In hindsight this challenge was a bit misplaced within the CTF. It should have been nearer the start of the CTF than the middle. It is an exercise in recon and knowledge of web structures.

You will learn:

  • What robots.txt files are


The challenge starts with only a fun fact.

Figure 1: Start screen for the challenge

There are many robots on the internet. The most famous is the Google bot, which crawls the entire internet in search of content. To control what a robot can and cannot do, internet standards define a robots.txt file. The file can be retrieved from /robots.txt on the challenge site.

# robots.txt generated by
User-agent: *
Disallow: /
Disallow: /cgi-bin/

Disallow: /encryption/is/a/right
Disallow: /fnagn/unf/znal/cynprf/gb/tb

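The file contains only a few lines. It first says that User-agent must match *, so everyone, and then lists the rules that apply. What follows are several Disallow lines, which mean that the robot is not allowed to visit those resources. The rules are only a request to well-behaved crawlers and the file itself is readable by anyone, so every path it lists can still be opened in a browser.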

The URL /encryption/is/a/right leads to a page that lists a Base64 string.


Decoding the text using a tool such as CyberChef is trivial; CyberChef will even suggest decoding it for you. It reads the following text:

Encoding and encryption are 2 different things.

This might, or might not, be a hint. Spoiler alert: it is a hint. But for now we cannot do much more. Let's take a look at the second URL, /fnagn/unf/znal/cynprf/gb/tb.

Figure 2: Oh the places you’ll go

This is a reference to my favorite poem, “Oh, the places you’ll go” by Dr. Seuss. There is an excellent version of it that was recorded at Burning Man. The video is here.

At this point you might be a little lost, just like in the poem. The clue on the page is that you might have read it wrong. You might reverse it, transpose it or apply other logic to the URL. Then you might think about the ROT13 shift cipher.

Using CyberChef to apply ROT13 to this text leads to the URL /santa/has/many/places/to/go/. When you visit that page, a flag will be shown.
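The same steps can be scripted. The following is an added example, not part of the original write-up: it parses the robots.txt shown earlier, collects the Disallow paths for a user agent, and reports any path that reads more like English after ROT13. The function names and the letter-frequency scoring are assumptions made for this example.

```python
import codecs

ROBOTS_TXT = """\
# constructed copy of the robots.txt shown above
User-agent: *
Disallow: /
Disallow: /cgi-bin/

Disallow: /encryption/is/a/right
Disallow: /fnagn/unf/znal/cynprf/gb/tb
"""


def disallowed_paths(text, agent="*"):
    """Return Disallow paths from groups whose User-agent line equals `agent`."""
    paths, agents, in_rules = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        if field.lower() == "user-agent":
            # a User-agent line that follows rules starts a new group
            agents = [value.lower()] if in_rules else agents + [value.lower()]
            in_rules = False
        elif field.lower() == "disallow":
            in_rules = True
            if value and agent.lower() in agents:
                paths.append(value)
    return paths


def english_score(s):
    """Fraction of letters among the most common English ones (assumed heuristic)."""
    letters = [c for c in s.lower() if c.isalpha()]
    return sum(c in "etaoinshr" for c in letters) / len(letters) if letters else 0.0


def rot13_candidates(paths):
    """Map each path that scores higher after ROT13 to its decoded form."""
    found = {}
    for path in paths:
        decoded = codecs.encode(path, "rot_13")
        if english_score(decoded) > english_score(path):
            found[path] = decoded
    return found


if __name__ == "__main__":
    print(rot13_candidates(disallowed_paths(ROBOTS_TXT)))
```

Only the last Disallow entry is reported; the plain-English path and /cgi-bin/ do not score higher after ROT13, so they are left alone.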

Figure 3: The flag

Grab your points and your badge.


