Rating:

## Description

The flag is somewhere on this web application not necessarily on the website. Find it.

Check [this](http://saturn.picoctf.net:65442/) out.

## Solution

The challenge name seems to be either an allusion to the text font Roboto or /robots.txt (see [this writeup](https://github.com/FlyN-Nick/picoGymWriteups/blob/main/Web%20Exploitation/Where%20are%20the%20robots/Where%20are%20the%20robots.md)). As investigating the text font files seems more complicated, let's first look at /robots.txt. There, we find this:


User-agent *
Disallow: /cgi-bin/
Think you have seen your flag or want to keep looking.

ZmxhZzEudHh0;anMvbXlmaW
anMvbXlmaWxlLnR4dA==
svssshjweuiwl;oiho.bsvdaslejg

The text above disallow looks suspicious. The double equal sign suggests that it's base 64. However, if we try to decode it with an [online decoder](https://www.base64decode.org/), it seems like the base 64 is a little malformed. As the base 64 text spans across three lines, it suggests that it is actually three separate strings. If we decode each line separately, we find that the second line gives us a valid path, specifically js/myfile.txt. If we navigate to the suburl, we get the flag.