Flash CTF – Treasure Map

Web Exploitation — Difficulty ★☆☆

Challenge Brief

We’re given a small pirate-themed web site called The Digital Buccaneer. Nothing in the main navigation mentions a flag, but the description hints that “every ship keeps a map of its territory” and nudges us toward looking for a sitemap file.

Our goal is simple: Find the hidden page that contains the flag.


Initial Recon

Open the root of the site in a browser (or with curl) and click around. Doing so, you’ll find the following pages:

  • / – landing page
  • /crew, /ship and /history – informational pages

Nothing stands out, so we move on to the common “well-known” discovery files that sites often leave lying around. A quick word-list scan (or a manual guess) for sitemap.xml, which the site itself hints at repeatedly, pays off:

$ curl -s http://digitalbuccaneer.chals.mctf.io/sitemap.xml | head
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
    <url>
        <loc>http://digitalbuccaneer.chals.mctf.io/</loc>

Reading sitemap.xml

Further down the file, one entry stands out, complete with an XML comment the author probably never expected a visitor to read:

<!-- SECRET TREASURE LOCATION - Do not tell the crew! -->
<url>
  <loc>http://digitalbuccaneer.chals.mctf.io/treasure-chamber</loc>
  <lastmod>2024-01-15</lastmod>
  <changefreq>never</changefreq>
  <priority>0.9</priority>
</url>

The sitemap openly lists a treasure-chamber endpoint that is never linked from the UI. That is the whole lesson of the challenge: a sitemap exists precisely so that crawlers index every URL in it, so anything placed there is public whether or not the site's navigation points to it.


Claiming the Treasure

Visit the URL we just found:

$ curl -s http://digitalbuccaneer.chals.mctf.io/treasure-chamber | grep -i metaCTF
    MetaCTF{y0u_f0und_7h3_tr34sur3_m4p_4nd_g0t_7h3_f14g}

We’ve got the flag.

MetaCTF{x_marks_the_digital_spot_matey}

An Additional Solution: robots.txt

After solving the challenge we inspected another common file, robots.txt, and found it contains a comment that literally points to the sitemap:

User-agent: *
Allow: /

# For those seeking treasure, check our sitemap!
Sitemap: http://digitalbuccaneer.chals.mctf.io/sitemap.xml

So there were actually two separate breadcrumbs:

  1. Blindly enumerating well-known files (sitemap.xml).
  2. Reading robots.txt, which in turn advertises the sitemap location.

Either path leads to the same hidden endpoint.
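To make both breadcrumbs (the robots.txt Sitemap directive and the unlinked entry in sitemap.xml) mechanical rather than a matter of eyeballing output, here is a small added parser. This is example code written for this writeup, not part of the challenge or of any tool the original author used. It works entirely offline on constructed copies of the two files (the sitemap sample adds a /crew entry that the page did not show, to give the "unlinked" filter something to keep and something to drop), and LINKED_PATHS is an assumption based on the recon step above. One practical caveat it handles: Python's ElementTree throws XML comments away by default, so a naive sitemap parser would never see the "SECRET TREASURE LOCATION" hint; the parser below is built with insert_comments=True so comments survive.

```python
"""Added example: pull hidden endpoints out of robots.txt and sitemap.xml."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample inputs. ROBOTS_TXT mirrors the challenge's robots.txt as
# shown in the writeup; SITEMAP_XML mirrors its sitemap.xml plus an assumed
# /crew entry so the unlinked-URL filter has both kinds of entry to judge.
ROBOTS_TXT = """User-agent: *
Allow: /

# For those seeking treasure, check our sitemap!
Sitemap: http://digitalbuccaneer.chals.mctf.io/sitemap.xml
"""

SITEMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
    <url>
        <loc>http://digitalbuccaneer.chals.mctf.io/</loc>
    </url>
    <url>
        <loc>http://digitalbuccaneer.chals.mctf.io/crew</loc>
    </url>
    <!-- SECRET TREASURE LOCATION - Do not tell the crew! -->
    <url>
        <loc>http://digitalbuccaneer.chals.mctf.io/treasure-chamber</loc>
        <lastmod>2024-01-15</lastmod>
        <changefreq>never</changefreq>
        <priority>0.9</priority>
    </url>
</urlset>
"""

# Assumption: the paths reachable by clicking through the site's navigation,
# taken from the recon step. Anything in the sitemap but not here is "hidden".
LINKED_PATHS = {"/", "/crew", "/ship", "/history"}

SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"


def parse_robots(text):
    """Return (sitemap_urls, comments, disallowed_paths) from a robots.txt body.

    Comments are kept deliberately: during recon they are frequently the most
    informative lines in the file, as this challenge demonstrates.
    """
    sitemaps, comments, disallowed = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            comments.append(line.lstrip("#").strip())
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "sitemap":
            sitemaps.append(value)
        elif field == "disallow" and value:
            disallowed.append(value)  # Disallow lines are their own breadcrumb
    return sitemaps, comments, disallowed


def parse_sitemap(xml_text):
    """Return (urls, comments) from a sitemap.xml body.

    A default ElementTree parser silently drops <!-- comments -->; building the
    tree with insert_comments=True keeps them as elements tagged ET.Comment.
    """
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    urls = [loc.text.strip() for loc in root.iter(f"{{{SITEMAP_NS}}}loc") if loc.text]
    comments = [node.text.strip() for node in root.iter(ET.Comment) if node.text]
    return urls, comments


def unlinked_urls(sitemap_urls, linked_paths):
    """URLs the sitemap advertises that the site's UI never links to."""
    hidden = []
    for url in sitemap_urls:
        path = urlparse(url).path or "/"
        if path not in linked_paths:
            hidden.append(url)
    return hidden


if __name__ == "__main__":
    sitemaps, robots_comments, disallowed = parse_robots(ROBOTS_TXT)
    print("robots.txt sitemaps:", sitemaps)
    print("robots.txt comments:", robots_comments)
    print("robots.txt disallowed:", disallowed)
    # Against a live target you would now fetch each URL in `sitemaps`;
    # here the sitemap body is the constructed sample above.
    urls, xml_comments = parse_sitemap(SITEMAP_XML)
    print("sitemap comments:", xml_comments)
    print("unlinked endpoints:", unlinked_urls(urls, LINKED_PATHS))
```

Against a real target, replace the two string constants with the bodies returned by `curl -s` for /robots.txt and each URL the Sitemap directives name (sitemap index files can nest further sitemaps, so follow them recursively), and treat every URL that `unlinked_urls` returns as a page worth visiting by hand.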