How I Cracked Paasa's Secret Hiring Challenge

I was scrolling the internet doing absolutely nothing productive (classic) when someone dropped a link: challenge.paisa.com. The page said:
"We're hiring developers. Find the three words hidden in the code to apply."
An input field. A placeholder: [xxxxx]-[xx]-[xxxx]. No other instructions.
Okay. Say less.
Step 1: The HTML Comment (Word 1: world)
First move: F12 Inspect Element. Always view source first, that's just developer law.
The HTML was clean. Almost suspiciously clean. But right at the top, sandwiched between two normal-looking comments, was this:
<!-- build:a9c3e7f2d8b1 -->
<!-- 1:776f726c64 -->
<!-- deployed:2026-06-10T04:22:18Z -->
The build: and deployed: comments make total sense. But 1:776f726c64? That's giving treasure map energy.
776f726c64 is a hex string. Decoded: Hex To ASCII
77→w 6f→o 72→r 6c→l 64→d
"world", 5 letters. Exactly matches [xxxxx]. And the 1: prefix told me this was clue number one, with more coming.
Step 2: The Config File (Word 2: is)
The JS file (p.js) had a fire-and-forget fetch that looked… unnecessary:
fetch('./static/config.json').catch(function(){});
It fetches the config but does absolutely nothing with the result. No callback. No usage. Just vibes. That's sus.
I opened config.json and found this:
"meta": {
"sha": "a9c3e7f2d8b1",
"seq": 2,
"seed": "aXM=",
...
}
"seq": 2 tells you it's clue #2. And "seed": "aXM=" is Base64:
aXM= → 0x69 0x73 → 'i' 's'
"is", 2 letters. Matches [xx]. Respectfully, hiding a 2-letter word in a Base64-encoded JSON field called seed is kind of diabolical (I respect it).
Step 3: The Console Log (Word 3: ours)
Back in p.js, the _boot() function logs a bunch of fake system startup messages. Very aesthetic. All styled the same grey:
var s = 'color:#bbb; font-size:11px;'; // light grey, every log uses this
var h = 'color:#555; font-size:11px;'; // darker, used exactly once
16 console logs. 15 use s. One uses h:
console.log('%c[paasa] ours', h);
Not s. Not a technical message. Just "ours". Styled differently so it stands out in the console if you're paying attention (I almost wasn't).
"ours", 4 letters. Matches [xxxx]. Clue #3, hiding in plain sight.
The Passphrase
Three encoding methods. Three files. Three words.
| # | File | Method | Word |
|---|---|---|---|
| 1 | index.html |
Hex in HTML comment | world |
| 2 | config.json |
Base64 in seed field |
is |
| 3 | p.js |
CSS styling anomaly in console.log | ours |
world-is-ours
Typed it in. Hit enter. It worked.
Is this the hardest CTF I've ever done? No. Was it genuinely clever and fun? Yeah actually. The three layers (hex, Base64, and a visual diff) each required a slightly different way of looking at the code. Not brute force. Just attention.
Which is probably exactly what they're hiring for.



