Statement: My website has been completely secured!!! No matter how good a hacker you are, you will not be able to hack my site!!!

TODO: Put the URL of the website.

I start by fuzzing the site with the ffuf tool:

ffuf -w ~/fuzz-Bo0oM.txt -u

Thanks to the fuzzing, I know that there is a /admin directory.

So I inspect the source code of the /admin/index.html file and I notice a link to the main.js file.

Source code of main.js:

var pages = {
  home: "Welcome to my completely unhackable site. There are no flags here, so don't even bother trying to look for them lol.",
  about: "This site is 100% completely utterly unhackable, and anyone who says anything otherwise is an idiot who knows nothing about cybersecurity.",
  contact: "Do you want to get the flag? If you do, then contact me at"
};

// Look up the text for a fragment and pass it to the callback.
function getContent(fragmentId, callback){
  callback(pages[fragmentId]);
}

// Render the page named by the URL fragment into the #app element.
function loadContent(){
  var contentDiv = document.getElementById("app"),
      fragmentId = location.hash.substr(1);

  getContent(fragmentId, function (content) {
    contentDiv.innerHTML = content;
  });
}

// Path hidden behind three layers of base64, decoded in the browser.
var thing = atob(atob(atob("VERKR2EySlhiSFZNTUVaTVUydFNWRk5yV2t4U1JrNUxWRVZHVkZKcE9YSmpNbmhyWVcxYWRtRlhSbXRqTWxsMVpFaG9NQT09")));

// Fetch the decoded path and store the response as the "secret" page.
fetch(thing).then(function(response) {
  return response.text();
}).then(function(data) {
  pages["secret"] = data;
});

if(!location.hash) {
  location.hash = "#home";
}

window.addEventListener("hashchange", loadContent)

I notice that there is a variable containing a base64-encoded value:

var thing = atob(atob(atob("VERKR2EySlhiSFZNTUVaTVUydFNWRk5yV2t4U1JrNUxWRVZHVkZKcE9YSmpNbmhyWVcxYWRtRlhSbXRqTWxsMVpFaG9NQT09")));

Then I use the following command to decode the multiple base64 encodings:

echo -n "VERKR2EySlhiSFZNTUVaTVUydFNWRk5yV2t4U1JrNUxWRVZHVkZKcE9YSmpNbmhyWVcxYWRtRlhSbXRqTWxsMVpFaG9NQT09" | base64 -d | base64 -d | base64 -d

I get back this value corresponding to a path: /admin/AKJDSJFKDSJLASF/ksldjfoiadsf.txt

Flag: pctf{Th3_W3bsite_w@s_UnL0cK3d}
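
The decoding step above can also be done by reading the nesting depth out of the script itself, which is useful when reviewing a JavaScript bundle for paths it exposes to every visitor. This is an added example for Node.js, not code from the challenge or from the original write-up; the names `findAtobChains`, `decodeLayer` and `SAMPLE_JS` are made up for illustration.

```javascript
// Added example: locate nested atob() chains in client-side JavaScript and
// decode them, e.g. when reviewing a bundle for paths it exposes to visitors.

// One or more "atob(" prefixes followed by a quoted base64 literal.
const ATOB_CHAIN = /((?:atob\s*\(\s*)+)(["'])([A-Za-z0-9+\/=]+)\2/g;

// Decode a single base64 layer (Buffer is a Node.js global).
function decodeLayer(text) {
  return Buffer.from(text, "base64").toString("utf8");
}

// Return one finding per chain: nesting depth, literal, and every layer.
function findAtobChains(source) {
  const findings = [];
  for (const match of source.matchAll(ATOB_CHAIN)) {
    // The number of atob( prefixes tells us how many layers to peel.
    const depth = match[1].match(/atob/g).length;
    const layers = [];
    let value = match[3];
    for (let i = 0; i < depth; i++) {
      value = decodeLayer(value);
      layers.push(value);
    }
    findings.push({ depth, encoded: match[3], layers, decoded: value });
  }
  return findings;
}

// The assignment from main.js as quoted on this page.
const SAMPLE_JS =
  'var thing = atob(atob(atob("VERKR2EySlhiSFZNTUVaTVUydFNWRk5yV2t4U1JrNUxWRVZHVkZKcE9YSmpNbmhyWVcxYWRtRlhSbXRqTWxsMVpFaG9NQT09")));';

// Print each chain with its depth and fully decoded value.
for (const finding of findAtobChains(SAMPLE_JS)) {
  console.log(`depth ${finding.depth}: ${finding.decoded}`);
}
```

Each entry in `layers` holds the output of one decoding pass, so the intermediate base64 strings can be inspected as well as the final path.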