ROT-Based Content Discovery with Wordlist Fuzzing – NahamCon CTF 2025: My Second CTF

TL;DR

  • Challenge restricts discovery to a supplied wordlist.
  • Hint implies extending the ROT concept from the previous challenge.
  • ROT2 applied to the wordlist reveals a hidden endpoint.
  • Further ROT-based fuzzing of GET parameters exposes the flag.

Description

This challenge requires some content discovery but only use the wordlist.txt file we've supplied to avoid wasting your time!

Solution

I guessed this challenge is similar to part 1 (ROT1) but we have a specific wordlist to use.

My Second CTF landing page showing a Rotten-style interface with a hint about content discovery

It says "one more step rotten", so I think we might need to ROT2 the wordlist. First, I'll just try ROT1. I give the wordlist to ChatGPT and let it do the work for me 😌

ROT1 applied to the supplied wordlist showing no valid endpoints

We get nothing, so let's try ROT2.

ROT2 wordlist revealing the correct hidden endpoint

We find the correct endpoint! However, if we follow the redirection, we are missing a parameter.

Application redirect indicating a required missing GET parameter

We'll repeat the process, this time fuzzing GET params with our rotated wordlist. Note: we need to set Burp Intruder to follow redirections, or they will all show 301.

Burp Intruder fuzzing rotated parameters with redirects enabled to recover the flag

We quickly obtain the flag!

Flag: flag{9078bae810c524673a331aeb58fb0ebc}
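
The wordlist rotation used for both the endpoint and the GET parameter passes can be reproduced offline with a short script. This is an added example, not the tooling used in the write-up (the rotation there was done with ChatGPT); the function names and the sample words are constructed for illustration and are not taken from the challenge's wordlist.txt.

```python
import string

def rot_n(text: str, n: int) -> str:
    """Caesar-shift ASCII letters by n positions, preserving case.

    Digits and punctuation ('-', '_', '.', '/') pass through unchanged,
    which matters for wordlist entries such as 'api-v1'.
    """
    n %= 26
    lower, upper = string.ascii_lowercase, string.ascii_uppercase
    table = str.maketrans(
        lower + upper,
        lower[n:] + lower[:n] + upper[n:] + upper[:n],
    )
    return text.translate(table)

def rotate_wordlist(words, n):
    """Rotate every entry by n, skipping blanks and dropping duplicates
    while keeping the original order (dicts preserve insertion order)."""
    out = {}
    for word in words:
        word = word.strip()
        if word:
            out.setdefault(rot_n(word, n), None)
    return list(out)

def all_rotations(words, shifts=range(1, 26)):
    """Map each shift to its rotated list. Shifts 1..25 cover both
    directions, since ROT(n) is undone by ROT(26 - n)."""
    return {n: rotate_wordlist(words, n) for n in shifts}

# Constructed sample entries, standing in for the supplied wordlist.txt
SAMPLE_WORDLIST = ["admin", "backup", "api-v1", "Login", "", "admin"]

if __name__ == "__main__":
    for shift in (1, 2):  # the two shifts tried in the write-up
        print(f"ROT{shift}:", rotate_wordlist(SAMPLE_WORDLIST, shift))
```

Each rotated list can be saved to a file and loaded as the payload set, once for paths and once for parameter names.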