Vellichor Press
A literary quarterly's homepage looks pristine, but the dev's last TODO never came down before they shipped. Some notes are louder in the source than they are on the page.
The Scenario
Vellichor Press is a six-person literary magazine that publishes four issues a year. Their new site went up last Tuesday on a tight deadline — Elias, the only engineer they have on retainer, told the editors he'd "do one more pass after launch." That pass never happened. Now the masthead looks immaculate to a reader, while a draft admin note sits where nobody scrolls.
Challenge Intel
Synopsis
A reconciliation TODO comment was left in the homepage HTML containing an internal reference string. View Source / DevTools Elements reveals it.
What It Is
The Flask `templates/home.html` ends with an HTML comment block that the developer left behind. The comment contains a fake admin shortcut URL and the flag as an "internal reconciliation reference." Browsers don't render `<!-- ... -->`, so the page looks clean — but Ctrl-U on the page, or DevTools → Elements → expand to the end of `<body>`, shows the comment verbatim. The flag is the second half of the comment block.
Who It's For
Brand-new web hackers. Anyone who hasn't yet learned that what the browser renders is not what the server sent. Step one of the recon module.
Skills You'll Practice
- Using View Source / Ctrl-U on a rendered page
- Reading the raw HTML response in DevTools
- Recognising that HTML comments survive transit
What You'll Gain
- The browser's DOM is one view of the source — the source itself is the ground truth
- Comments are a real-world leak path. Strip them in production.
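As an added illustration (not part of the challenge or its codebase), here is a stdlib-only Python check that does what View Source does by hand: it pulls every HTML comment out of a response body, flags the ones that read like developer notes, and shows the production fix of stripping them before the page ships. The sample page, the route name and the "internal reconciliation reference" are constructed placeholders, not the real challenge's values.

```python
"""Find, flag and strip HTML comments in a rendered page body (stdlib only)."""
import re
from html.parser import HTMLParser

# Constructed sample standing in for what a templates/home.html might render.
# The admin path and reference string are placeholders, not the challenge's.
SAMPLE_HTML = """<!doctype html>
<html>
<head><title>Vellichor Press</title></head>
<body>
<h1>Vellichor Press</h1>
<p>A literary quarterly, four issues a year.</p>
<!-- TODO(elias): remove before launch
     admin shortcut: /admin-preview-placeholder
     internal reconciliation reference: FLAG{placeholder-not-the-real-flag} -->
</body>
</html>
"""


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> the parser encounters."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        # The parser hands us the comment body without its delimiters.
        self.comments.append(data.strip())


def extract_comments(html_text):
    """Return the bodies of all HTML comments in the document, in order."""
    parser = CommentCollector()
    parser.feed(html_text)
    parser.close()
    return parser.comments


# Words that usually mean a comment is a developer note rather than markup
# documentation. Tune this list for your own codebase.
SENSITIVE_WORDS = re.compile(
    r"\b(todo|fixme|hack|admin|internal|password|secret|token|reference)\b",
    re.IGNORECASE,
)


def flag_sensitive_comments(html_text):
    """Return only the comments that contain a developer-note keyword."""
    return [c for c in extract_comments(html_text) if SENSITIVE_WORDS.search(c)]


# Blunt backstop for a build step: drops every HTML comment, multi-line included.
COMMENT_PATTERN = re.compile(r"<!--.*?-->", re.DOTALL)


def strip_comments(html_text):
    """Return the document with all <!-- ... --> blocks removed."""
    return COMMENT_PATTERN.sub("", html_text)


def audit(html_text):
    """Summarise what a reader of the raw source would see but the page hides."""
    found = flag_sensitive_comments(html_text)
    return {
        "comment_count": len(extract_comments(html_text)),
        "flagged_count": len(found),
        "flagged": found,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_HTML)
    print(f"{report['comment_count']} comment(s), {report['flagged_count']} flagged")
    for body in report["flagged"]:
        print("  -", body.splitlines()[0])
    cleaned = strip_comments(SAMPLE_HTML)
    print("after stripping:", extract_comments(cleaned))
```

Jinja2, Flask's template engine, has its own comment syntax, `{# ... #}`, which is consumed at render time and never reaches the response; that is where a launch TODO belongs. The regex stripper is deliberately blunt and will also remove `<!--` sequences inside inline scripts or old-style conditional comments, so it is better run once over rendered templates in CI (failing the build when `flag_sensitive_comments` returns anything) than bolted onto every live response.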
Ready to hack Vellichor Press?
This challenge is free. Sign up and start hacking.