WEBVERSE

easy · Reconnaissance · Pro

Front Matter

A small literary press that hand-typesets every edition. The colophon page reads like a love letter to bookbinding — and it leaks something the team forgot they shipped.

The Scenario

Front Matter is an indie publisher run by Iona Brecht out of a print workshop in Lyon. Each title carries a long colophon naming the typeface, the paper stock, and the producer. A reader emailed to say the colophon source looked "chatty." Start at the storefront, read the production notes, and see what the producer left in the markup.

Challenge Intel

Synopsis

An HTML comment on the colophon page references an internal build endpoint that's still live.

What It Is

The /colophon page contains an HTML comment left in by a developer noting an internal build endpoint (`/api/internal/build`) that was "supposed to be removed at deploy time." The endpoint is still routed in the Flask app and returns the contents of the FLAG environment variable in plain text. No auth, no rate limit — the comment is the whole leak.
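A defender-side counterpart to the flaw described above, as an added example that is not part of the challenge or its code: a pre-deploy check that pulls every HTML comment out of a rendered page, extracts path-like strings, and marks the ones the application still serves. The names `audit_comments` and `CommentCollector`, the sample page and the sample route list are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Path-like tokens such as /api/internal/build; skips URLs and closing tags.
PATH_RE = re.compile(r"(?<![\w.:/<])/[A-Za-z0-9_-]+(?:/[A-Za-z0-9_.-]+)*")

# Constructed sample page and route list (assumptions, not the challenge's files).
SAMPLE_HTML = """<!doctype html>
<html>
<body>
<h1>Colophon</h1>
<!-- build hook /api/internal/build was supposed to be removed at deploy time -->
<p>Set in a constructed sample typeface.</p>
<!-- old preview lived at /drafts/preview -->
</body>
</html>
"""
SAMPLE_ROUTES = ["/", "/colophon", "/api/internal/build"]


class CommentCollector(HTMLParser):
    """Records (line_number, text) for every HTML comment fed to it."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append((self.getpos()[0], data.strip()))


def audit_comments(html, live_routes):
    """List paths mentioned in HTML comments and whether each is still served.

    live_routes: route strings the app serves; for Flask these can be taken
    from [r.rule for r in app.url_map.iter_rules()].
    """
    live = {r.rstrip("/") or "/" for r in live_routes}
    collector = CommentCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for line, text in collector.comments:
        for path in PATH_RE.findall(text):
            routed = (path.rstrip("/") or "/") in live
            findings.append({"line": line, "path": path, "still_routed": routed})
    return findings
```

Calling `audit_comments(SAMPLE_HTML, SAMPLE_ROUTES)` returns one finding per path, and a finding with `still_routed` set to true is the case this challenge is built on: the comment and the route both shipped. Failing the build on any such finding forces the route itself to be removed or protected, not just the comment.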

Who It's For

Players who have used view-source / dev-tools comment-mining but haven't yet built the habit of reading every page's raw markup before moving on.

Skills You'll Practice

  • Inspecting raw HTML for developer comments
  • Mapping a leaked endpoint to a live route

What You'll Gain

  • A reflex for opening view-source on every page during recon
  • Awareness that 'delete the route from the menu' is not a fix
