This is from the Shadow CTF.
I’m provided with a JAR file (super_secret_login.jar) and this challenge text:
All of our secrets are hidden behind a secure Java application. What could go wrong?
I open the JAR file with Java Decompiler (http://java-decompiler.github.io/)
Poking around I see that there is a shift by 13 characters (ROT13) for a decoded base64 string.
I see this value for PASSWORD: ZmJzZ19zeWhzc2xfeHZnZ3JhZg==
I base64 decode this and get this: fbsg_syhssl_xvggraf
I then treat it as a ROT13 cipher and decode it to get this: soft_fluffy_kittens
I see that the expected username is admin
I then run the jar file with java and provide admin:soft_fluffy_kittens for credentials
java -jar super_secret_login.jar
And I get the flag.