Skip to content

Chained ROT Path Enumeration from a Restricted Wordlist – NahamCon CTF 2025: My Third CTF

TL;DR

  • Wordlist-only content discovery with progressively worse ROT trick.
  • Single global ROT (1..13) fails; rotation varies per path segment.
  • Brute force all ROT shifts per word and build a chained multi-level path.
  • Final decoded path reveals the flag endpoint.

Description

This challenge requires some content discovery but only use the wordlist.txt file we've supplied to avoid wasting your time!

Solution

Since this is part 3, we'll probably need to ROT one more time (ROT3) now.

Initial attempt at content discovery using a single ROT iteration showing no valid endpoints

Didn't find anything, this challenge says "incrementally worse" so maybe we need to keep rotating? I tried every ROT up to and including ROT13, no luck.

Thinking about the hint again - maybe it means each word in the wordlist is rotated by a different value?

word1 -> ROT1
word2 -> ROT2
word3 -> ROT3
etc..

Unfortunately, this didn't work either! I didn't solve this one but it turns out you needed to try all iterations of ROT with each word, for each directory, e.g.

/qbhf # ROT1: page
/qbhf/oguucig # ROT2: message
/qbhf/oguucig/wrnhq # ROT3: token
/qbhf/oguucig/wrnhq/lewl # ROT4: hash

Visiting /qbhf/oguucig/wrnhq/lewl would recover the flag!

Flag: flag{afd87cae63c08a57db7770b4e52081d3}