# How I Cracked Paasa's Secret Hiring Challenge

I was scrolling the internet doing absolutely nothing productive (classic) when someone dropped a link: [challenge.paisa.com](https://challenge.paasa.com). The page said:

> *"We're hiring developers. Find the three words hidden in the code to apply."*

An input field. A placeholder: `[xxxxx]-[xx]-[xxxx]`. No other instructions.

Okay. Say less.

![](https://cdn.hashnode.com/uploads/covers/67093bfb638dddf76481cbb9/17df99dd-4fe4-44d1-a017-e265092c3d4b.png align="center")

* * *

## Step 1: The HTML Comment (Word 1: `world`)

First move: `F12` Inspect Element. Always view source first, that's just developer law.

The HTML was clean. Almost suspiciously clean. But right at the top, sandwiched between two normal-looking comments, was this:

```html
<!-- build:a9c3e7f2d8b1 -->
<!-- 1:776f726c64 -->
<!-- deployed:2026-06-10T04:22:18Z -->
```

The `build:` and `deployed:` comments make total sense. But `1:776f726c64`? That's giving treasure map energy.

`776f726c64` is a hex string. Decoded: [Hex To ASCII](https://www.rapidtables.com/convert/number/hex-to-ascii.html)

```plaintext
77→w  6f→o  72→r  6c→l  64→d
```

**"world"**, 5 letters. Exactly matches `[xxxxx]`. And the `1:` prefix told me this was clue number one, with more coming.

* * *

![](https://cdn.hashnode.com/uploads/covers/67093bfb638dddf76481cbb9/87240ef5-0b02-4577-b467-01b3c92a2df3.png align="center")

* * *

## Step 2: The Config File (Word 2: `is`)

The JS file (`p.js`) had a fire-and-forget fetch that looked… unnecessary:

```js
fetch('./static/config.json').catch(function(){});
```

It fetches the config but does absolutely nothing with the result. No callback. No usage. Just vibes. That's sus.

I opened `config.json` and found this:

```json
"meta": {
    "sha": "a9c3e7f2d8b1",
    "seq": 2,
    "seed": "aXM=",
    ...
}
```

`"seq": 2` tells you it's clue #2. And `"seed": "aXM="` is Base64:

```plaintext
aXM= → 0x69 0x73 → 'i' 's'
```

**"is"**, 2 letters. Matches `[xx]`. Respectfully, hiding a 2-letter word in a Base64-encoded JSON field called `seed` is kind of diabolical (I respect it).

* * *

## Step 3: The Console Log (Word 3: `ours`)

Back in `p.js`, the `_boot()` function logs a bunch of fake system startup messages. Very aesthetic. All styled the same grey:

```js
var s = 'color:#bbb; font-size:11px;'; // light grey, every log uses this
var h = 'color:#555; font-size:11px;'; // darker, used exactly once
```

16 console logs. 15 use `s`. One uses `h`:

```js
console.log('%c[paasa] ours', h);
```

Not `s`. Not a technical message. Just **"ours"**. Styled differently so it stands out in the console if you're paying attention (I almost wasn't).

**"ours"**, 4 letters. Matches `[xxxx]`. Clue #3, hiding in plain sight.

![](https://cdn.hashnode.com/uploads/covers/67093bfb638dddf76481cbb9/48704d95-a53b-4853-983e-3c8d043b2514.png align="center")

* * *

## The Passphrase

Three encoding methods. Three files. Three words.

| # | File | Method | Word |
| --- | --- | --- | --- |
| 1 | `index.html` | Hex in HTML comment | `world` |
| 2 | `config.json` | Base64 in `seed` field | `is` |
| 3 | `p.js` | CSS styling anomaly in console.log | `ours` |

```plaintext
world-is-ours
```

Typed it in. Hit enter. It worked.

* * *

Is this the hardest CTF I've ever done? No. Was it genuinely clever and fun? Yeah actually. The three layers (hex, Base64, and a visual diff) each required a slightly different way of looking at the code. Not brute force. Just attention.

Which is probably exactly what they're hiring for.
