TryHackMe CTF Walkthrough- Love at First Breach 2026: Hidden Deep into my Heart
After reaching the target site, check the `robots.txt` file to discover a hidden path and a password. Use `dirsearch` to enumerate directories, find the hidden administrator page, and log in with the credentials extracted from `robots.txt` to obtain the flag.

2026-3-3 06:15:26 Author: infosecwriteups.com (view original) Reads: 5

Hibullahi AbdulAzeez

Difficulty: Easy | Category: Web

A short but satisfying challenge that teaches one of the most overlooked recon habits in web pentesting: checking robots.txt. The flag is hiding in a place developers use to hide things from search engines. The irony writes itself.

Phase 1 — Land on the App and Start Poking Around

Navigate to the target:

http://MACHINE_IP:5000

You’ll see a landing page — Love Letters Anonymous, a secret valentine message board. Before clicking anything, do what every good pentester does first — check the files the web server exposes by default.


Landing Page

Phase 2 — Check robots.txt

robots.txt is a file web servers use to tell search engine crawlers which pages not to index. Developers sometimes use it to hide sensitive directories from Google — not realising it's a publicly accessible file that anyone can just... read.

http://MACHINE_IP:5000/robots.txt

The file reveals two things:

User-agent: *
Disallow: /cupids_secret_vault/*
# cupid_arrow_2026!!!

That Disallow line is telling crawlers to stay away from /cupids_secret_vault/ — which of course means we're going there immediately. And that comment? That's a password sitting in a publicly readable file.

Why this matters: robots.txt is not a security control. It's a polite suggestion to bots, not a restriction on humans. Anything listed in it is still fully accessible to anyone with a browser. Leaving credentials in comments here is like locking your front door and taping the key to it.
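As an added example (not part of the original write-up), the script below reads a robots.txt body the way a defender auditing their own site would: it lists every Disallow path, which is exactly what a reader of the file sees first, and flags comments that look like leaked credentials. The sample robots.txt is constructed from the one quoted above; the keyword list and the password-shape heuristic are assumptions, not a standard.

```python
import re

# Constructed sample, modelled on the robots.txt quoted in the walkthrough.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /cupids_secret_vault/*
# cupid_arrow_2026!!!
Disallow: /static/
# keep crawlers out of static assets
"""

# Assumed heuristics for comments that look like leaked secrets: a credential
# keyword, or a single token mixing letters, digits and punctuation.
KEYWORDS = re.compile(r"(pass|pwd|secret|token|key|cred)", re.IGNORECASE)
PASSWORD_LIKE = re.compile(r"^\S{8,}$")


def parse_robots(text):
    """Return (disallowed paths, comment texts) found in a robots.txt body."""
    disallowed, comments = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            comments.append(line.lstrip("#").strip())
            continue
        # Drop a trailing comment on a directive line before splitting it.
        directive, _, value = line.split("#", 1)[0].partition(":")
        if directive.strip().lower() == "disallow" and value.strip():
            disallowed.append(value.strip())
    return disallowed, comments


def looks_like_secret(comment):
    """True if a comment matches a credential keyword or has a password shape."""
    if KEYWORDS.search(comment):
        return True
    return (PASSWORD_LIKE.match(comment) is not None
            and any(c.isdigit() for c in comment)
            and any(not c.isalnum() for c in comment))


def audit_robots(text):
    """Summarise what a robots.txt exposes: hidden paths and suspicious comments."""
    disallowed, comments = parse_robots(text)
    return {"disallowed": disallowed,
            "suspicious_comments": [c for c in comments if looks_like_secret(c)]}


if __name__ == "__main__":
    report = audit_robots(SAMPLE_ROBOTS)
    for path in report["disallowed"]:
        print(f"[path] {path}  (listed publicly; robots.txt does not protect it)")
    for comment in report["suspicious_comments"]:
        print(f"[secret?] {comment}")
```

Every path the audit prints must be protected by real access control on the server, since listing it in robots.txt only advertises it.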

Phase 3 — Access the Secret Vault

Navigate directly to the disallowed path:

http://MACHINE_IP:5000/cupids_secret_vault/


The page says:

“You’ve found the secret vault, but there’s more to discover…”

That’s a hint. The vault exists but there’s something deeper inside. Time to enumerate further.

Phase 4 — Directory Enumeration with Dirsearch

The vault landing page doesn’t do much on its own. There might be subdirectories hidden under it that aren’t linked anywhere. Run dirsearch to find them:


dirsearch -u http://MACHINE_IP:5000/cupids_secret_vault/


Dirsearch finds a hit:

[200] /cupids_secret_vault/administrator

A 200 status means the page exists and loads successfully. Navigate to it.

What is dirsearch? It’s a tool that rapidly tries thousands of common directory and file names against a web server to discover hidden paths. Think of it as knocking on every door in a building to see which ones open — even if there’s no sign on them.

Phase 5 — Login with Credentials Found in robots.txt

The /administrator path presents a login form — Cupid's Vault, asking for a username and password.


You already have everything you need. Remember that comment from robots.txt?

  • Username: admin
  • Password: cupid_arrow_2026!!!

Submit — and you’re in.


The page greets you:

“Congratulations! You’ve discovered Cupid’s secret vault and found the hidden treasure of love!”

THM{l0v3_is_in_th3_r0b0ts_txt}

The flag name literally tells you where the secret was hiding all along.


Full Attack Chain

  • Visit the web app
  • Read robots.txt → disallowed path + password hidden in a comment
  • Navigate to /cupids_secret_vault/ → "more to discover" hint
  • Dirsearch → finds /cupids_secret_vault/administrator
  • Login: admin : cupid_arrow_2026!!!
  • Flag captured

Key Takeaways

  • Always check robots.txt first. It's designed to hide paths from Google, not from attackers — and it does neither reliably.
  • Comments in public files are not private. Every line of a publicly accessible file is fair game, including comments meant for developers.
  • Directory enumeration reveals what the UI doesn’t link to. The /administrator page had no visible link anywhere on the site — dirsearch found it in seconds.
  • Credentials left in web-accessible files are critical vulnerabilities. Even if the path had been less obvious, that password comment alone is a severe finding.

Happy Ethical Hacking — always practice in authorized environments only.


Source: https://infosecwriteups.com/tryhackme-free-ctf-walkthrough-love-at-first-breach-2026-hidden-deep-into-my-heart-00b86e6254f6?source=rss----7b722bfd1b8d---4