This is a medium-rated room on TryHackMe for the 2026 Valentine’s Day CTF Challenge.
We are given a website to look at and an initial hint that goes
Since the hint points towards vibe-coding, we should expect some of the site's functionality to be vulnerable, as AI is notorious for not taking security into consideration when generating sites.
After checking the landing page source code, we find nothing of significance, so we move on to creating an account. This gives us an idea of how the app is intended to work. Looking around the profiles we are given, we notice that each user has a characteristic message.
Cupid in particular seems to be pointing us in a certain direction. If we check the source code for this profile, we notice some odd comments from the devs.
<script>
// Initial load
document.addEventListener("DOMContentLoaded", function() {
    loadTheme('theme_classic.html');
});

function loadTheme(layoutName) {
    // Feature: Dynamic Layout Fetching
    // Vulnerability: 'layout'…
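Developer comments like the ones above are served to every visitor, so a pre-release check can flag them before they ship. The following is an added example, not code from the room or the original writeup; the keyword list, function names and sample page are assumptions constructed for illustration.

```javascript
// Heuristic scan for developer comments that would be served to the browser.
// KEYWORDS and SAMPLE are constructed for illustration.
const KEYWORDS = /\b(vulnerab\w*|todo|fixme|hack|password|secret|debug|internal)\b/i;

function extractComments(html) {
  const found = [];
  const lineOf = (idx) => html.slice(0, idx).split("\n").length;

  // HTML comments anywhere in the page.
  for (const m of html.matchAll(/<!--([\s\S]*?)-->/g)) {
    found.push({ line: lineOf(m.index), kind: "html", text: m[1].trim() });
  }
  // JS comments inside inline <script> blocks.
  for (const s of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const bodyStart = s.index + s[0].indexOf(">") + 1;
    // String literals are matched first and skipped, so the "//" in a
    // URL string such as 'https://...' is not mistaken for a comment.
    const token = /("(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'|`(?:\\.|[^`\\])*`)|\/\/([^\n]*)|\/\*([\s\S]*?)\*\//g;
    for (const t of s[1].matchAll(token)) {
      if (t[1] !== undefined) continue; // string literal, not a comment
      const text = (t[2] ?? t[3]).trim();
      found.push({ line: lineOf(bodyStart + t.index), kind: "js", text });
    }
  }
  return found;
}

// Keep only the comments whose text matches a risky keyword.
function findLeakyComments(html) {
  return extractComments(html).filter((c) => KEYWORDS.test(c.text));
}

// Constructed sample page (not the room's actual source).
const SAMPLE = [
  "<html><body>",
  "<!-- build 42 -->",
  "<script>",
  "// Initial load",
  "const api = 'https://example.test/api'; // TODO remove debug endpoint",
  "function loadTheme(layoutName) {",
  "  // Feature: Dynamic Layout Fetching",
  "  // Vulnerability: placeholder note left by a developer",
  "}",
  "</script>",
  "</body></html>",
].join("\n");

console.log(findLeakyComments(SAMPLE));
```

Running this against built pages in CI and failing on any hit keeps such notes in the repository instead of in the response body.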