Rating:

Here, the task name and hint seemed indicate that the
[User-Agent header](https://en.wikipedia.org/wiki/User_agent) is involved. Sure
enough, if we check the site and follow the link to `/flag`, we get the
following error (abbreviated here) :

```
You're not google! Mozilla/5.0 [...]
```

This tells us two things :

1. The app is looking at our user agent (since it's displayed in the error)
2. It's expecting "Google"

Now the way Google indexes websites is that it has bots crawling the web. Those
bots are "polite", which means among other things that they correctly indicate
their identity (as opposed to trying to pass for a regular browser). We can assume
that what is expected here is Google Bot user agent.

A quick search for "googlebot user agent" yields the following page :
[Google crawlers (user agents)](https://support.google.com/webmasters/answer/1061943?hl=en).

As indicated, Googlebot is the most common Google crawler, so let's use it's user agent :

```
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
```

Requesting `/flag` again, this time using that user agent (I used
[Burp suite](https://portswigger.net/burp)'s proxy and repeater, but there are
other ways to do that) we get the flag : `picoCTF{s3cr3t_ag3nt_m4n_ed3fe08d}`

Original writeup (http://blog.iodbh.net/picoctf2018-web-secret-agent.html).