The Challenge

The Solution

So the mention of Google not finding something is a pretty obvious hint towards robots.txt. So let’s check it out.

Well that looks pretty useless.

Unless it’s encoded or hashed.

Because of the fact there’s multiple letters that aren’t A-F and also numbers, I’m gonna take a guess that this is base64. I’m gonna copy all the disallows into a text file.

Now let’s use cut to get all the data out.

Now let’s decode that bad boy with base64.

So it’s uh… not base64.

Well, it is a folder list. Maybe one of these folders has the flag?

Let’s use dirb and use the wordlist we generated to see which folder(s) exist.

Alright. Got a hit. Let’s navigate there…

Got’em.