truesapiens

Built to make you extraordinarily productive. truesapiens is the best CTF platform for hackers.

user@truesapiens~$ subfinder -d target.io -silent | tee subs.txt
✓ 184 subdomains enumerated
user@truesapiens~$ cat subs.txt | httpx -mc 200 -t 80 | tee alive.txt
✓ 142 alive hosts
user@truesapiens~$ katana -list alive.txt -d 3 -jc -kf all | tee urls.txt
✓ 8,914 endpoints crawled
user@truesapiens~$ cat urls.txt | grep -E "\.(js|json)" | tee js.txt
✓ 612 JS / JSON files
user@truesapiens~$ nuclei -l alive.txt -t technologies -severity low,medium | tee nuclei.txt
⚠ 27 findings · 4 critical
user@truesapiens~$ gau target.io | gf xss | dalfox pipe --skip-bav | tee xss.txt
✓ 9 XSS candidates verified

Supported by

GitHub
Sentry
Cloudflare
Better Auth
Neon
Next.js
Vitest
Vercel

Submit your flag.

Real-world CTF challenges on truesapiens.com with points, hints, and writeups.

WEB #001 · Easy · 100 pts
Hidden in the Source

By: @truesapiens · 2 days ago

Find the password hidden in the page source of the login form.

Files
truesapiens.com
index.html
login.php
admin/
robots.txt
api/
sitemap.xml
200 OK · 18 B
User-agent: *
Disallow: /admin
Allow: /
Sitemap: /sitemap.xml
// truesapiens{whispers_in_plain_sight}
// hint: the admin panel isn't in robots.txt either

Find the answer.

Robots.txt, sitemap, and page source — the flag is often hiding in plain sight.


Learn together.

Share writeups, celebrate solves, and swap techniques with fellow hunters in the community feed.

Sarah Chen · 2h · 🌐

Just dropped a writeup for "Hidden in the Source" 🔍

The flag was sitting in robots.txt this whole time. Check the Disallow entries 👇

#web #recon #robots-txt


John D.: The robots.txt hint was clever 👏


Aulia R. solved it! 🎉 +100 pts

web-security-101 · 24 members
Aulia R. 10:24

what does Disallow: /admin mean in robots.txt?

Reza P. 10:25

it tells crawlers not to index /admin

Aulia R. 10:25

but humans can still visit it 😅

Reza P. 10:26

exactly — that's the recon step


Master the craft.

Bite-sized lessons and live channel discussions — from recon basics to advanced exploitation.
