// Recon · Enumeration · Web Security

Westbrook Academy CTF Lab

Use GoBuster and manual inspection to discover hidden pages and capture flags across the Westbrook Academy website.

Live Target
🚩 25 Flags · 350 pts
🛠 Kali Linux + GoBuster
Objective & Learning Goals
🎯 Mission Brief

You are performing a simulated reconnaissance exercise against the Westbrook Academy website. Your goal is to use GoBuster and manual inspection techniques to discover hidden pages and capture flags planted throughout the site.

Each flag is in the format FLAG{...} and must be submitted at the flag submission portal.

📋 Learning Objectives
1. Perform directory enumeration using GoBuster
2. Interpret and exploit information exposed in robots.txt
3. Inspect HTML page source code for hidden comments
4. Identify exposed credentials and sensitive data in web pages
5. Recognize insecure development artifacts such as staging configs and backup files
6. Understand open directory listings as a security misconfiguration
7. Connect recon findings to real-world OWASP vulnerabilities
🛠 Tools Required
Tool | Notes
Kali Linux | Or any Linux distro with GoBuster installed
GoBuster | Pre-installed on Kali at /usr/bin/gobuster
Web Browser | Firefox or Chromium
Wordlist | /usr/share/wordlists/dirb/common.txt (pre-installed on Kali)
📖 Background Knowledge
⚡ What is GoBuster?

GoBuster is a directory and file enumeration tool used in penetration testing. It works by taking a wordlist and brute-forcing URLs against a target web server, reporting back which paths actually exist based on the HTTP response codes returned.

Understanding HTTP response codes is critical to interpreting GoBuster's output:

Code | Meaning | What it tells you
200 | OK | Page exists and loaded successfully
301 | Redirect | Page exists but moved elsewhere — follow the redirect
403 | Forbidden | Directory EXISTS but access is blocked — still useful!
404 | Not Found | Path does not exist on the server
⚠️ Key Insight: A 403 Forbidden still tells you the directory exists — that is valuable recon information even if you cannot access it directly. Don't ignore 403s!
🤖 What is robots.txt?

robots.txt is a file that web servers use to tell search engine crawlers which pages they should not index. It is publicly readable by anyone.

From a security perspective it often inadvertently reveals the names of sensitive or hidden directories — making it one of the first files a penetration tester checks.

💡 robots.txt is meant to guide well-behaved crawlers. It does not prevent humans or tools like GoBuster from accessing those paths — it just lists them out for anyone to read.
🔍 What is HTML Source Inspection?

Everything rendered by your browser is delivered as HTML. Developers often leave comments, credentials, debug notes, and other sensitive data in the HTML that is invisible on the rendered page but fully visible in the source.

HTML comments use this syntax and will never display on screen:

HTML
<!-- This is a comment — invisible on the page but visible in source -->
<!-- FLAG{you_found_it} -->
<!-- TODO: remove admin credentials before launch -->
⌨️ Press Ctrl+U in any browser to view the full page source. Then use Ctrl+F to search for FLAG, <!--, TODO, or password.
Part 1 — Manual Recon
🔍 Step 1 — Check robots.txt

Before running any tools, always start with manual checks. Navigate directly to:

URL
https://labs.professorsalazar.com/westbrook/robots.txt

Read the file carefully. Note every path listed under Disallow: — these paths exist on the server. Record your findings below:

# | Disallowed Path | Notes
1 | |
2 | |
3 | |
4 | |
5 | |
6 | |
🖥 Step 2 — View Page Source on the Main Page

Navigate to the main site:

URL
https://labs.professorsalazar.com/westbrook/

Right-click anywhere and select View Page Source or press Ctrl+U. Use Ctrl+F to search for:

FLAG, <!--, TODO, password, admin, secret

💡 Flags are hidden in HTML comments. Check the <head> section, after the <nav>, inside the footer, and at the very bottom of the page.
Part 2 — GoBuster Scan
⚡ Step 3 — Run GoBuster

Open a terminal in Kali Linux and run the basic scan command:

bash
gobuster dir -u https://labs.professorsalazar.com/westbrook/ \
  -w /usr/share/wordlists/dirb/common.txt

For a more thorough scan (takes longer but finds more paths):

bash
gobuster dir -u https://labs.professorsalazar.com/westbrook/ \
  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

⚠️ If you get a wildcard error, the server may return non-standard responses. Try adding --exclude-length <N> where N is the reported false-positive length.
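Added example (not part of the lab or of GoBuster): a small Python script that reads GoBuster result lines, maps each status code to the meaning in the Background table, and applies a size-based heuristic for the wildcard situation in the warning above. The sample output lines are constructed, the line format is my understanding of GoBuster 3.x output, and the repeated-size heuristic is an assumption that approximates (rather than reproduces) GoBuster's own wildcard check.

```python
import re
from collections import Counter

# Constructed GoBuster "dir" output, modelled on the 3.x line format (not a real scan).
# The last three lines all have the same size: the signature of a wildcard response.
SAMPLE_OUTPUT = """\
/admin                (Status: 403) [Size: 277]
/backup               (Status: 301) [Size: 316] [--> https://labs.example.test/westbrook/backup/]
/dev                  (Status: 200) [Size: 9120]
/staff                (Status: 200) [Size: 4412]
/cgi-bin              (Status: 200) [Size: 1234]
/images               (Status: 200) [Size: 1234]
/zz_not_really_there  (Status: 200) [Size: 1234]
"""
LINE_RE = re.compile(r"^(?P<path>\S+)\s+\(Status:\s*(?P<status>\d{3})\)\s+\[Size:\s*(?P<size>\d+)\]")

# What each code tells you, per the response-code table in the Background section.
MEANING = {
    200: "exists, loaded successfully",
    301: "exists, moved elsewhere (follow the redirect)",
    403: "exists, access blocked (still useful)",
    404: "does not exist",
}

def parse_output(text: str) -> list[dict]:
    """One {path, status, size} record per GoBuster result line."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append({"path": m["path"], "status": int(m["status"]), "size": int(m["size"])})
    return results

def worksheet_rows(results: list[dict]) -> list[str]:
    """Rows for the 'Record Your Scan Results' table: path, code, note."""
    return [f"{r['path']} | {r['status']} | {MEANING.get(r['status'], 'code not in table')}" for r in results]

def suspected_wildcard_length(results: list[dict], min_hits: int = 3):
    """Heuristic (an assumption, not GoBuster's own check): if several 200s share one body
    size, the server answers every path with the same page; that size goes to --exclude-length."""
    sizes = Counter(r["size"] for r in results if r["status"] == 200)
    if not sizes:
        return None
    size, hits = sizes.most_common(1)[0]
    return size if hits >= min_hits else None

def real_hits(results: list[dict]) -> list[dict]:
    """What the scan would show after re-running with --exclude-length <wildcard size>."""
    wild = suspected_wildcard_length(results)
    return [r for r in results if r["size"] != wild]
```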
📋 Record Your Scan Results

As GoBuster runs, record every path it discovers below:

# | Path Discovered | Status Code | Notes
1 | | |
2 | | |
3 | | |
4 | | |
5 | | |
6 | | |
7 | | |
8 | | |
Part 3 — Investigate Pages
🕵️ Step 4 — Page Investigation Checklist

For every page GoBuster discovers, navigate to it and work through this checklist:

View the page in my browser — read all visible content carefully
Open View Page Source (Ctrl+U) and read the full HTML
Search the source for: FLAG, <!--, TODO, password, key, secret
Check the <head> section — flags are sometimes hidden in meta comments
Check the very bottom of the <body> — comments are often placed there
Note any exposed credentials, usernames, API keys, or file paths
Record the flag string in the Flag Tracker (Part 4)
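Added example (not part of the lab) that automates the two manual checks from the Background section and this checklist: it lists every Disallow: path from a robots.txt and pulls the HTML comments that mention the checklist keywords out of a page source. Both inputs below are constructed samples, not content from the Westbrook site.

```python
import re
from html.parser import HTMLParser

# Constructed sample inputs (not fetched from the lab server): a robots.txt and a
# page source containing the kinds of artifacts the worksheet tells you to look for.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /dev/
Disallow: /backup/   # staging leftovers
Allow: /
"""
SAMPLE_PAGE = """<html><head><title>Westbrook</title>
<!-- FLAG{constructed_example_flag} --></head>
<body><nav>Home | Staff</nav>
<!-- TODO: remove admin credentials before launch -->
<!-- dev login: admin / Passw0rd (constructed sample, not a real credential) -->
<p>Welcome to Westbrook Academy</p>
</body></html>"""
# The search terms from Step 2 and the Part 3 checklist, matched case-insensitively.
KEYWORDS = ("flag", "todo", "password", "admin", "key", "secret")

def disallowed_paths(robots_txt: str) -> list[str]:
    """Every path listed under Disallow: (the Step 1 worksheet column)."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()        # robots.txt allows # comments
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:                                 # a bare "Disallow:" blocks nothing
                paths.append(path)
    return paths

class CommentCollector(HTMLParser):
    """Collects <!-- ... --> comments: never rendered, but shown by Ctrl+U."""
    def __init__(self):
        super().__init__()
        self.comments: list[str] = []
    def handle_comment(self, data: str) -> None:
        self.comments.append(data.strip())

def sensitive_comments(page_source: str) -> list[str]:
    """Comments that mention any checklist keyword, for the investigator to review."""
    collector = CommentCollector()
    collector.feed(page_source)
    return [c for c in collector.comments if any(k in c.lower() for k in KEYWORDS)]

def flags_in(page_source: str) -> list[str]:
    """All FLAG{...} tokens in the raw source, inside or outside comments."""
    return re.findall(r"FLAG\{[^}]*\}", page_source)
```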
📌 Pages to Investigate

Make sure you investigate all of the following pages thoroughly:

/westbrook/ 4 flags
/westbrook/robots.txt 1 flag
/westbrook/admin/ 6 flags
/westbrook/dev/ 6 flags
/westbrook/backup/ 4 flags
/westbrook/staff/ 4 flags
Part 4 — Flag Tracker
🚩 Instructions

Record each flag as you find it. Enter where you found it and the full flag string, and mark it once it has been submitted to the portal. Submit all flags at: https://labs.professorsalazar.com/westbrook/ctf/

// Main Page ( / ): 4 flags
// robots.txt ( /robots.txt ): 1 flag
// Admin Dashboard ( /admin ): 6 flags
// Developer Portal ( /dev ): 6 flags
// Backup Directory ( /backup ): 4 flags
// Staff Directory ( /staff ): 4 flags
Part 5 — Analysis Questions
📝 Instructions

Answer the following questions based on your findings. Your responses will be discussed as a class after the lab. Use the OWASP Top 10 reference in the next section.

Q1: What information did robots.txt reveal? Why is this a security concern?
Q2: What sensitive data did you find on the /admin page? What OWASP Top 10 category does this fall under?
Q3: The /dev page contains a ticket system that documents its own vulnerabilities. What does this tell you about the development team's security practices?
Q4: The /backup directory has an open listing showing files like .env.bak and database dumps. Why is this dangerous and how would you remediate it?
Q5: A 403 Forbidden response means access is denied. Why is it still useful recon information compared to a 404 Not Found?
Q6: How could an attacker use the information on the /staff page to launch a social engineering or phishing attack?
Q7: List at least three remediation steps the Westbrook Academy IT team should take to secure this website.
💡 Hints & OWASP Reference
💡 Hints — Only Read if Stuck!
🔍 Hint 1 — I can't find any flags on the main page
Flags on the main page are not visible in the browser. You must use View Page Source (Ctrl+U) and carefully read through the HTML comments. Try Ctrl+F and search for FLAG. Check the <head> tag, just below the <nav>, inside the footer, and at the very bottom of the page.
Hint 2 — GoBuster isn't finding anything
Make sure you are using the correct URL including the trailing slash. Also try the larger wordlist at /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt. If you see a wildcard error, use --exclude-length with the reported false-positive length.
🚫 Hint 3 — I found a directory but get 403 Forbidden
A 403 means the directory exists but directory browsing is restricted. Try navigating directly to the index.html file inside it. For example, try: /westbrook/admin/index.html
💻 Hint 4 — I'm missing flags on the /dev page
Read every section of the page source carefully. Flags are hidden in the <head>, inside the displayed code blocks on the page, inside ticket card comments, and at the very bottom of the <body>.
📋 OWASP Top 10 Reference

Use this when answering the analysis questions in Part 5.

ID | Category
A01 | Broken Access Control
A02 | Cryptographic Failures
A03 | Injection
A04 | Insecure Design
A05 | Security Misconfiguration
A06 | Vulnerable and Outdated Components
A07 | Identification and Authentication Failures
A08 | Software and Data Integrity Failures
A09 | Security Logging and Monitoring Failures
A10 | Server-Side Request Forgery (SSRF)
🎉 Lab Complete!
You've worked through all sections of the Westbrook Academy recon lab.
Now submit your flags at the portal below.
🚩 https://labs.professorsalazar.com/westbrook/ctf/
// What to do next
1. Submit all your flags at the portal above
2. Complete your Part 5 analysis answers if not already done
3. Be ready to discuss your findings with the class