WHY CTF 2025: CTF Time
TL;DR
- Page is locked behind multiple client-side gates and looping popups.
- All restrictions are enforced via obfuscated JavaScript (paywall.min.js).
- Static analysis shows flag fragments embedded in the script.
- Using browser devtools and breakpoints reveals the decoded flag at runtime.
Description
Besides creating a CTF, we also created a newspaper website. Well we have one article at least. We made sure we followed all the latest trends and laws.
Recon
When we arrive to the site we have to agree to some cookies.
Then we need to enter our date of birth.
Then enter our email.
We'll arrive at the page, but very quickly all the annoying popups will return. It is a troll challenge!!
There's also an interesting chat button in the bottom right.
Solution
There's probably a lot of ways to disable the popups, which seem to be coming from the paywall.min.js file.
It's heavily obfuscated but we could try to reverse engineer it or step through with the debugger.
I hoped to skip the trouble by simply dropping requests for the file. You can do this manually, or setup a match and replace rule in burp suite. I opted to replace all instances of paywall.min.js with meow.
Remember to reload the page while clearing the cache (ctrl + f5). We no longer get most of the annoying popups, but date of birth is still there and is no longer functional. Dead end, so we can remove the rule.
Debugging
Time for a simpler approach, I use ctrl + F on the minified JS file.
It looks like our flag is split up across those lines with some obfuscation. We can search for line4 and setup a breakpoint.
When the debugger pauses, we switch to the console and print out the line variables.
line3 holds the flag!
Flag: flag{2d582cd42552e765d2658a14a0a25755}