Note: If you're interested in actually doing these challenges, check out this post on how to get the environment set up.
Our WebSec foo tells us we should have a look in robots.txt. Not only that, but the title does give this one away - Bots.
Lets take a look in these.
/admin- Nothing here, just a picture
/backup- Nothing here, just another picture
/protected- Reveals the flag