DefendTheWeb.net, previously called HackThis.co.uk, is a well-known interactive security platform where you can learn and test your skills. It contains challenges from several different cybersecurity fields.
I’ve decided to have a bit of fun and try to solve every single challenge presented, from the easiest to the hardest (although what counts as easy or hard will differ depending on your skillset and field of expertise).
As I do with any challenge website, I WILL NEVER post the flag in cleartext, as it kills the fun and thrill of finding it; however, I will post my way (or ways) of getting there. This is done out of respect for the website’s security and non-disclosure policy, even when it doesn’t have one ;).
Challenge Intro 7
This challenge is rated as Intro, so it might be easy to solve. The author presents us with a small description, “You couldn’t even find the password using a search engine as search bots have been excluded.” and a login/password form with a Login button.
It is obvious that we have to find the password somehow, and that it has been hidden from search engines. There are several different ways a site can keep search engines and their bots away from certain files, such as meta tags in the page, a robots.txt file (blocking crawlers by User-agent), and so on. Note that none of these are access controls: they only ask well-behaved crawlers not to index the content, and the file itself is public.
After a while using our friend Google Chrome Dev Tools (F12) to check the code, I couldn’t find anything useful. Eventually I found a robots.txt file on the main website (not inside the Intro 7 challenge), at https://defendtheweb.net/robots.txt:
User-agent: *
Allow: /
Disallow: /help/contact
Disallow: /profile/
Disallow: /extras/
Disallow: /extras/playground/jf94jhg03.txt
User-agent: Mediapartners-Google
Disallow:
Notice the entry for “/extras/playground/jf94jhg03.txt”; that is where we will find our password. There we have it.
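To show concretely what a robots.txt file does and does not do, here is a small evaluator written for this write-up (it is not code from DefendTheWeb or from the challenge). It parses the robots.txt quoted above, applies the RFC 9309 matching rule (the longest matching path wins, and Allow wins a tie), and lists the paths the file asks crawlers to skip. The host name and the audit helper are my own additions; the rules are copied from the file shown on the page. The point for a defender: every Disallow line is a public pointer, so anything sensitive must sit behind authentication rather than behind a robots rule.

```python
"""Minimal robots.txt evaluator (added example, not part of the original write-up).

Implements RFC 9309 matching: among rules whose path is a prefix of the
requested path, the longest one wins; on a tie, Allow wins. Wildcards
('*', '$') are deliberately not supported to keep the example short.
"""

# Constructed copy of the robots.txt quoted in the write-up.
ROBOTS_TXT = """\
User-agent: *
Allow: /
Disallow: /help/contact
Disallow: /profile/
Disallow: /extras/
Disallow: /extras/playground/jf94jhg03.txt

User-agent: Mediapartners-Google
Disallow:
"""


def parse_robots(text):
    """Return {user_agent_lower: [(directive, path), ...]} in file order.

    Consecutive User-agent lines share one rule group, as the spec requires.
    """
    groups = {}
    current_rules = None
    last_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line or ":" not in line:
            last_was_agent = False
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not last_was_agent:               # start a new group
                current_rules = []
            groups[value.lower()] = current_rules
            last_was_agent = True
        else:
            last_was_agent = False
            if field in ("allow", "disallow") and current_rules is not None:
                current_rules.append((field, value))
    return groups


def rules_for(text, agent):
    """Pick the group for `agent`, falling back to the '*' group."""
    groups = parse_robots(text)
    return groups.get(agent.lower(), groups.get("*", []))


def can_fetch(text, agent, path):
    """True if a compliant crawler identifying as `agent` may fetch `path`."""
    best_len, allowed = -1, True
    for directive, rule_path in rules_for(text, agent):
        if not rule_path:                        # "Disallow:" (empty) matches nothing
            continue
        if path.startswith(rule_path):
            length = len(rule_path)
            if length > best_len or (length == best_len and directive == "allow"):
                best_len, allowed = length, directive == "allow"
    return allowed


def disallowed_paths(text, agent="*"):
    """Every path the file asks `agent` to skip; this list is visible to anyone."""
    return [p for d, p in rules_for(text, agent) if d == "disallow" and p]


def file_entries(text, agent="*"):
    """Audit helper (hypothetical): Disallow entries that name a single file
    (last path segment contains a dot). Such entries are the ones most likely
    to be pointing at content that should be protected by authentication."""
    return [p for p in disallowed_paths(text, agent)
            if "." in p.rstrip("/").rsplit("/", 1)[-1]]


if __name__ == "__main__":
    print("Crawler-visible disallow list:", disallowed_paths(ROBOTS_TXT))
    print("Single-file entries worth reviewing:", file_entries(ROBOTS_TXT))
    print("Generic bot may fetch the txt file:",
          can_fetch(ROBOTS_TXT, "*", "/extras/playground/jf94jhg03.txt"))
```

Running it prints the full disallow list, flags the single file entry, and reports that a generic crawler is asked not to fetch it; nothing in that answer stops a browser or a curious reader, which is exactly why the challenge is solvable.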
I hope you liked this one, see you on the next challenge.