Gawds CTF / Know what's in your head

Description

Try to see what's inside your head before moving forward.

https://head.ctf.gawds.in

This challenge was filled with dummy flags and was quite frustrating.


The Challenge

Looking at the description, the answer presumably lies in the HTTP headers.

As always, checking the robots.txt file gave up the following info:

### BEGIN FILE ###

User-agent: gawds-crawler
Disallow:

### END FILE ###

From the robots.txt file, we can infer that the User-Agent should be set to gawds-crawler.

Navigating to

http://swisshawk.ctf.gawds.in/flag

greets us with an Access Denied error.

Changing the method to POST also results in the same error.

I started to dig more and stumbled upon sitemap.xml:
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>http://www.example.com/</loc>
<lastmod>2018-01-02</lastmod>
<changefreq>once</changefreq>
<priority>0.8</priority>
</url>
<url>
<loc>
http://www.example.com/53129cdb3222c675a3ab1d3763a7665e90e26aed
</loc>
<lastmod>2018-01-02</lastmod>
<changefreq>once</changefreq>
<priority>1.0</priority>
</url>
</urlset>

Visiting

https://head.ctf.gawds.in/53129cdb3222c675a3ab1d3763a7665e90e26aed

Dummy1

Checking the headers:

tryharderflag:flag{Alm0st_Reach4d_But_THis_is_A_DUmmY_Flag}

This was quite annoying! I decided to give it one last and final shot.

Looking at the hash string in the URL, it seemed like a SHA-1 hash.

So I computed the SHA-1 hash of the flag value and obtained

112f3a99b283a4e1788dedd8e0e5d35375c33747

Visiting,

https://head.ctf.gawds.in/112f3a99b283a4e1788dedd8e0e5d35375c33747

You get:

Dummy2

When we check the headers, we get:

Flag: flag{G00d_W0rk_AlWys_check_f0R_headers}
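The steps above (send the crawler User-Agent, read the response headers, hash a dummy flag with SHA-1 to get the next path) as a small script. This is an added example, not code from the original write-up; the stop rule that the real flag arrives under a header named Flag while dummies arrive under other names is an assumption taken from the two responses shown.

```python
import hashlib
import re
import urllib.error
import urllib.request

FLAG_RE = re.compile(r"flag\{[^}]*\}")
USER_AGENT = "gawds-crawler"  # the only agent named in robots.txt

# Constructed sample headers, mirroring the first dummy response in the write-up.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "tryharderflag": "flag{Alm0st_Reach4d_But_THis_is_A_DUmmY_Flag}",
}


def find_flags(headers):
    """Return (header name, flag) pairs for every flag{...} found in a headers mapping."""
    return [(name, m.group(0)) for name, value in headers.items()
            for m in FLAG_RE.finditer(value)]


def next_path(flag):
    """A dummy flag points at the next page: its path is the SHA-1 hex digest of the flag text."""
    return "/" + hashlib.sha1(flag.encode()).hexdigest()


def fetch_headers(url, user_agent=USER_AGENT, timeout=10):
    """GET url with the crawler User-Agent and return (status, headers dict), even on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())


def walk(base, path, fetch=fetch_headers, max_hops=5):
    """Follow dummy flags from path; stop at a header literally named Flag (assumed real) or max_hops."""
    chain = []
    for _ in range(max_hops):
        status, headers = fetch(base + path)
        flags = find_flags(headers)
        if not flags:
            break
        name, flag = flags[0]
        chain.append((path, status, name, flag))
        if name.lower() == "flag":
            break
        path = next_path(flag)  # dummy: hash it to find the next page
    return chain


if __name__ == "__main__":
    for hop in walk("https://head.ctf.gawds.in", "/53129cdb3222c675a3ab1d3763a7665e90e26aed"):
        print(hop)
```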