I guessed this challenge is similar to part 1 (ROT1) but we have a specific wordlist to use.

![](https://cryptocat.me/blog/ctf/2025/nahamcon/web/my_second_ctf/images/rotten-app-initial-page.png)

It says "one more step rotten", so I think we might need to ROT2 the wordlist. First, I'll just try ROT1. I give the wordlist to ChatGPT and let it do the work for me.

![](https://cryptocat.me/blog/ctf/2025/nahamcon/web/my_second_ctf/images/rot1-wordlist-results.png)

We get nothing, so let's try ROT2.

![](https://cryptocat.me/blog/ctf/2025/nahamcon/web/my_second_ctf/images/rot2-wordlist-discovery.png)
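As an added example (not from the original writeup), here is a small ROT-N wordlist rotator that does the job ChatGPT was given above, so the rotated list can be fed straight to Intruder; it also generalizes to any shift, for a hint that does not say how many steps further to rotate. The sample wordlist is constructed, not the challenge's real list.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def rotate(word: str, n: int) -> str:
    """Shift every ASCII letter by n positions (ROT-n), wrapping at z/Z.
    Case is preserved; digits, hyphens, underscores, etc. pass through unchanged."""
    out = []
    for ch in word:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + n) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + n) % 26])
        else:
            out.append(ch)
    return "".join(out)


def rotate_wordlist(words, n: int):
    """Return a ROT-n copy of a wordlist, skipping blank and '#' comment lines and
    deduplicating (order kept) so Intruder does not send the same request twice."""
    seen = set()
    result = []
    for raw in words:
        w = raw.strip()
        if not w or w.startswith("#"):
            continue
        r = rotate(w, n)
        if r not in seen:
            seen.add(r)
            result.append(r)
    return result


def all_rotations(word: str):
    """Every ROT-1 .. ROT-25 variant of a word, keyed by shift, for hints that
    do not say how many steps further to rotate."""
    return {n: rotate(word, n) for n in range(1, 26)}


# Constructed sample wordlist (not the challenge's real list); note the duplicate.
SAMPLE_WORDLIST = ["admin", "login", "# comment", "", "secret-page", "Flag_1", "admin"]

if __name__ == "__main__":
    for n in (1, 2):
        print(f"ROT{n}:", "\n".join(rotate_wordlist(SAMPLE_WORDLIST, n)))
```

Write the printed list to a file and load it as the Intruder payload set; the same function produces the rotated list for the GET-parameter fuzzing step later on.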

We find the correct endpoint! However, if we follow the redirection, we are missing a parameter.

![](https://cryptocat.me/blog/ctf/2025/nahamcon/web/my_second_ctf/images/missing-parameter-redirect.png)

We'll repeat the process, this time fuzzing GET parameters with our rotated wordlist. Note that we need to set Burp Intruder to follow redirections, or every response will show as a 301.

![](https://cryptocat.me/blog/ctf/2025/nahamcon/web/my_second_ctf/images/burp-intruder-parameter-fuzzing.png)

We quickly obtain the flag!

Flag: `flag{9078bae810c524673a331aeb58fb0ebc}`

Original writeup (https://cryptocat.me/blog/ctf/2025/nahamcon/web/my_second_ctf/).