Welcome Everyone

Web 150 pts Easy

Challenge Information

  • Challenge Name: Welcome Everyone (Challenge 1)
  • Category: Web
  • Target: https://instruo.tech/
  • Flag: EOF{f0und_m3_f!nally}
  • Difficulty: Beginner (Web Reconnaissance)

Challenge Description:

Solve your first challenge.

The INSTRUO 14 Website Team have spent a lot of time perfecting the website. Check it out!

And never forget the name of this CTF, it will serve as a reminder for the rest of your journey, that everyone is a fool.

Note: Flags, unless specified otherwise, will be of the format EOF{text}, text might include numbers and symbols as well.

Solution Methodology

Phase 1: Initial Website Inspection

curl -s https://instruo.tech/ | head -100

Observation:

  • Website returns HTML with minimal content
  • Appears to be a single-page application (SPA)
  • No obvious flags in initial HTML response

Phase 2: Check robots.txt

curl -s https://instruo.tech/robots.txt

Result: No robots.txt file found (404 response)

Phase 3: Search HTML for Flag Patterns

curl -s https://instruo.tech/ | grep -i "eof\|flag\|fool" -A 2 -B 2

Result: No direct flag patterns found in HTML source

Phase 4: React SPA Investigation

curl -s https://instruo.tech/ > page.html
cat page.html

Key Findings:

  • React application detected (React root element present)
  • JavaScript bundle: /assets/index-ZgcoQM9t.js
  • CSS bundle: /assets/index-DUKRed5p.css
  • No flag in static HTML - must be in dynamically loaded assets

Phase 5: JavaScript Bundle Analysis

Based on the challenge hint about "EOFool" (Everyone's a Fool), the events page was checked:

curl -s https://instruo.tech/events | tee events.html | head -200

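Observation: The same HTML shell is returned for /events as for /, which is typical SPA behavior: routes are resolved client-side by the JavaScript bundle, so the page content lives in that bundle rather than in the HTML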

Phase 6: Search JavaScript Bundle

curl -s https://instruo.tech/assets/index-ZgcoQM9t.js > main.js
grep -i "fool" main.js | head -10

Key Finding: The word "fool" appears in the context of the "eofool" event

Phase 7: Extract Flag Pattern

grep -E 'f0und_m3_f.*nally' main.js

After examining the context, the complete flag was identified in the "eofool" event section.

Phase 8: Flag Location Analysis

Examining the minified JavaScript revealed:

  • Flag is rendered in a hidden <span> element
  • CSS properties: fontSize: "0.1rem" and color: "transparent"
  • Makes the flag invisible to normal website visitors
  • Only visible through source code inspection or developer tools

✅ SUCCESS! Flag: EOF{f0und_m3_f!nally}

The flag was hidden in a React component for the EOFool event page with CSS transparency!
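
The search from Phases 6 to 8 can be done without dumping the whole minified line to the terminal, and the same check works as a pre-release audit of a built bundle for text that is present but styled to be invisible. This is an added example, not part of the original writeup: the sample bundle line, its flag values and the function names are constructed, and it assumes the minifier emits style:{...} before children in the same props object.

```shell
#!/bin/sh
# Constructed sample: one minified line shaped like the bundle described above.
# The flag strings are placeholders, not content from the real bundle.
make_sample() {
  printf '%s\n' 'function a(){try{b()}finally{c()}}const E=()=>u.jsx("span",{style:{fontSize:"0.1rem",color:"transparent"},children:"EOF{c0nstructed_s4mple}"}),F=()=>u.jsx("p",{style:{color:"red"},children:"EOF{styled_but_visible}"}),G=()=>u.jsx("p",{children:"EOF{plain_visible}"});' > "$1"
}

# Print every flag-format token, one per line. -o prints only the match,
# so a multi-megabyte minified line does not flood the terminal.
find_flags() {
  grep -oE 'EOF\{[^}]*\}' "$1"
}

# Print only the tokens rendered with hiding styles.
# Step 1: capture "style:{...}" plus up to 40 brace-free characters plus the token.
# Step 2: keep captures whose style is transparent or has a near-zero font size.
# Step 3: strip the captured context, leaving the token itself.
find_hidden_flags() {
  grep -oE 'style:\{[^}]*\}[^{}]{0,40}EOF\{[^}]*\}' "$1" |
    grep -E 'color:"transparent"|fontSize:"0(\.[01][0-9]*)?rem"' |
    sed -E 's/.*(EOF\{[^}]*\})$/\1/'
}

# Demo run on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
echo "all flag-format strings:"
find_flags "$sample"
echo "hidden by inline style:"
find_hidden_flags "$sample"
rm -f "$sample"
```

To run it against a downloaded bundle, call find_flags main.js and find_hidden_flags main.js.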

Key Insights

Why This Challenge is the First

  • Web fundamentals - Tests basic web reconnaissance skills
  • Source code inspection - Core CTF skill
  • Client-side analysis - Understanding modern web apps
  • Pattern recognition - Using hints from challenge description

Challenge Design Elements

  • "Everyone is a fool" hint - Directly points to "EOFool" event
  • Flag format instruction - Teaches EOF{text} pattern
  • Modern web tech - Introduces React/SPA challenges
  • Stealth hiding - CSS transparency technique

Tools Used

  • curl - HTTP client for downloading web resources
  • grep - Pattern matching and flag search
  • Browser DevTools - Alternative for inspection

Alternative Solution Methods

Method 1: Browser Developer Tools

  1. Open https://instruo.tech/ in a browser
  2. Open Developer Tools (F12)
  3. Navigate to Events page
  4. Search page source (Ctrl+F) for "EOF{"
  5. Find hidden span element with flag

Method 2: Network Tab Analysis

  1. Open Network tab in DevTools
  2. Load the website
  3. Inspect JavaScript bundle response
  4. Search response for flag

Complete Command Sequence

# 1. Initial reconnaissance
curl -s https://instruo.tech/ | head -100

# 2. Check for robots.txt
curl -s https://instruo.tech/robots.txt

# 3. Download full HTML
curl -s https://instruo.tech/ > page.html

# 4. Search HTML for flag patterns
grep -i "eof\|flag\|fool" page.html

# 5. Check events page (based on CTF name hint)
curl -s https://instruo.tech/events > events.html

# 6. Download JavaScript bundle
curl -s https://instruo.tech/assets/index-ZgcoQM9t.js > main.js

# 7. Search for "fool" keyword
grep -i "fool" main.js

# 8. Search for flag pattern
grep -E 'f0und_m3_f.*nally' main.js

# 9. Extract and verify flag
# Single quotes stop an interactive bash from treating "!nally" as a history expansion
echo 'EOF{f0und_m3_f!nally}'

Summary

Welcome Everyone is an excellent introductory web challenge that teaches fundamental CTF skills:

  • Reading challenge descriptions carefully for hints
  • Basic web reconnaissance techniques
  • Understanding modern web application architecture
  • Client-side source code analysis
  • Using command-line tools for web investigation

The flag EOF{f0und_m3_f!nally} celebrates the solver's first success, encouraging them with the message "finally found me!" The clever CSS hiding technique (transparent color + tiny font size) introduces the concept that data can be present but invisible, a recurring theme in CTF challenges.