves inspecting the HTML code of a provided website to find a flag (FA).

05:00

🕵️‍♂️ Web Inspection and Source Code

The second paragraph elaborates on the process of inspecting a website's source code, which is crucial for front-end development. The speaker explains how to use the 'inspect' feature in Google Chrome to view the HTML structure and navigate to the page source to see the original client-side code. The importance of understanding HTML, CSS, and JavaScript is emphasized, as these are the core languages for creating web pages. The speaker demonstrates how to locate and combine parts of a flag hidden within the HTML, CSS, and JavaScript files of the website.

10:02

🔧 Unminify JavaScript Code

In this segment, the speaker addresses the challenge named 'unminify', which involves making the JavaScript code more readable by unminifying it. The tutorial explains the concept of minification in web development, which is used to reduce file size and improve website loading speed. The speaker guides the audience to use the 'pretty print' feature in Chrome DevTools to unminify the code and find the flag within the now-readable JavaScript code.

15:05

🔎 Decoding Encoded Text

The fourth paragraph is about a challenge that requires decoding encoded text. The speaker instructs the audience to use the 'View Page Source' feature to search for encoded text on a website. It is suggested that the encoded text might be Base64 or another encoding format. The speaker then introduces a website called 'CyberChef', a tool for decoding various types of encoded text. The audience is guided to decode the text using Base64 and extract the flag.

🤖 Finding the Robot.txt File

The final paragraph of the script covers a challenge that involves locating the 'robot.txt' file on a website, which is used to instruct web crawlers, like Google's, on which parts of the site should not be indexed. The speaker explains that 'robot.txt' is typically found in the root directory of a website. The audience is guided to navigate to the root directory and find the 'robot.txt' file, which contains a disallow rule. The flag is then copied from this file to complete the challenge.

Mindmap

Keywords

💡pico ctf

Pico CTF is a cybersecurity challenge platform that hosts various tasks related to computer security. In the context of the video, it is the main focus where the presenter is guiding viewers through solving different tasks on the platform. The script mentions accessing the website, logging in, and navigating to solve problems, indicating that 'pico ctf' is central to the video's theme.

💡web exploitation

Web exploitation refers to the process of finding and exploiting vulnerabilities in web applications or web servers. The video script discusses selecting 'web exploitation' as a category, suggesting that the tasks involve identifying and taking advantage of security flaws in web environments. This is a key concept as it directly relates to the type of challenges being addressed.

💡inspect

To 'inspect' in the context of web development tools means to examine the elements and structure of a webpage. The script describes using the 'inspect' feature in Google Chrome to look at the HTML code of a webpage, which is a fundamental skill in web development and a common method for analyzing web security in challenges like those on pico ctf.

💡HTML

HTML stands for HyperText Markup Language, which is the standard markup language for creating web pages. The script mentions inspecting HTML as part of the challenges, indicating that understanding HTML structure is crucial for solving web exploitation tasks. HTML is the backbone of any website and a common target for security analysis.

💡CSS

CSS (Cascading Style Sheets) is used for describing the look and formatting of a document written in HTML. In the script, the presenter navigates to a CSS file as part of solving a challenge, emphasizing the importance of CSS in web design and its potential role in web exploitation tasks, such as hiding malicious code or providing clues.

💡JavaScript

JavaScript is a scripting language used to create interactive and dynamic web pages. The video script refers to a JavaScript file, suggesting that the presenter is looking for clues or vulnerabilities within the JavaScript code, which can be a common source of security issues in web applications.

💡minify

Minification is the process of removing all unnecessary characters from source code without changing its functionality, typically to reduce its size and improve load times. The script mentions 'unminify', which is the reverse process, and is relevant to the video's theme as it can help in making code more readable and easier to analyze for security flaws.

💡decode

Decoding is the process of converting encoded data back into its original form. In the context of the video, the presenter talks about decoding text that has been encoded, which is a common technique in cybersecurity to hide information. Decoding skills are essential for uncovering hidden vulnerabilities or content within web challenges.

💡View Page Source

Viewing the page source allows developers to see the HTML code that constitutes the webpage. The script mentions using 'View Page Source' to inspect the underlying code of a webpage, which is a common practice when analyzing web security. This feature is crucial for tasks that involve web exploitation as it provides direct access to the code that may contain security flaws.

💡flag

In the context of CTF (Capture The Flag) challenges, a 'flag' is a piece of information that a participant must find or capture to solve a challenge. The script refers to submitting flags as part of completing challenges on pico ctf, indicating that flags are the goal or proof of solving a particular web exploitation task.

💡robot.txt

The 'robots.txt' file is part of the web standard used to instruct web robots (typically search engine crawlers) how to index or crawl pages on a website. In the script, the presenter discusses the 'robot.txt' file in relation to preventing search engines from accessing certain parts of a website, which is a common practice in web development and an interesting aspect of web exploitation challenges.

Highlights

Introduction to participating in picoCTF with 5 easy-level challenges.

Instructions on how to access the picoCTF website using Google Chrome.

Explanation of the login process for returning users and registration for new users on picoCTF.

Navigation to the 'Practice' menu to find easy-level challenges.

Filtering challenges by difficulty and selecting 'Web Exploitation' category.

Starting with the first challenge named 'inspect html'.

Guidance on how to use the web development tool 'inspect' in Google Chrome.

Details on locating and submitting the flag (FA) for the 'inspect html' challenge.

Emphasis on the importance of not leaving sensitive comments in website code to prevent hacking.

Moving on to the second challenge named 'inspector'.

Instructions on viewing page source to find parts of the flag scattered across HTML, CSS, and JavaScript files.

Explanation of front-end web development using HTML, CSS, and JavaScript.

The process of combining parts of the flag from different web pages to form the complete flag.

Introduction to the third challenge named 'unminify'.

Explanation of minification in web development and its impact on website loading speed.

Guidance on using Chrome's 'pretty print' feature to unminify and read code.

Details on locating and submitting the flag for the 'unminify' challenge.

Starting the fourth challenge named 'web decode'.

Instructions on using 'View Page Source' to search for encoded text on web pages.

Explanation of encoding and decoding processes, specifically base64 encoding.

Guidance on using online tools like 'CyberChef' to decode base64 encoded text.

Details on submitting the decoded flag for the 'web decode' challenge.

Introduction to the final challenge named 'Where are the Robot'.

Explanation of the 'robots.txt' file and its role in search engine indexing.

Instructions on locating and submitting the contents of the 'robots.txt' file as the flag.

Conclusion and thanks for watching the tutorial on completing 5 challenges on picoCTF.