Huntress CTF 2025 — OFA Write-up

Two factors? In this economy??!!

I just logged in using the credentials admin:admin, and then the website prompted me to input a 6-digit one time passcode.

After looking around, I noticed there was a cookie called session assigned to me.

The format looked a lot like JSON WEB TOKENS, so I pasted it into jwt.io, and I found the OTP.

After pasting the OTP in the prompt, I got the flag.