In this post, I will walk you through the HTTP — Directory indexing challenge from the Root Me Web Server category, classified as an easy level.

Click the "Start the challenge" button to open the application, which shows a blank page with no input fields, buttons, or links.

The challenge description is given as 'CTRL+U…', which is the shortcut key for 'view page source'. Pressing Ctrl+U reveals a commented-out line: '<!-- include("admin/pass.html") -->'

Visiting the /admin/pass.html endpoint loads a page with a simple message, but displays no useful or sensitive data.

Viewing the source code on the new page doesn't provide further information either.

By removing pass.html from the URL and accessing just /admin/, we discover that directory listing/indexing is enabled. This exposes the contents of the admin folder directly in the browser, demonstrating the vulnerability reflected in the challenge's name.

The directory listing shows available files and subdirectories.

Within the backup folder, an admin.txt file is accessible.

By opening admin.txt, we retrieve the password value needed to solve the challenge.

Conclusion: Directory indexing occurs when a web server lists the files and subdirectories of a directory that has no index file. This behavior can unintentionally reveal sensitive data to attackers. Allowing unauthenticated users to see directory contents makes it easy to find backup files or credentials.
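
To check your own site for this behavior, the sketch below classifies an HTTP response body as an auto-generated listing and flags entries that look like backups or credentials. It is an added example, not part of the original challenge or post; the title signatures, the watch-list pattern and the sample bodies are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Title/heading text of auto-generated listings: Apache and nginx emit
# "Index of /path", Python's http.server emits "Directory listing for /path".
LISTING_TITLE = re.compile(r"<(title|h1)>\s*(Index of /|Directory listing for /)", re.I)
# Constructed watch list of names that should never be reachable via a listing.
SENSITIVE = re.compile(r"backup|passw|cred|secret|\.(bak|old|sql|zip|txt|env)$", re.I)


class _Links(HTMLParser):
    """Collect the href value of every anchor in the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def audit_listing(body):
    """Return (is_listing, entries, flagged) for one HTTP response body."""
    if not LISTING_TITLE.search(body):
        return False, [], []
    parser = _Links()
    parser.feed(body)
    # Drop column-sort links (?C=N;O=D) and absolute/parent-directory links.
    entries = [h for h in parser.hrefs if not h.startswith(("?", "/", "../"))]
    flagged = [e for e in entries if SENSITIVE.search(e.rstrip("/"))]
    return True, entries, flagged


# Constructed sample bodies modelled on the pages seen in this walkthrough.
SAMPLE_ADMIN = """<html><head><title>Index of /admin</title></head><body>
<h1>Index of /admin</h1><pre><a href="?C=N;O=D">Name</a>
<a href="/">Parent Directory</a>
<a href="backup/">backup/</a>
<a href="pass.html">pass.html</a></pre></body></html>"""
SAMPLE_PASS = "<html><body><p>Nothing to see here.</p></body></html>"

if __name__ == "__main__":
    for path, body in (("/admin/", SAMPLE_ADMIN), ("/admin/pass.html", SAMPLE_PASS)):
        print(path, audit_listing(body))
```

Any path that comes back as a listing should either get an index file or have indexing switched off in the server configuration, and flagged entries should be moved out of the web root.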

Thanks for reading.