ROT Cipher Endpoint Discovery – NahamCon CTF 2025: My First CTF
TL;DR
- Minimal web app with no visible attack surface.
- Challenge name hints at a ROT-1 Caesar cipher.
- ROT applied to common endpoints reveals the flag path.
- Flag retrieved directly from a rotated filename.
Description
On second thoughts I should have probably called this challenge "Nz Gjstu DUG"
Solution
We get through to a "rotten app" with no JS, links, cookies or anything for us to explore!

The challenge description provides the hint: "Nz Gjstu DUG" is "My First CTF" rotated by 1 (Caesar cipher). We can apply ROT1 to some likely endpoints, e.g. /admin and /flag, and eventually find that the correct one is /flag.txt.
We request the rotated endpoint /gmbh.uyu and receive the flag.
Flag: flag{b67779a5cfca7f1dd120a075a633afe9}
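The rotation used above, as an added example that is not part of the original write-up: it recovers the shift by comparing the hint with the challenge title, then applies that shift to the candidate paths the write-up names. The function names are assumptions chosen for illustration.

```python
import string
from typing import Dict, Iterable, Optional


def rot(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift`, preserving case.

    Non-letters ('/', '.', digits, spaces) pass through unchanged, which is
    why '/flag.txt' keeps its slash and dot after rotation.
    """
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def find_shift(ciphertext: str, known_plaintext: str) -> Optional[int]:
    """Return the shift that maps known_plaintext to ciphertext, else None."""
    for shift in range(26):
        if rot(known_plaintext, shift) == ciphertext:
            return shift
    return None


def rotated_candidates(paths: Iterable[str], shift: int) -> Dict[str, str]:
    """Map each plaintext path to its rotated form."""
    return {p: rot(p, shift) for p in paths}


# Values taken from the write-up: the hint, the challenge title, and the
# endpoint guesses it mentions.
HINT = "Nz Gjstu DUG"
TITLE = "My First CTF"
CANDIDATES = ["/admin", "/flag", "/flag.txt"]

if __name__ == "__main__":
    shift = find_shift(HINT, TITLE)
    print(f"shift = {shift}")
    for plain, rotated in rotated_candidates(CANDIDATES, shift).items():
        print(f"{plain:10} -> {rotated}")
```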