Writeups

HTH 2020 CTF: Reversing: Super Secret Login (100)

This is from the Hackers Teaching Hackers HTH2020 CTF.

I’m provided with a JAR file (super_secret_login.jar) and this challenge text:
All of our secrets are hidden behind a secure Java application. What could go wrong?

I open the JAR file with Java Decompiler (http://java-decompiler.github.io/)

Poking around I see that there is a shift by 13 characters (ROT13) for a decoded base64 string.

I see this value for PASSWORD: ZmJzZ19zeWhzc2xfeHZnZ3JhZg==
I base64 decode this and get this: fbsg_syhssl_xvggraf
I then treat it as a ROT13 cipher and decode it to get this: soft_fluffy_kittens

I see that the expected username is admin
I then run the jar file with java and provide admin:soft_fluffy_kittens for credentials
java -jar super_secret_login.jar

And I get the flag.