search

🪷Girls in CTF 2025

Writeup for Girls in CTF 2025. This year, my team under the name Hacker Pencen managed to place 12th!

This writeup is all my solves (which is not much but it's all I can do given my condition at the time). Special shoutout to Sarah for being the hard carry fr ✨

hashtag
Category: Web

hashtag
Basic Login

Upon launching an instance, we can see that there is a column to input username. Input any username of your choice (mine is admin) and it will automatically generate the JWT token for you.

Upon successful token generation, there is a button to check/request for admin privileges. Clicking the button revealed that we indeed do not have the admin privileges.

The main goal is to perform JWT cracking by manipulating the token to gain admin privileges. With the help of chatgpt, I created a python script to help me uncover the password that is used to sign the JSON Web Token (JWT).

We found the password used to sign the token, but the role is still a user. I use jwt.io to rebuild the token and sign it used the obtained secret passphrase princess.

Replace the modified token to the column and you’ll obtain the flag.

hashtag
Nyan Nyan PDF Genereator

Upon launching an instance, we are directed to a webpage that generates a PDF upon input. The description hinted at secret so I assumed that the directory is as such.

Download and open the pdf file to get the flag

Flag: GCTF25{n07_a_9o0D_w@y_t0_geN3Ra73_PdF_nY@NN~_1c77db107556}

hashtag
Nyeow Nyeow PDF Generator

Create an instance to access the webpage.

The challenge desc hinted at /nyan-nyan, hence I tried that one. <path /nyan-nyan>

Download and open .pdf to obtain the flag.

Flag: GCTF25{NY4N_ny@n_5hou1d_noT_AI1#w_r3D1r3Ct_WIuu~_b06f05422318}

hashtag
Forensics

hashtag
NHAT 1

First log tells us about History-journal

SourceFile

SourceFileSha1

Reason

C:\Users\zach\AppData\Local\Google\Chrome\User Data\Default\History-journal

DA39A3EE5E6B4B0D3255BFEF95601890AFD80709

Deduped

Reading the history:

Flag: gctf{w4rm!ng_up_with_brow$3r_history}

hashtag
NHAT 2

From the shortcut. we can see the previous flag:

After few checks, there is one URL that stood out: https://github.com/ghostpack/sharpdpapiarrow-up-right

After few checks, there is another URL that stood out: https://github.com/ourokronii-hololive/sharpuparrow-up-right

We got some similar files:

hashtag
Reverse Engineering

hashtag
Invitation to Java

Decompiled the .jar file, the files given are:

  • Main.java — provides the encoded byte array and the key.

  • Validator.java — abstract class implementing a decode() that XORs every byte with the provided key and returns a UTF-8 string.

  • InviteValidator.java — concrete validator that checks whether the user input equals the decoded string.

  • Encoded bytes in Main:

The program uses a simple XOR cipher where each byte in the encoded array is XOR'd with the single-byte key 90. Because XOR is reversible and the key is present in Main, we can recover the original plaintext by XOR'ing each encoded byte with the same key.

Apply the same XOR operation to the byte array and decode as UTF-8.

In this case, I use a short Java snippet to XOR each byte with 90 to reveal the flag:

That's all! Yet another great CTF from the organizer, hope that I get to join the next one with a cleaner bill of health~

Last updated