diff --git a/hidden/README.md b/hidden/README.md new file mode 100644 index 0000000..47d1934 --- /dev/null +++ b/hidden/README.md @@ -0,0 +1,14 @@ +# Finding the Hidden Flag + +## How We Found It +First we went throught basic analysis of the website and thought of `.robots.txt`. + +`Dissallow: /.hidden` + +We wrote a script that crawled through the website’s `.hidden` directory. It checked every subdirectory and looked for each README file, examining the byte of its content. When that byte deviated from the expected pattern, we knew we’d found the flag! + +## Utility of It +For this project, there wasn’t any real-world utility, it was just a roleplay exercise for school to learn about web crawling and threading. + +## How Can We Patch It +The easiest fix is to restrict public access to sensitive files. Don’t place secret files in directories that are directly accessible from the web. diff --git a/hidden_robot/flag b/hidden/flag similarity index 100% rename from hidden_robot/flag rename to hidden/flag diff --git a/hidden_robot/ressources/main.py b/hidden/ressources/main.py similarity index 100% rename from hidden_robot/ressources/main.py rename to hidden/ressources/main.py diff --git a/hidden_robot/README.md b/hidden_robot/README.md deleted file mode 100644 index 118e9fc..0000000 --- a/hidden_robot/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# Finding the Hidden Flag - -This is a quick rundown of our school project where we hacked a website (in a controlled lab environment) to find a hidden flag. - -## What We Did - -- **Starting Point:** - We began at the `.hidden` directory, which was kept out of search engines by the `robots.txt` file. - -- **How It Worked:** - We built a script that went through each subdirectory looking for a README file. It checked the last byte of the file to spot any unusual values. If the byte didn't match the normal pattern, we knew we had found the flag. - -- **Speeding Things Up:** - We used multi-threading so that multiple pages could be checked at once, which made the process much faster. - -## Takeaway - -This project taught us how to combine directory traversal with threading and basic HTML parsing to uncover hidden information. Check out the repo for the full code!