Hidden Deep Into my Heart (TryHackMe) Writeup

Step 1: Browse to the URL
We’re given the URL and it leads to a fairly basic page with no functionality.

Step 2: robots
robots.txt is a text file placed in the root directory of a website that tells search engine crawlers which pages not to crawl (or which pages they may crawl). The file is publicly readable and purely advisory, so anything written in it is visible to every visitor. After viewing it, we can see a directory called /cupids_secret_vault/*
You can guess where we’re going next!

Step 3: Cupid’s Secret Vault
Again we come across a page with no functionality. This time, we’ll need to brute-force the directories with dirb.

Step 4: dirb
A basic dirb http://<ip>:<port>/<directory>/ command found a directory called ‘administrator’.

Step 5: admin panel
We arrive at the admin panel.

I didn’t know what the username was, but since this was the ‘admin’ panel, I decided to use ‘admin’ for the username and the cupid_arrow_2026!!! from robots.txt for the password:

This let me in and granted me the flag!
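
From the defender's side, this room works because robots.txt both signposts a hidden directory and carries a credential. The check below is an added example, not part of the original writeup: it audits a robots.txt body for those two mistakes. The sample file, its password value, and both keyword lists are constructed assumptions.

```python
import re

# Constructed sample: a robots.txt with the two mistakes this room relies on.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /cupids_secret_vault/*
Disallow: /images/
# reminder: vault login password is Example_Passw0rd!!!
"""

# Path fragments suggesting a rule points at something sensitive (assumed list).
SENSITIVE_PATH = re.compile(r"(secret|vault|admin|backup|private|internal|\.git|\.env)", re.I)
# Wording suggesting a credential was left in the file (assumed list).
SECRET_HINT = re.compile(r"(pass(word|wd)?|pwd|secret|token|api[_-]?key|credential)\b", re.I)


def audit_robots(text):
    """Return (line_number, kind, line) findings for a robots.txt body."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # Split the directive from any trailing or full-line comment.
        rule, _, comment = line.partition("#")
        field, _, value = rule.partition(":")
        field, value = field.strip().lower(), value.strip()
        # Rule values are served to every client, so a sensitive path is a signpost.
        if field in ("disallow", "allow") and SENSITIVE_PATH.search(value):
            findings.append((number, "sensitive-path", line))
        # Comments are served too; flag credential-like wording.
        if comment and SECRET_HINT.search(comment):
            findings.append((number, "possible-secret", line))
    return findings


if __name__ == "__main__":
    for number, kind, line in audit_robots(SAMPLE_ROBOTS):
        print(f"line {number}: {kind}: {line}")
```

A finding of either kind means the path needs real authentication instead of obscurity, and any credential that appeared in the file should be rotated.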

Thanks for reading!