The challenge ‘Scavenger Hunt’ is worth another 50 points. The only hint we get is not to brute-force the solution. We should find enough intel within the given site.


The site itself looks like the site we already saw in the insp3ct0r challenge (The writeup for this challenge is: here!). As we already know the way to go, we can follow the hints again. The hints are: html, css, java.

When looking at the index.html file in Sublime Text (file downloaded with wget) we get the first part of the flag. Wow. That was easy.


So what about the other parts? By pressing ‘Ctrl’ + ‘Shift’ + ‘C’ we open the Firefox site inspector. Inside the Style Editor we find a mycss.css file, and at the end of this file there is the 2nd part of the flag. (Alternatively you can open http://mercury.picoctf.net:44070/mycss.css to access the CSS file.)

  • CSS makes the page look nice, and yes, it also has part of the flag.
  • Here’s part 2: h4ts_4_l0

Nice! But when looking at the myjs.js file of the site (accessible via the Debugger section or directly via http://mercury.picoctf.net:44070/myjs.js) we don’t find the 3rd part of the flag. Instead we only get a hint:

  • How can I keep Google from indexing my website? */

This hint is kinda easy. The Google web crawler that is indexing the internet looks for a robots.txt file. By browsing to the corresponding page (http://mercury.picoctf.net:44070/robots.txt) we get the 3rd part of the flag and another hint. As the closing curly brace isn’t included in the flag, there has to be another part.

  • Part 3: t_0f_pl4c
  • I think this is an apache server… can you Access the next flag?

The 4th part of the flag was a hard one for me as I knew next to nothing about Apache web servers. It took me a long time googling around and trying different approaches until I finally tried appending /.htaccess to the end of the URL. I missed this page for a long time as the Apache project itself states on its website that “You should avoid using .htaccess files completely if you have access to httpd main server config file”. (https://httpd.apache.org/docs/2.4/howto/htaccess.html). But never mind. There it is!

  • Part 4: 3s_2_lO0k
  • I love making websites on my Mac, I can Store a lot of information there.

Phew. We already have 4 parts and we are still not done. That’s a long flag. The 5th part should have something to do with a Mac. As the hint for the 4th part was quite direct (Access had a capital letter and was a direct part of the solution) I decided to focus on the word ‘Store’ for the 5th flag.
After trying different things for a while I finally found the solution. Using /.DS_Store I got to the last flag. (Info on DS_Store: https://en.wikipedia.org/wiki/.DS_Store)

Congrats! You completed the scavenger hunt. Part 5: _7a46d25d}

With this being the last part of the flag we can finally submit the flag.

Scavenger Hunt Done!
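
Seen from the site owner's side, every part of the flag sat in a file the web server handed out to anyone who asked. The following added example (not part of the original writeup) audits a local document root for the same five kinds of leak before deployment; the function names and the sample files with EXAMPLE placeholders are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Files the writeup shows being served that do not belong in a published docroot.
SENSITIVE_NAMES = {".htaccess", ".htpasswd", ".DS_Store"}
DIRECTIVE_RE = re.compile(r"(?i)(user-agent|disallow|allow|sitemap|crawl-delay)\s*:")
# Block-comment syntax per static asset type (JS "//" comments are not covered).
COMMENT_RE = {
    ".html": re.compile(r"<!--(.*?)-->", re.S),
    ".css": re.compile(r"/\*(.*?)\*/", re.S),
    ".js": re.compile(r"/\*(.*?)\*/", re.S),
}

def audit_docroot(root):
    """Return sorted (relative_path, finding) tuples for a local document root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):  # pathlib globbing includes dotfiles
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in SENSITIVE_NAMES:
            findings.append((rel, "server or OS metadata file in docroot"))
        elif path.name == "robots.txt":
            for line in path.read_text(errors="replace").splitlines():
                text = line.strip()
                # robots.txt is world-readable: flag anything that is not a directive
                if text and not DIRECTIVE_RE.match(text):
                    findings.append((rel, "non-directive text: " + text))
        elif path.suffix in COMMENT_RE:
            for body in COMMENT_RE[path.suffix].findall(path.read_text(errors="replace")):
                findings.append((rel, "comment shipped to clients: " + body.strip()))
    return sorted(findings)

def build_sample_docroot(root):
    """Constructed sample files mirroring the layout in the writeup."""
    root = Path(root)
    (root / "index.html").write_text("<html><!-- part 1: EXAMPLE --><body>hi</body></html>")
    (root / "mycss.css").write_text("body { color: red; }\n/* part 2: EXAMPLE */\n")
    (root / "myjs.js").write_text("function f() { return 1; }\n")
    (root / "robots.txt").write_text("User-agent: *\nDisallow: /index.html\n# Part 3: EXAMPLE\n")
    (root / ".htaccess").write_text("# Part 4: EXAMPLE\n")
    (root / ".DS_Store").write_bytes(b"\x00\x00\x00\x01Bud1")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_docroot(tmp)
        for rel, finding in audit_docroot(tmp):
            print(f"{rel}: {finding}")
```

Run against the constructed sample, it reports five findings and leaves myjs.js alone, since that file carries no block comment.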
