Skip to main content

Command Palette

Search for a command to run...

How I Cracked Paasa's Secret Hiring Challenge

Updated
3 min readView as Markdown
How I Cracked Paasa's Secret Hiring Challenge
S
I hate slow systems.

I was scrolling the internet doing absolutely nothing productive (classic) when someone dropped a link: challenge.paisa.com. The page said:

"We're hiring developers. Find the three words hidden in the code to apply."

An input field. A placeholder: [xxxxx]-[xx]-[xxxx]. No other instructions.

Okay. Say less.


Step 1: The HTML Comment (Word 1: world)

First move: F12 Inspect Element. Always view source first, that's just developer law.

The HTML was clean. Almost suspiciously clean. But right at the top, sandwiched between two normal-looking comments, was this:

<!-- build:a9c3e7f2d8b1 -->
<!-- 1:776f726c64 -->
<!-- deployed:2026-06-10T04:22:18Z -->

The build: and deployed: comments make total sense. But 1:776f726c64? That's giving treasure map energy.

776f726c64 is a hex string. Decoded: Hex To ASCII

77→w  6f→o  72→r  6c→l  64→d

"world", 5 letters. Exactly matches [xxxxx]. And the 1: prefix told me this was clue number one, with more coming.



Step 2: The Config File (Word 2: is)

The JS file (p.js) had a fire-and-forget fetch that looked… unnecessary:

fetch('./static/config.json').catch(function(){});

It fetches the config but does absolutely nothing with the result. No callback. No usage. Just vibes. That's sus.

I opened config.json and found this:

"meta": {
    "sha": "a9c3e7f2d8b1",
    "seq": 2,
    "seed": "aXM=",
    ...
}

"seq": 2 tells you it's clue #2. And "seed": "aXM=" is Base64:

aXM= → 0x69 0x73 → 'i' 's'

"is", 2 letters. Matches [xx]. Respectfully, hiding a 2-letter word in a Base64-encoded JSON field called seed is kind of diabolical (I respect it).


Step 3: The Console Log (Word 3: ours)

Back in p.js, the _boot() function logs a bunch of fake system startup messages. Very aesthetic. All styled the same grey:

var s = 'color:#bbb; font-size:11px;'; // light grey, every log uses this
var h = 'color:#555; font-size:11px;'; // darker, used exactly once

16 console logs. 15 use s. One uses h:

console.log('%c[paasa] ours', h);

Not s. Not a technical message. Just "ours". Styled differently so it stands out in the console if you're paying attention (I almost wasn't).

"ours", 4 letters. Matches [xxxx]. Clue #3, hiding in plain sight.


The Passphrase

Three encoding methods. Three files. Three words.

# File Method Word
1 index.html Hex in HTML comment world
2 config.json Base64 in seed field is
3 p.js CSS styling anomaly in console.log ours
world-is-ours

Typed it in. Hit enter. It worked.


Is this the hardest CTF I've ever done? No. Was it genuinely clever and fun? Yeah actually. The three layers (hex, Base64, and a visual diff) each required a slightly different way of looking at the code. Not brute force. Just attention.

Which is probably exactly what they're hiring for.