To illustrate how a penetration tester can take advantage of robots.txt, we will use vicnum, a vulnerable web application in vm_1, which contains three number and word guessing games. We will use information obtained through robots.txt to increase our chances of winning those games:

1. Browse to http://192.168.56.11/vicnum/.
2. Now, we add robots.txt to the URL and we will see the following:

This file tells search engines that the indexing of the directories jotto and cgi-bin is not allowed for every browser (User-agent). However, this doesn't mean that we cannot browse them.

3. Let's browse to http://192.168.56.11/vicnum/cgi-bin/:

We can click and navigate directly to any of the Perl scripts (.pl files) in this directory.

4. Let's browse to http://192.168.56.11/vicnum/jotto/.
5. Click on the file named jotto. You will see something similar to the
   following screenshot:

jotto is a game about guessing five-character words; could this be the list of possible answers? Play the game using words in that list as answers. We have already hacked the game: