I guessed this challenge is similar to part 1 (ROT1) but we have a specific wordlist to use.

![](https://raw.githubusercontent.com/Crypto-Cat/ctf-writeups/refs/heads/main/2025/nahamcon_25/web/my_second_ctf/images/0.PNG)

It says "one more step rotten", so I think we might need to ROT2 the wordlist. First, I'll just try ROT1. I give the wordlist to ChatGPT and let it do the work for me.

![](https://raw.githubusercontent.com/Crypto-Cat/ctf-writeups/refs/heads/main/2025/nahamcon_25/web/my_second_ctf/images/1.PNG)

We get nothing, so let's try ROT2.

![](https://raw.githubusercontent.com/Crypto-Cat/ctf-writeups/refs/heads/main/2025/nahamcon_25/web/my_second_ctf/images/2.PNG)
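The wordlist rotation can also be done locally and reproducibly. This is an added example, not part of the original writeup: the sample words are constructed (not the challenge's wordlist), the function names are hypothetical, and because the writeup does not state the shift direction, the helper accepts negative shifts as well.

```python
import string


def rot_n(word: str, shift: int) -> str:
    """Shift ASCII letters by `shift` positions, wrapping within a-z / A-Z.

    Digits, '-', '_' and any other characters pass through unchanged,
    so path-like or parameter-like entries keep their separators.
    """
    out = []
    for ch in word:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rotate_wordlist(lines, shift):
    """Rotate every non-empty line, dropping blanks and duplicates, keeping order."""
    seen = set()
    result = []
    for line in lines:
        word = line.strip()
        if not word:
            continue
        rotated = rot_n(word, shift)
        if rotated not in seen:
            seen.add(rotated)
            result.append(rotated)
    return result


# Constructed sample entries, including a blank line and a duplicate.
SAMPLE = ["admin", "debug", "xyz-panel", "Debug_v2", "", "admin"]

if __name__ == "__main__":
    for shift in (1, 2):
        print(f"ROT{shift}:", rotate_wordlist(SAMPLE, shift))
    # Round trip: shifting back by the same amount must restore the input.
    restored = rotate_wordlist(rotate_wordlist(SAMPLE, 2), -2)
    print("round trip ok:", restored == ["admin", "debug", "xyz-panel", "Debug_v2"])
```

The round-trip check is a quick way to confirm the list was not mangled before reusing it for the parameter fuzzing step.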

We find the correct endpoint! However, if we follow the redirection, we are missing a parameter.

![](https://raw.githubusercontent.com/Crypto-Cat/ctf-writeups/refs/heads/main/2025/nahamcon_25/web/my_second_ctf/images/3.PNG)

We'll repeat the process, this time fuzzing GET params with our rotated wordlist. Note that we need to set Burp Intruder to follow redirections, or they will all show 301.

![](https://raw.githubusercontent.com/Crypto-Cat/ctf-writeups/refs/heads/main/2025/nahamcon_25/web/my_second_ctf/images/4.PNG)

We quickly obtain the flag!

Flag: `flag{9078bae810c524673a331aeb58fb0ebc}`

Original writeup (https://book.cryptocat.me/ctf-writeups/2025/nahamcon/web/my_second_ctf).