Note: If you're interested in actually doing these challenges, check out this post on how to get the environment set up.

Our WebSec foo tells us we should have a look in robots.txt. Not only that, but the title does give this one away - Bots.

GET /robots.txt HTTP/1.1

User-agent: *
Disallow: /admin
Disallow: /backup
Disallow: /protected

Lets take a look in these.

  • /admin - Nothing here, just a picture
  • /backup - Nothing here, just another picture
  • /protected - Reveals the flag FLAG{1b000000000000000000000000000000}