Coltsfoot Community Center
The Coltsfoot Community Center has run pottery, woodshop, yoga, and mahjong classes since 1974. The members-only side of the site is the front door — but it's not the only door.
The Scenario
Coltsfoot is run by a three-member board of retirees who took over the operations site from a volunteer web-developer in 2019. Classes start at $12, the board meets the first Tuesday of every month, and the daily totals are reconciled on a Square reader in the back office. The "staff side" of the site, the board insists, has always been hidden — no one outside the building has ever needed it.
Challenge Intel
Synopsis
/staff/dashboard has no auth check and is leaked via /robots.txt. Navigating directly to /staff/dashboard renders the daily-totals admin card with the flag in the "Reconciliation reference" pill.
What It Is
The Flask route `/staff/dashboard` carries no `@login_required` decorator (or any equivalent before-request check) and performs no role check, so it renders for any visitor who requests the path. The site's `/robots.txt` advertises `Disallow: /staff/`, which tells well-behaved crawlers to stay out but tells anyone who reads the file exactly which directory prefix to try. This is the canonical "PortSwigger-style" unprotected admin functionality lab, planted via a robots.txt breadcrumb.
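The pattern above, as an added example (not the challenge's own source): a vulnerable Flask app whose staff route has no check at all, beside a fixed app that gates the same route with a login check and a role check on every request. The user table, passwords, session layout and the placeholder card text are assumptions made for the example; the real reconciliation reference is not reproduced here.

```python
"""Coltsfoot-style /staff/dashboard: the unprotected route beside a hardened one.

Added example, not the challenge's own code. USERS, the secret key and the
card text are constructed stand-ins.
"""
from functools import wraps
from typing import Optional

from flask import Flask, abort, redirect, request, session, url_for

# Constructed stand-in for the board's accounts (assumption).
USERS = {
    "board-alice": {"password": "first-tuesday", "role": "staff"},
    "member-bob": {"password": "mahjong", "role": "member"},
}

ROBOTS_TXT = "User-agent: *\nDisallow: /staff/\n"


def daily_totals_card() -> str:
    # Placeholder admin card; the pill value here is not the challenge flag.
    return ('<section class="card"><h1>Daily totals</h1>'
            '<span class="pill">Reconciliation reference: REDACTED</span></section>')


def register_public_routes(app: Flask) -> None:
    @app.route("/robots.txt")
    def robots():
        # Public by design: it tells crawlers, and attackers, about /staff/.
        return ROBOTS_TXT, 200, {"Content-Type": "text/plain"}

    @app.route("/login", methods=["GET", "POST"])
    def login():
        if request.method == "GET":
            return '<form method="post">...</form>'
        username = request.form.get("username", "")
        user = USERS.get(username)
        if user is None or user["password"] != request.form.get("password"):
            abort(401)
        session["user"] = username
        # Only follow a same-site path in ?next= (avoids an open redirect).
        nxt = request.args.get("next", "/")
        if not nxt.startswith("/") or nxt.startswith("//"):
            nxt = "/"
        return redirect(nxt)


def make_vulnerable_app() -> Flask:
    """The challenge's bug: the staff route has no login or role check."""
    app = Flask(__name__)
    app.secret_key = "example-only-not-a-real-secret"
    register_public_routes(app)

    @app.route("/staff/dashboard")
    def staff_dashboard():
        return daily_totals_card()  # renders for any visitor who knows the path

    return app


def login_required(view):
    """Reject anonymous requests before the view body runs."""
    @wraps(view)
    def wrapped(*args, **kwargs):
        if "user" not in session:
            return redirect(url_for("login", next=request.path))
        return view(*args, **kwargs)
    return wrapped


def role_required(role: str):
    """Reject logged-in users who lack the role: 'hidden' is not 'authorised'."""
    def decorator(view):
        @wraps(view)
        def wrapped(*args, **kwargs):
            user = USERS.get(session.get("user", ""))
            if user is None or user["role"] != role:
                abort(403)
            return view(*args, **kwargs)
        return wrapped
    return decorator


def make_fixed_app() -> Flask:
    """Same routes, but the staff route is gated server-side on every request."""
    app = Flask(__name__)
    app.secret_key = "example-only-not-a-real-secret"
    register_public_routes(app)

    @app.route("/staff/dashboard")
    @login_required            # outermost: anonymous -> 302 to /login
    @role_required("staff")    # then: logged in but not staff -> 403
    def staff_dashboard():
        return daily_totals_card()

    return app


def probe(app: Flask, username: Optional[str] = None,
          password: Optional[str] = None) -> int:
    """HTTP status a client gets for /staff/dashboard, optionally after logging in."""
    client = app.test_client()  # keeps the session cookie between requests
    if username is not None:
        client.post("/login", data={"username": username, "password": password})
    return client.get("/staff/dashboard").status_code


if __name__ == "__main__":
    print("vulnerable, anonymous:", probe(make_vulnerable_app()))
    print("fixed, anonymous:", probe(make_fixed_app()))
    print("fixed, member:", probe(make_fixed_app(), "member-bob", "mahjong"))
    print("fixed, board:", probe(make_fixed_app(), "board-alice", "first-tuesday"))
```

Note the decorator order on the fixed route: the login check sits outermost so an anonymous visitor is redirected before the role check ever looks at the session, and the role check sits inside it so a logged-in member gets a 403 rather than the card. Neither check lives in the template or in client-side JavaScript; both run on the server before the view body.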
Who It's For
Brand-new players. The introductory broken-access-control challenge (unprotected admin functionality, not IDOR: no object identifier is tampered with, the route simply has no check). No tooling beyond a browser is needed; players who understand that `robots.txt` is a public hint file solve it in under a minute.
Skills You'll Practice
- Reading /robots.txt as a recon source
- Recognising that "hidden" is not "access-controlled"
- Direct-path navigation to discover unprotected admin routes
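The first and third skills above, as an added example that is not part of the challenge page: read `Disallow:` lines out of a robots.txt body, expand each directory hint into a short list of candidate paths, and request every candidate with a fresh, cookie-less client, flagging the ones that come back 200. The robots.txt text, the suffix list and the fake site are constructed for the example; `http_fetch` shows how to point the same logic at a real host you are authorised to test.

```python
"""robots.txt as a recon source: from Disallow hints to an unauthenticated probe list.

Added example, not the challenge's own tooling. SAMPLE_ROBOTS, COMMON_SUFFIXES
and FAKE_SITE are constructed stand-ins.
"""
import urllib.error
import urllib.request
from typing import Callable, Iterable, List
from urllib.parse import urljoin

# Constructed robots.txt in the shape the challenge describes.
SAMPLE_ROBOTS = """\
# Crawler hints; nothing here is access control.
User-agent: *
Disallow: /staff/
Disallow: /admin/backups
Allow: /
Sitemap: https://coltsfoot.invalid/sitemap.xml
"""

# Path suffixes to try under a directory hint (assumption; extend per target).
COMMON_SUFFIXES = ("", "dashboard", "index")


def disallowed_paths(robots_txt: str) -> List[str]:
    """Unique paths named by Disallow: directives, in order of appearance."""
    paths: List[str] = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line.lower().startswith("disallow:"):
            continue
        path = line.split(":", 1)[1].strip()
        if path and path not in paths:
            paths.append(path)
    return paths


def candidates(paths: Iterable[str]) -> List[str]:
    """Expand directory hints (trailing slash) into concrete paths to request."""
    out: List[str] = []
    for path in paths:
        guesses = [path + s for s in COMMON_SUFFIXES] if path.endswith("/") else [path]
        for guess in guesses:
            if guess not in out:
                out.append(guess)
    return out


def find_unprotected(robots_txt: str, fetch: Callable[[str], int]) -> List[str]:
    """Paths an anonymous client can load with a 200.

    A 200 is a lead, not proof: confirm by reading the body. A 302 or 401/403
    means some check fired, which is what a correct admin route should do.
    """
    return [p for p in candidates(disallowed_paths(robots_txt)) if fetch(p) == 200]


# Constructed stand-in for the target: status an anonymous GET receives.
FAKE_SITE = {
    "/staff/": 404,
    "/staff/dashboard": 200,   # the Coltsfoot bug: renders with no check
    "/admin/backups": 302,     # redirects to login, as it should
}


def fake_fetch(path: str) -> int:
    return FAKE_SITE.get(path, 404)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following 3xx, so a redirect-to-login is reported as 302, not 200."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(base_url: str) -> Callable[[str], int]:
    """Real fetcher: GET each path with no cookies and return the raw status."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(path: str) -> int:
        req = urllib.request.Request(urljoin(base_url, path), method="GET")
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:   # 3xx/4xx/5xx arrive here
            return err.code

    return fetch


if __name__ == "__main__":
    print("hints:", disallowed_paths(SAMPLE_ROBOTS))
    print("probe list:", candidates(disallowed_paths(SAMPLE_ROBOTS)))
    print("anonymous 200s:", find_unprotected(SAMPLE_ROBOTS, fake_fetch))
    # Against a real target you are authorised to test:
    # print(find_unprotected(robots_body, http_fetch("https://target.example/")))
```

The redirect handler is the detail worth copying: with default `urlopen` behaviour a route that bounces anonymous users to `/login` shows up as a 200 for the login page, which hides exactly the distinction this recon step is trying to make.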
What You'll Gain
- Robots.txt is a public file, not a security boundary
- Every admin route needs an explicit server-side access check
- Path obscurity does not protect sensitive functionality
Ready to hack Coltsfoot Community Center?
This challenge is free. Sign up and start hacking.