Listen to this Post

Introduction
In an era where cybersecurity skills are best forged through practical application, hands-on Capture The Flag (CTF) challenges provide the ideal training ground for aspiring offensive security professionals. Security researcher Martín Martín has launched a free, browser-based CTF lab featuring 12 progressively difficult challenges focused on reconnaissance fundamentals, requiring no local tools or complex setup—just a web browser and analytical thinking.
Learning Objectives
- Understand and apply reconnaissance techniques using publicly available information and web standards
- Develop systematic problem-solving approaches for security challenges without relying on automated tools
- Interpret and utilize technical specifications (RFCs) as attack surface indicators during initial enumeration phases
You Should Know
1. RFC 9116: The Hidden Reconnaissance Gateway
RFC 9116 defines the “security.txt” standard, which specifies a file that websites should host at `/.well-known/security.txt` to disclose vulnerability disclosure policies and security contacts. For reconnaissance, this file can reveal critical information:
What it does: The security.txt file often contains PGP keys, email contacts, and preferred disclosure methods—goldmines for social engineering or understanding an organization’s security posture.
How to use it:
Linux/macOS - Check for security.txt curl -I https://mmartin.me/.well-known/security.txt curl https://mmartin.me/.well-known/security.txt Windows PowerShell equivalent Invoke-WebRequest -Uri https://mmartin.me/.well-known/security.txt -Method Head Invoke-WebRequest -Uri https://mmartin.me/.well-known/security.txt
Step-by-step reconnaissance approach:
- Always check `/.well-known/` directories during initial web enumeration
- Document any email addresses, PGP keys, or policy statements found
3. Cross-reference discovered contacts with public breach databases
- Use PGP keys to verify legitimate security researcher identities
2. Browser-Based Reconnaissance Techniques
Modern browsers are powerful recon tools when used methodically. For the CTF challenges, leverage built-in developer tools:
What this does: Browser developer tools expose network requests, storage data, and DOM elements that may contain hidden flags or configuration details.
Step-by-step guide:
- Press F12 (or right-click → Inspect) to open Developer Tools
- Navigate to the Network tab and reload the page—observe all HTTP requests
- Check the Sources tab for JavaScript files that may contain encoded data
- Examine Storage → Local/Session Storage for cached credentials or tokens
- Use the Console to test JavaScript functions that might reveal hidden content
// Example console commands to test console.log(document.cookie); document.querySelectorAll('[bash]');
3. Directory Enumeration Without Tools
Since no external tools are permitted, manual directory brute-forcing requires creative thinking:
What this does: Systematically guessing common directory names to discover hidden endpoints.
Step-by-step manual enumeration:
1. Start with industry-standard directory names:
/admin,/backup,/config,/private,/temp, `/test`
2. Try version control exposure paths:
/.git/,/.svn/, `/.env`
3. Check for common backup file extensions:
index.html.bak,config.php~, `database.sql`
4. Use browser history prediction by typing common paths and observing 404 vs 200 responses
- Document response size differences—sometimes a 403 (Forbidden) indicates the directory exists
4. HTTP Header Analysis for Clues
HTTP response headers often leak server configurations, technologies used, and sometimes hidden flags:
What this does: Headers reveal server software, caching policies, security implementations, and custom debugging information.
Step-by-step header inspection:
Linux/macOS - View all response headers curl -I https://mmartin.me/challenge1 Windows PowerShell Invoke-WebRequest https://mmartin.me/challenge1 | Select-Object -ExpandProperty Headers
Key headers to examine:
– `Server:` – Technology stack (Apache, nginx, custom)
– `X-Powered-By:` – Often reveals PHP/ASP.NET versions
– `X-Debug-Token:` – Symfony framework debugging endpoint
– `Set-Cookie:` – Session handling mechanisms
– `X-Frame-Options:` – Clickjacking protection status
5. JavaScript Deobfuscation Techniques
Many CTF challenges hide flags in client-side scripts:
What this does: Identifies and decodes obfuscated JavaScript containing hidden data.
Step-by-step approach:
- View page source (Ctrl+U) and search for `