The Forgotten Protocol
Challenge Description
Before WHAM-9000 achieved full autonomy, the warehouse ran on outdated documentation. Some of those old files are still publicly accessible, if you know where to look.
Flag: Raptor{flag1_s3cur1ty_m1sc0nf1g_r0b0ts_txt}
Recon
The flavor text hints at old/forgotten files still being publicly accessible. My first instinct was to check /debug directly but I got a 404.
Now, I could have pulled out katana, ffuf, or dirbuster, but I was just too lazy to open up the Kali VM at this point, so I thought about what a web crawler or search engine bot would check first: /robots.txt.
The Discovery
Navigating to /robots.txt returned a goldmine:
User-agent: *
Allow: /
Disallow: /admin
Disallow: /api/internal/
Disallow: /api/admin/
Disallow: /api/internal/debug
Disallow: /api/internal/ai-core
Disallow: /api/internal/worker-stats
Disallow: /api/internal/incidents
The robots.txt file is meant to instruct crawlers to stay away from certain paths, but it simultaneously advertises those paths to anyone reading it.
/api/internal/debug immediately caught my eye, since I was already hunting for a debug endpoint.
Exploitation
Navigating directly to /api/internal/debug returned the following inside the JSON response:
{
"maintenance_key": "Raptor{flag1_s3cur1ty_m1sc0nf1g_r0b0ts_txt}"
}
The internal debug endpoint was completely unauthenticated and exposed a maintenance key (the flag) in plaintext.
Key Takeaways
robots.txt is a suggestion to well-behaved bots. Listing sensitive endpoints in Disallow directives actively publicizes their existence to anyone who knows to check. Any endpoint worth hiding should be protected by authentication, not just omitted from a sitemap.
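To turn that takeaway into a check, here is an added audit script (my own example, not part of the original write-up): it parses the Disallow directives from the robots.txt shown above and flags any advertised path that still answers 200 to an unauthenticated request. The probe is injected as a function; the responses below are constructed to mirror the write-up, where only /api/internal/debug was open.

```python
import re
from typing import Callable, Dict, List

# robots.txt as returned by the challenge host (copied from the write-up above)
ROBOTS_TXT = """User-agent: *
Allow: /
Disallow: /admin
Disallow: /api/internal/
Disallow: /api/admin/
Disallow: /api/internal/debug
Disallow: /api/internal/ai-core
Disallow: /api/internal/worker-stats
Disallow: /api/internal/incidents
"""

def parse_disallowed(robots_txt: str) -> List[str]:
    """Return every path named in a Disallow directive, in order, without duplicates."""
    seen: List[str] = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"(?i)disallow\s*:\s*(\S+)", line)  # empty Disallow means "allow all"
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def audit_disallowed(robots_txt: str, probe: Callable[[str], int]) -> Dict[str, int]:
    """Probe each Disallowed path and return those that answer 200 without credentials.

    probe(path) must return the HTTP status an unauthenticated GET receives.
    A path advertised in robots.txt that still returns 200 is an exposed endpoint
    and needs authentication, not just a Disallow line."""
    exposed: Dict[str, int] = {}
    for path in parse_disallowed(robots_txt):
        status = probe(path)
        if status == 200:
            exposed[path] = status
    return exposed

# Constructed responses standing in for a live probe (assumed, not observed data):
# only /api/internal/debug answers 200 without credentials, as in the write-up.
CONSTRUCTED_RESPONSES = {
    "/admin": 401, "/api/internal/": 404, "/api/admin/": 403,
    "/api/internal/debug": 200, "/api/internal/ai-core": 401,
    "/api/internal/worker-stats": 401, "/api/internal/incidents": 401,
}

def constructed_probe(path: str) -> int:
    return CONSTRUCTED_RESPONSES.get(path, 404)

if __name__ == "__main__":
    for path in audit_disallowed(ROBOTS_TXT, constructed_probe):
        print(f"EXPOSED: {path} returns 200 without authentication")
```

Against your own site, replace constructed_probe with a function that issues an unauthenticated GET with urllib.request and returns the status code (catching urllib.error.HTTPError and returning its .code).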
When doing web recon, always check the low-hanging fruit before firing up heavier tools:
- /robots.txt
- /sitemap.xml
- /.well-known/
- Source code / JS bundles for hardcoded paths