Author: whitesilence9220
The very first web challenge on tjctf 2026. Description: Let’s go hunt down some treasure! The flag is split into 4 parts. I’ll give you the first one right here: tjctf
And we’re being given this url also provided first part of the flag: tjctf
The site looks pretty basic with a single button going to https://treasure-hunt.tjc.tf/extra_info
Upon inspecting / we notice a hidden
tag with part of the flag in it: and
Thinking its an easy one we look at /extra_info , but there isnt much there.
Time to dig deeper and check dev tools. And BINGO we find a cookie with value: {s1lv3r
That brings us here: tjctf{s1lv3r_and_
Time to crack this one and find the last missing piece Since we’ve been lead to /extra_info and given a penguin i thought they hid the last piece inside the image. I downloaded the image and did a quick scan, its a normal png file, we can check some data in it using exiftool which didn’t show much promise, maybe strings piping into grep for ’}’ in hopes of grabing the end of a flag or just general grep to win? NO Success, i quicly tried stegonline to see if i can get anything out of it, nope it looks like a dead end.
I was thinking about different/hidden routes so i attempted a few general ones like /flag /ctf /tjctf /hidden /api to no avail. And then boom the idea came into my head which i should of tried slightly earlier and it is robot.txt and sitemap.xml. Upon hitting robots.txt we strike a gold mine, get it? It shows us a hidden route: Disallow: /gold-coffer, checking it gives us the last piece: g0ld}
And GG: tjctf{s1lv3r_and_g0ld}