Treasure Hunt
tjctf
Task: Web reconnaissance challenge with flag split into 4 parts hidden across HTML source, HTTP headers, and standard web files. Solution: Inspect page source for hidden <p> tag, check robots.txt for disallowed endpoints, and analyze Set-Cookie header from POST form submission.
Treasure Hunt — TJCTF 2026
Description
Let's go hunt down some treasure! The flag is split into 4 parts. I'll give you the first one right here: tjctf
English summary: A pirate-themed web page at https://treasure-hunt.tjc.tf running on gunicorn (Python WSGI). The flag is split into 4 parts hidden in different standard web locations. The first part is given in the challenge description.
Analysis
The main page is a pirate-themed site with a ship image and a "Learn More" button (POST form). The server runs gunicorn. Standard web reconnaissance locations need to be checked: HTML source, HTTP headers, robots.txt, and common endpoints.
Key observations:
- The page has a hidden HTML element not visible in the rendered page
- The "Learn More" button triggers a POST request that redirects to /extra_info (a red herring with a penguin image)
- The POST response includes a Set-Cookie header with a flag fragment
- robots.txt disallows a /gold-coffer endpoint
Solution
Part 1: Challenge Description → tjctf
Given directly in the challenge text.
Part 2: Hidden HTML Element → _and_
Viewing the page source reveals a hidden paragraph tag:
curl -s https://treasure-hunt.tjc.tf
<p hidden>_and_</p>
This element is not rendered by the browser but is visible in the HTML source.
Part 3: Set-Cookie Header → {s1lv3r
Submitting the POST form (clicking "Learn More") and inspecting the response headers:
curl -sv -X POST https://treasure-hunt.tjc.tf 2>&1 | grep -i set-cookie
Set-Cookie: silver_coffer={s1lv3r; Path=/
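The locations listed under Key observations are also where a site owner should check what their own responses disclose. The following is an added example, not code from the original writeup: it audits one captured response for text in hidden elements, cookie values and missing cookie flags, and paths advertised in robots.txt. The sample inputs are constructed from the fragments quoted above, and the class and function names are hypothetical.

```python
from html.parser import HTMLParser

# Constructed samples modelled on the responses quoted in this writeup.
SAMPLE_HTML = '<h1>Ahoy</h1><p hidden>_and_</p><form method="post"><button>Learn More</button></form>'
SAMPLE_HEADERS = [("Server", "gunicorn"), ("Set-Cookie", "silver_coffer={s1lv3r; Path=/")]
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /gold-coffer\n"

class HiddenText(HTMLParser):
    """Collect text inside elements that carry the `hidden` attribute."""
    VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags with no end tag
    def __init__(self):
        super().__init__()
        self.depth = 0   # > 0 while inside a hidden subtree
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag not in self.VOID and (self.depth or "hidden" in dict(attrs)):
            self.depth += 1
    def handle_endtag(self, tag):
        if self.depth and tag not in self.VOID:
            self.depth -= 1
    def handle_data(self, data):
        if self.depth and data.strip():
            self.found.append(data.strip())

def audit_cookies(headers):
    """Return (name, value, missing_flags) for every Set-Cookie header."""
    out = []
    for key, raw in headers:
        if key.lower() != "set-cookie":
            continue
        pair, *attrs = [p.strip() for p in raw.split(";")]
        name, _, value = pair.partition("=")
        present = {a.split("=")[0].lower() for a in attrs}
        missing = [f for f in ("secure", "httponly", "samesite") if f not in present]
        out.append((name, value, missing))
    return out

def robots_disallowed(text):
    """Paths that robots.txt advertises to anyone who fetches it."""
    fields = (line.split("#")[0].partition(":") for line in text.splitlines())
    return [v.strip() for f, _, v in fields if f.strip().lower() == "disallow" and v.strip()]

def audit(html, headers, robots):
    parser = HiddenText()
    parser.feed(html)
    return {"hidden_text": parser.found, "cookies": audit_cookies(headers),
            "robots_paths": robots_disallowed(robots)}

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, SAMPLE_HEADERS, SAMPLE_ROBOTS))
```

Anything the audit reports is readable by every visitor, so none of these locations should hold data that is meant to stay private.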
...