BroncoCTF 'Lovely Login' Challenge Solved via robots.txt Leak, Not Injection
A Capture The Flag web challenge called 'Lovely Login' featured a login form backed by an Express API that appeared vulnerable to NoSQL operator injection, but server-side type-checking blocked all such attempts. The real vulnerability was discovered through standard web reconnaissance: the site's robots.txt file contained a disallowed path pointing to an internal documentation page at /security, along with a base64-encoded string that decoded to a list of valid usernames. The /security page revealed that user passwords were simply the reverse of their usernames — a predictable, non-random derivation scheme. Combining the decoded username list with this logic immediately produced valid credentials for the admin account. The root cause was twofold: sensitive internal notes were left publicly accessible in production, and robots.txt was mistakenly relied upon as an access control mechanism rather than a mere crawler directive.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)
Log in to join the discussion and vote.
Log in