
CTF Writeup: Commented Out
Platform: HackLido learn
Category: Web Security
Points: 100
Difficulty: easy
—
Introduction
This challenge is called “Commented Out” and falls under the Web Security category. The name itself is a big hint. In web development, developers often leave comments in their code during development and sometimes forget to remove them before deploying to production. This challenge teaches us that HTML comments are visible to anyone who views the page source, even though they are not displayed in the browser.
—
Challenge Description
The challenge description says:
“The developer left comments before deployment.”
We are given a URL: https://ghostwhite-zebra-303512.hostingersite.com
Flag format: HackCTF{...}
—
Reconnaissance
The first step was to visit the given URL. The website showed a simple “Site Under Maintenance” page with the following message:
“Our developers are working hard. Please check back later!”
“Note: Search engines are currently blocked from indexing this site for privacy.”
The page looks completely normal in the browser. There is nothing visible that gives away the flag. But the challenge name “Commented Out” is a direct hint that we need to look inside the HTML source code for hidden comments.
—
Finding the Flag
Step 1: View Page Source
The most important technique in this challenge is viewing the raw HTML source code of the page. In a browser, when you visit a website, it only shows you the rendered output. HTML comments are never displayed on the actual page. However, anyone can view the raw source code by pressing Ctrl+U or by typing view-source: before the URL.
view-source:https://ghostwhite-zebra-303512.hostingersite.com
Step 2: Search for Comments
After opening the page source, we used Ctrl+F to search for the string <!--, which marks the start of an HTML comment. HTML comments follow this format:
<!-- this is a comment -->
Inside the page source, we found that the developer had left a comment containing the flag:
<!-- TODO: Remove flag before production! HackCTF{r0b0t5_4r3_n0t_4_53cur1ty_f34tur3} -->
The developer forgot to remove this comment before deploying the website. This is a very common mistake in real-world scenarios as well.
—
Flag
HackCTF{r0b0t5_4r3_n0t_4_53cur1ty_f34tur3}
—
Decoding the Flag
The flag uses leetspeak, a common style in CTF challenges where letters are replaced with similar-looking numbers:
| Leet | Normal |
|---|---|
| r0b0t5 | robots |
| 4r3 | are |
| n0t | not |
| 4 | a |
| 53cur1ty | security |
| f34tur3 | feature |
So the flag translates to: “robots are not a security feature”
This is the core lesson of this challenge.
—
Key Takeaways
HTML comments are not hidden. Many beginner developers think that because comments are not visible on the webpage, they are safe. This is completely wrong. Anyone can press Ctrl+U and see every single comment inside the HTML source code.
Never leave sensitive information in comments. Whether it is in HTML, JavaScript, CSS, or any configuration file, comments that contain passwords, flags, API keys, or any sensitive data should always be removed before deployment.
Always review your code before deployment. A simple code review before pushing to production can prevent these kinds of information leaks.
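The search for <!-- described in Step 2, and the pre-deployment review recommended above, can be automated. The following script is an added example and not part of the original writeup: it uses only the Python standard library (html.parser) to collect every HTML comment in a document, together with the line it starts on, and flags the ones matching patterns a reviewer should look at (the HackCTF{...} flag format from the challenge, TODO notes, credential-like words, and "remove ... before production" reminders). The sample maintenance page and its comments are constructed for this example; the flag inside it is a placeholder, not the real one.

```python
"""Pre-deployment scan for HTML comments that leak sensitive data.

Added example, not code from the original writeup. Standard library only:
html.parser collects every <!-- ... --> comment, and a small pattern list
flags the ones a reviewer should look at before the page ships.
"""
import re
from html.parser import HTMLParser

# Patterns that commonly indicate a comment was never meant to reach production.
# The HackCTF{...} format comes from the challenge; the rest are generic examples.
SUSPICIOUS = [
    re.compile(r"HackCTF\{[^}]*\}"),
    re.compile(r"\bTODO\b", re.IGNORECASE),
    re.compile(r"\b(password|passwd|secret|api[_-]?key|token)\b", re.IGNORECASE),
    re.compile(r"\b(remove|delete)\b.*\bbefore\b.*\b(prod|production|deploy)", re.IGNORECASE),
]


class CommentCollector(HTMLParser):
    """Collect every HTML comment with the line number it starts on."""

    def __init__(self):
        super().__init__()
        self.comments = []  # list of (line, text)

    def handle_comment(self, data):
        # getpos() reports the position of the "<!--" that opened this comment
        line, _col = self.getpos()
        self.comments.append((line, data.strip()))


def extract_comments(html):
    """Return all (line, comment_text) pairs found in an HTML document."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def find_sensitive_comments(html):
    """Return comments matching any suspicious pattern.

    Each finding is (line, comment_text, matched_snippet); one finding per
    comment is enough to put it in front of a reviewer.
    """
    findings = []
    for line, text in extract_comments(html):
        for pattern in SUSPICIOUS:
            m = pattern.search(text)
            if m:
                findings.append((line, text, m.group(0)))
                break
    return findings


# Constructed sample page modelled on the maintenance page in the writeup.
# The flag value here is a placeholder, not the challenge flag.
SAMPLE_PAGE = """<!DOCTYPE html>
<html>
<head>
  <title>Site Under Maintenance</title>
  <!-- layout: two-column, see styles.css -->
</head>
<body>
  <h1>Site Under Maintenance</h1>
  <p>Our developers are working hard. Please check back later!</p>
  <!-- TODO: Remove flag before production! HackCTF{example_flag_placeholder} -->
  <p>Note: Search engines are currently blocked from indexing this site for privacy.</p>
</body>
</html>
"""

if __name__ == "__main__":
    for line, text, hit in find_sensitive_comments(SAMPLE_PAGE):
        print(f"line {line}: matched {hit!r} in comment: {text}")
```

Run it against the HTML files in a build directory (or against a page fetched from a staging server) as a CI step; a harmless layout note like the first comment passes, while the TODO comment on line 10 of the sample is reported with the snippet that triggered it. Pattern lists like this never replace a human review, but they catch the exact class of mistake this challenge is built around.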
—
Tools Used
- Browser (Chrome/Firefox)
- View Page Source (Ctrl+U)
—
Conclusion
This was a beginner-level web security challenge that teaches one of the most fundamental concepts in web security: information disclosure through HTML comments. The challenge was solved simply by viewing the page source and finding a developer comment that was never removed before production deployment. The lesson here is clear: HTML comments are publicly visible and should never contain any sensitive information.