Sundial Observatory
A small amateur-astronomy club keeps an immaculate website — calendar of star parties, log of recent sightings, list of members. The webmaster prides himself on doing things right, including a careful little file that the public is, of course, free to read.
The Scenario
The Sundial Observatory has met on the second Saturday of every month since 1987, at a converted ranger station above the Cascade Plateau. Pavel, a retired aerospace tech, runs the website out of his garage. He's allergic to leaks but believes — as a matter of principle — that asking search engines politely to stay away is the same thing as keeping a page private.
Challenge Intel
Synopsis
`/robots.txt` lists `Disallow: /members-only-2026`. That path is a real Flask route returning the AGM secretary's bulletin, with the flag in the sign-off paragraph.
What It Is
The site serves a proper robots.txt with a clear Disallow entry. The path it points at is a regular Flask route — there's no auth, no obfuscation, just no link from any rendered page. Pavel assumed "the search engines won't index it" was enough cover.
Who It's For
Brand-new players. Anyone who's never opened /robots.txt on a target. Step two of Web Fundamentals.
Skills You'll Practice
- Recon via /robots.txt and /sitemap.xml
- Understanding that Disallow is a request, not a control
What You'll Gain
- robots.txt is a directory map for attackers, not a security control
- Hidden URLs are still URLs — obscurity isn't access control
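The gap described above is a mismatch between what robots.txt asks crawlers to skip and what the server actually gates. The check below, an added example rather than code from the Sundial Observatory site, parses the Disallow entries and reports any that a route serves without an authentication check; the robots.txt body, the route table and the function names are all constructed for illustration.

```python
"""Audit that every path hidden via robots.txt is also gated by authentication."""
from dataclasses import dataclass

# Constructed sample robots.txt in the same shape as the one described above.
ROBOTS_TXT = """\
User-agent: *
Disallow: /members-only-2026
Disallow: /admin/
Allow: /calendar
"""


@dataclass(frozen=True)
class Route:
    path: str            # URL path the route serves
    requires_auth: bool  # True when a login check guards the handler


# Constructed route table standing in for the Flask app's url_map.
ROUTES = [
    Route("/", False),
    Route("/calendar", False),
    Route("/members-only-2026", False),  # the bulletin route: no login check
    Route("/admin/", True),
]


def disallowed_paths(robots_txt: str) -> list[str]:
    """Return the Disallow path prefixes from a robots.txt body, in file order."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value:                            # a bare "Disallow:" hides nothing
                paths.append(value)
    return paths


def unprotected_disallowed(robots_txt: str, routes: list[Route]) -> list[str]:
    """Disallowed prefixes that at least one route serves without an auth check.

    A Disallow line only asks crawlers to stay away; any prefix returned here is
    reachable by anyone who reads robots.txt, so it needs a real access control.
    """
    hidden = disallowed_paths(robots_txt)
    exposed = {p for p in hidden
               for r in routes if r.path.startswith(p) and not r.requires_auth}
    return sorted(exposed)
```

Run it against the real url_map in a deploy check so a new Disallow line cannot ship without a matching login requirement.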
Ready to hack Sundial Observatory?
This challenge is free. Sign up and start hacking.