Secrets Behind the Screens: A Housekeeping Mystery
Scenario
You’ve been contracted as an external consultant to assess the digital infrastructure of Clean & Tidy Services, a premium housekeeping and cleaning company. While the website presents a sleek, professional interface, your mission is to dig deeper into the system and uncover potential misconfigurations or hidden information.
✅ Questions
1. How many paths are not allowed to be indexed by search engines?
Websites often use a robots.txt file to instruct search engines on which pages or directories should not be indexed. This file, typically located at http://<website>/robots.txt, can sometimes reveal sensitive paths.
We navigate to http://132.145.13.96:9994/robots.txt and find the following content:
User-agent: *
Disallow: /private/
Disallow: /hidden-files/
Disallow: /admin/
This tells search engines not to index the following three directories:
/private/
/hidden-files/
/admin/
Thus, the answer to this question is 3 paths.
Answer: 3
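To show how the robots.txt answer is derived, and to go a little beyond the file above, here is an added parser (example code, not part of the original write-up) that handles the conventions real files use: comments, several User-agent groups, Allow lines and the empty Disallow that permits everything. The file it parses is constructed, modelled on the one found above; the same function is handy for auditing your own robots.txt, since every Disallow line in it is public.

```python
# Added example (not part of the original write-up): parse a robots.txt body
# and report, per User-agent group, which paths it asks crawlers to skip.

# Constructed sample modelled on the robots.txt in the write-up, with a
# comment, an Allow line and an empty Disallow (= allow all) added.
SAMPLE_ROBOTS = """\
# robots.txt for a constructed example host
User-agent: *
Disallow: /private/
Disallow: /hidden-files/
Disallow: /admin/
Allow: /admin/help

User-agent: Googlebot
Disallow:
"""

def parse_robots(text):
    """Return {user_agent: {"disallow": [...], "allow": [...]}}.
    '#' starts a comment, field names are case-insensitive, a blank line
    ends a group, and an empty Disallow value disallows nothing.
    """
    groups = {}
    current = []            # user-agents the following rules apply to
    expecting_agent = True  # True while consecutive User-agent lines build a group
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            current, expecting_agent = [], True   # blank line closes the group
            continue
        if ":" not in line:
            continue                              # malformed line, ignore
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not expecting_agent:               # rules seen: a new group starts
                current, expecting_agent = [], True
            current.append(value)
            groups.setdefault(value, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow") and current:
            expecting_agent = False
            if value:                             # empty Disallow = allow everything
                for agent in current:
                    groups[agent][field].append(value)
    return groups

def disallowed_paths(text, agent="*"):
    """Paths the given user-agent is asked not to crawl (the count is Q1's answer)."""
    return parse_robots(text).get(agent, {}).get("disallow", [])
```

Running disallowed_paths(SAMPLE_ROBOTS) returns the three directories for the wildcard group, while the Googlebot group's empty Disallow yields nothing.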
2. Which path gives access to the admin panel?
Since the robots.txt file lists three directories, we attempt to access each one directly in a browser:
/private/ → Returns an Internal Server Error (500).
/hidden-files/ → Also returns an Internal Server Error (500).
/admin/ → Successfully loads an Admin Login Page.
From this, we confirm that the admin panel is accessible at /admin/.
Answer: /admin/
3. What are the credentials to access the admin panel?
Once at the admin login page, we try common default credentials:
admin:admin ❌
admin:123456 ❌
admin:password ✅ Success!
Using admin:password, we successfully log into the panel.
Answer: admin:password
4. What is the flag?
After logging in, we are presented with an administrative dashboard. Scanning through the panel, we find a message displaying the flag.
The flag is now successfully retrieved.