Pebble & Pine
A small-batch ceramics shop has a beautiful catalogue and a story about the studio in the woods. They also have an analytics script that someone wrote on a Sunday and forgot to circle back to.
The Scenario
Pebble & Pine is run by Marit and her partner Sasha out of a studio at the back of a kiln barn in the lower Catskills. They sell four to seven mugs at a time, in seasonal "runs," and ship them wrapped in linen. Marit wrote the website herself, with the help of her brother who works in advertising and "knows just enough JavaScript to be dangerous." The analytics file is his.
Challenge Intel
Synopsis
`/static/js/analytics.js` is loaded from every page. The file contains a const string `INTERNAL_REF = "WEBVERSE{...}"` buried in a block of realistic-looking analytics noise.
What It Is
The site's base template includes a `<script src="/static/js/analytics.js">` near the bottom of the body. The JS file is deliberately written to look like a real lightweight analytics pixel — page-view ping, scroll-depth, debounced beacon — and one constant near the bottom of the file holds the flag.
Who It's For
Players who can use View Source and have heard of DevTools → Sources but haven't yet thought to read JavaScript files.
Skills You'll Practice
- Reading JavaScript loaded by a page
- Using DevTools → Sources or curl on a /static/*.js path
What You'll Gain
- Bundled / inline JS is part of your attack surface — read it
- Constants in client-side code are public no matter how they're named
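The same lesson from the shop owner's side, as an added example that is not part of the challenge or its site code: a pre-deploy audit that lists string constants in a static JS file whose value or name suggests they were never meant to be published. The sample file, the regex heuristics and the function name `auditSource` are assumptions made for this illustration.

```javascript
// Added example: audit client-side JS for string constants before deploying.
// Everything under /static/ is served verbatim, so every literal is public.

// Constructed sample standing in for an analytics file (not the challenge's file).
const SAMPLE_JS = `
(function () {
  const ENDPOINT = "/collect";
  const DEBOUNCE_MS = 250;
  let maxDepth = 0;
  // const OLD_KEY = "commented-out but still shipped";
  function ping(type) { navigator.sendBeacon(ENDPOINT, JSON.stringify({ type: type })); }
  const INTERNAL_REF = "WEBVERSE{constructed-placeholder}";
  var apiToken = 'tok_constructed_0123456789abcdef';
  ping("pageview");
})();
`;

// Heuristics are assumptions for this example; tune them for your codebase.
const VALUE_PATTERNS = [
  { reason: "flag-like value", re: /^[A-Z0-9_]{3,}\{.*\}$/ },
  { reason: "long token-like value", re: /^[A-Za-z0-9_\-+\/=]{24,}$/ },
];
const NAME_PATTERN = /(secret|token|key|passw|internal|private|ref)/i;

// Return one finding per const/let/var string literal that looks sensitive.
function auditSource(source) {
  const decl = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(["'`])((?:\\.|(?!\2).)*)\2/g;
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(decl)) {
      const name = m[1];
      const value = m[3];
      const hit = VALUE_PATTERNS.find((p) => p.re.test(value));
      const reason = hit ? hit.reason
        : NAME_PATTERN.test(name) ? "sensitive-looking name" : null;
      // Commented-out declarations are reported too: comments ship to the browser.
      if (reason) findings.push({ line: i + 1, name, reason });
    }
  });
  return findings;
}

for (const f of auditSource(SAMPLE_JS)) {
  console.log(`line ${f.line}: ${f.name} (${f.reason})`);
}
```

A check like this only narrows the review; the fix for anything it finds is to remove the value from the file, since renaming or burying the constant leaves it just as readable.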