Challenge Overview
This challenge involves finding a hidden token in a webpage's source code, decoding it using the ROT13 cipher, and using it to authenticate against an API endpoint to retrieve the flag.
Key concepts: ROT13 encoding, API authentication with custom headers
Step 1 – Inspect the Page Source
View the page source and look through the HTML for any hidden comments or metadata. You'll find a hidden token:
The token found is: q3i3y0c3e_g00y5
Step 2 – Decode the ROT13 Token
The token is ROT13-encoded. Decode it via rot13.com or in your terminal:
echo "q3i3y0c3e_g00y5" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Note: ROT13 only shifts letters — numbers and special characters stay unchanged.
q3i3y0c3e_g00y5 → d3v3l0p3r_t00l5
Step 3 – Authenticate Against the API
Pass the decoded token as a custom header to the API endpoint:
curl -H "x-secret-token: d3v3l0p3r_t00l5" http://x-ray-vision.aws.jerseyctf.com/api/status
Flag
jctf{r0t_y0ur_w4y_t0_4cc3ss}
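From the defender's side, the leak in Steps 1 and 2 can be caught before deployment. The added example below (not part of the original writeup or the challenge's code) scans the text a browser does not render for any secret the API accepts, as written or ROT13-encoded. The sample HTML and the names HiddenTextCollector and find_leaked_secrets are constructed for illustration.

```python
import codecs
import re
from html.parser import HTMLParser

# Constructed sample page: the challenge's real HTML is not shown in the writeup.
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta name="build" content="2024.03">
<!-- TODO remove before launch: q3i3y0c3e_g00y5 -->
</head><body><h1>Status</h1><!-- layout v2 --></body></html>"""


class HiddenTextCollector(HTMLParser):
    """Collects text a browser never renders: comments and <meta> content."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_comment(self, data):
        self.hidden.append(("comment", data.strip()))

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            content = dict(attrs).get("content")
            if content:
                self.hidden.append(("meta", content))


def find_leaked_secrets(html, secrets):
    """Return (location, secret, encoding) for each secret found in hidden text."""
    collector = HiddenTextCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for location, text in collector.hidden:
        for word in re.findall(r"[\w-]+", text):
            # ROT13 shifts letters only, so digits and "_" in a token survive.
            variants = (("plain", word), ("rot13", codecs.decode(word, "rot13")))
            for encoding, candidate in variants:
                if candidate in secrets:
                    findings.append((location, candidate, encoding))
    return findings


if __name__ == "__main__":
    for finding in find_leaked_secrets(SAMPLE_HTML, {"d3v3l0p3r_t00l5"}):
        print(finding)
```

A finding in either encoding means the secret ships to every visitor, since ROT13 is its own inverse and needs no key.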



