PicoCTF 2023: MatchTheRegex

The Match the Regex challenge presented a web page with a text input field and a submit button. The objective was to input a string that matched a hidden regular expression to retrieve the flag.

Step-by-Step Walkthrough

1. Inspecting the Source Code

The first step was to inspect the source code of the webpage to understand the underlying logic. The relevant JavaScript code was found within a <script> tag:

<script>

function send_request() {

let val = document.getElementById("name").value;

// ^p.....F!?

fetch(`/flag?input=${val}`)

.then(res => res.text())

.then(res => {

const res_json = JSON.parse(res);

alert(res_json.flag)

return false;

})

return false;

}

</script>

The key part of the code was the commented line: // ^p.....F!?

This comment indicated a regular expression that the input value must match:

• ^ ; asserts the position at the start of the string.

• p; matches the character 'p'.

• ..... ; matches any five characters.

• F; matches the character 'F'.

• !? ; indicates that the ! character is optional

Given these requirements, the input picoctF was constructed

2. Retrieving the Flag

Entering (picoctF) into the text field and submitting the form triggered the send_request() function, which sent the input to the server.