Huntress CTF 2025 - RFC-9309

A warm-up web challenge from Huntress CTF 2025 involving RFC 9309 and discovering a hidden flag within a robots.txt file.

Category: Warm-up

Description: “Sorry. You know every CTF has to have it.”

Introduction

This write-up covers the RFC-9309 challenge from the 2025 Huntress CTF. Huntress CTF is a yearly CTF hosted by Huntress every October to celebrate Cybersecurity Awareness Month, containing dozens of different challenges ranging from OSINT to forensics to full-on web application penetration testing, and many more. To see my other write-ups for this year's CTF, click here.

Background

Before solving the challenge, it’s useful to know what “RFC 9309” even means. RFCs, or Requests for Comments, are formal technical documents published by the Internet Engineering Task Force (IETF) that officially describe internet protocols and technologies for standardization purposes. RFC 9309 specifically defines the standard for the robots.txt protocol, which websites use to define rules for how automated web crawlers (such as search engine bots) are allowed to interact with the site. For example, the robots.txt file can define rules on which directories web crawlers are allowed to access, which types of web crawlers are allowed on the site, and which file types the web crawler is allowed to view (.html, .png, etc.).

Solving the challenge

After starting the challenge’s web instance and connecting to it, we were taken to https://9888662f.proxy.coursestack.com/, which contained the aforementioned RFC 9309 document. There were no hints given for this challenge, but based on the contents of the webpage it was clear that this challenge had something to do with robots.txt. Since robots.txt is usually at the root directory of a website, I proceeded to visit https://9888662f.proxy.coursestack.com/robot.txt to view the file. The file seemed empty; however, a quick search for the word “flag” revealed the challenge flag hidden deep in the document.
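The same check as a script, for reviewing a robots.txt that renders as empty: it flags content that follows a long run of blank lines, comments, and records outside the RFC 9309 rule set. This is an added example, not part of the original write-up; the sample file, its flag value and the `gap_threshold` parameter are constructed for illustration.

```python
import re

# Constructed sample: looks empty past the first two lines because the rest
# is pushed down by 400 blank lines. The flag value is a placeholder.
SAMPLE = (
    "User-agent: *\nDisallow: /admin/\n"
    + "\n" * 400
    + "# flag{constructed_placeholder}\nCrawl-delay: 10\n"
)

# Rule lines defined by RFC 9309, plus "sitemap", which the RFC names as an
# example of an "other record" that crawlers may interpret.
KNOWN = {"user-agent", "allow", "disallow", "sitemap"}
RECORD_RE = re.compile(r"^([A-Za-z-]+)\s*:\s*(.*?)\s*(?:#.*)?$")


def audit_robots(text, gap_threshold=20):
    """Return (line_no, kind, content) for lines a reviewer should read."""
    findings = []
    blank_run = 0
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            blank_run += 1
            continue
        # Content after a long blank gap is easy to miss when eyeballing.
        if blank_run >= gap_threshold:
            findings.append((no, "after-padding", line))
        blank_run = 0
        if line.startswith("#"):
            # Comments are ignored by crawlers but readable by anyone.
            findings.append((no, "comment", line))
            continue
        m = RECORD_RE.match(line)
        if not m or m.group(1).lower() not in KNOWN:
            findings.append((no, "unknown-line", line))
    return findings


if __name__ == "__main__":
    for no, kind, content in audit_robots(SAMPLE):
        print(f"line {no}: {kind}: {content}")
```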

Conclusion

This challenge wasn’t the most difficult thing in the world, which was expected from a warm-up challenge. However, it was a nice introduction to what Huntress CTF is all about, playing into the whole “cybersecurity awareness month” vibe by introducing us to RFCs and robots.txt while also throwing in a nice little puzzle for us to solve and find a flag.

This post is licensed under CC BY 4.0 by the author.