Note
web
web-client
api
client-side-logic
information-disclosure
hidden-endpoint
devtools
easy
A text-adventure game validates commands client-side, but the full command tree (including a 'secret' branch) is served by /api/options. Read the secret command from the API and type it into the game to print the flag.
Flag Command — hidden game option exposed by the API
Platform: HackTheBox · Category: Web (client-side) · Stack: Static JS game + small JSON API
Challenge overview
An interactive command game. The front-end JS only knows about the "normal" choices per step, but the
server exposes the entire command tree — including a hidden secret branch — via an API the game
calls:
curl http://target/api/options
{
"allPossibleCommands": {
"1": ["HEAD NORTH","HEAD WEST","HEAD EAST","HEAD SOUTH"],
"2": ["GO DEEPER INTO THE FOREST","FOLLOW A MYSTERIOUS PATH", ...],
"3": [ ... ],
"4": ["ENTER A MAGICAL PORTAL", ...],
"secret": ["Blip-blop, in a pickle with a hiccup! Shmiggity-shmack"]
}
}
Input validation happens only in the front-end JS, which compares what you type against the options it knows for the current step; the server accepts every command in the tree, so the secret entry is just another valid option. Type the secret string at the game prompt:
Blip-blop, in a pickle with a hiccup! Shmiggity-shmack
-> HTB{D3v3l0p3r_t00l5_4r3_b35t__t0015_wh4t_d0_y0u_Th1nk??}
Flag: HTB{D3v3l0p3r_t00l5_4r3_b35t__t0015_wh4t_d0_y0u_Th1nk??}
Takeaways (generalized techniques)
- The API often ships more than the UI uses. When a SPA/game drives logic from a JSON endpoint, hit that endpoint directly — hidden states, admin flags, and "secret" branches are frequently present in the payload but never surfaced by the front-end.
- Client-side "validation" isn't a gate. Anything the browser checks (allowed commands, button enable/disable) can be bypassed by replaying the raw request the server actually accepts.
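The two takeaways above, and the overview's point that the game fetches its whole command tree from one endpoint, as an added example (not part of the original writeup and not the challenge's own code): a small script that diffs the server payload against what the UI actually renders. SAMPLE_OPTIONS is a constructed stand-in for the real response; only step "1" and the "secret" branch are copied from the writeup, the rest is filler. fetchHiddenBranches is meant to be pasted into the DevTools console on the game page and assumes the endpoint path /api/options from the writeup.

```javascript
// Added example: find every branch the /api/options payload carries that the
// game UI never surfaces. SAMPLE_OPTIONS is constructed for offline use;
// steps "2"-"4" here are filler, not the real challenge data.
const SECRET = "Blip-blop, in a pickle with a hiccup! Shmiggity-shmack";

const SAMPLE_OPTIONS = {
  allPossibleCommands: {
    "1": ["HEAD NORTH", "HEAD WEST", "HEAD EAST", "HEAD SOUTH"],
    "2": ["GO DEEPER INTO THE FOREST", "FOLLOW A MYSTERIOUS PATH"], // constructed
    "3": ["CLIMB THE TREE", "CROSS THE RIVER"],                     // constructed
    "4": ["ENTER A MAGICAL PORTAL", "TURN BACK"],                   // constructed
    "secret": [SECRET],
  },
};

// The front-end walks numeric step ids ("1", "2", ...). Any other key in the
// tree is a branch the UI has no way of presenting to the player.
function hiddenBranches(options) {
  const tree = (options && options.allPossibleCommands) || {};
  return Object.entries(tree)
    .filter(([step]) => !/^\d+$/.test(step))
    .map(([step, commands]) => ({ step, commands: [...commands] }));
}

// Generalised check: everything the server lists minus everything the UI
// rendered. Whatever is left is reachable only by submitting it directly,
// i.e. by replaying the raw request the server accepts.
function unsurfacedCommands(options, renderedCommands) {
  const shown = new Set(renderedCommands);
  const all = Object.values((options && options.allPossibleCommands) || {}).flat();
  return all.filter((cmd) => !shown.has(cmd));
}

// Live variant for the browser console. Assumes the writeup's endpoint path;
// fetchImpl is injectable so the function can be exercised without a network.
async function fetchHiddenBranches(url = "/api/options", fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(url, { credentials: "same-origin" });
  if (!res.ok) throw new Error(`${url}: HTTP ${res.status}`);
  return hiddenBranches(await res.json());
}

// Offline demo against the constructed payload.
console.log(JSON.stringify(hiddenBranches(SAMPLE_OPTIONS), null, 2));
```

In the real challenge, `await fetchHiddenBranches()` in the console returns the `secret` branch directly; the same diff approach works for any SPA that drives its state machine from a JSON endpoint, since the front-end's rendered choices are a strict subset of what the server will accept.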
Sources & references
- Challenge source:
hackthebox/web/flag_command