Room Creator: Falilurahman
Category: OSINT / Steganography / Web
Difficulty: Easy
Author: yk
"She was never hidden. Only overlooked."
Alright let me tell you about this room — because it wasn't just a CTF, it felt like actually following a trail. Every step connected to the next one and by the end I was genuinely having fun. This is one of those rooms where the challenge design is just clean. Let me walk you through exactly how my brain worked through it.
What We're Given
So the room hands you a Base64 encoded string right at the start:
aHR0cHM6Ly9naXRodWIuY29tL0ZhbGlsdXJhaG1hbi9GaW5kLW15LWdpcmxmcmllbmQt
And honestly? The moment I see a random string like that, my brain immediately goes — that's Base64. The character set, the length, the padding — it just has that signature look. No second-guessing needed here. Let's decode it.
Step 1 — First Decode: The Starting String
echo "aHR0cHM6Ly9naXRodWIuY29tL0ZhbGlsdXJhaG1hbi9GaW5kLW15LWdpcmxmcmllbmQt" | base64 -d
Output:
https://github.com/Falilurahman/Find-my-girlfriend-
A GitHub link. Okay so we're doing OSINT. Got it. Let's head over there and see what's waiting.

Step 2 — The GitHub Repo
I land on the GitHub repo and start poking around. And sitting right there in the repo — another Base64 encoded string, but this time it's way longer. Way longer. The kind of length that tells you this isn't just text.

My brain: "This is image data. Has to be."
When Base64 encoded data is that long, it's almost always a binary file — image, audio, something like that. So I saved the encoded string to a file called imagedata.txt and decoded it:
base64 -d imagedata.txt > image.jpg
And yep — out comes an image of a girl. Same face as the room's cover icon actually.
Step 3 — Steganography (Yeah, Obviously)
Okay so here's where my brain kicked into gear immediately. It's an image. It's a CTF. In CTFs, images almost always have something hidden inside them — that's just how it goes. Steganography. No doubt in my mind.
My first move was steghide — the go-to tool for this:
steghide extract -sf image.jpg
And then… it asks for a passphrase.
Hmm.
Okay, that's fine. Let me go find it. I went back to the GitHub repo — nothing. Checked the room description again, read every word — nothing obvious. Pulled the image metadata with exiftool looking for any hint hiding there — still nothing.
At this point I'm sitting there thinking "am I missing something? Did I skip a step somewhere?" I went through everything again. Room details, GitHub, the image itself. I genuinely couldn't find a passphrase anywhere.
So I thought — okay, let me try brute forcing the passphrase. That was my next move. But before I went full stegseek on it, something told me to just try one of those online steghide extractor tools first. Sometimes these rooms are set up with an empty passphrase or a very simple one.
Tried it on the website — no passphrase entered — and it just… worked.

The hidden data extracted right out. No passphrase needed at all. And what came out was binary text.
Step 4 — Binary to Text
A wall of 0s and 1s. Classic. Threw it into a binary-to-text decoder and got:
https://reddit.com/user/find_mygirlfriend
A Reddit username.

Step 5 — Following the Reddit Lead
Went straight to Reddit, found the user find_mygirlfriend. Scrolled through the profile — no posts, no comments. A completely silent account. But there was something useful: a portfolio website linked in the profile.
https://findmygirlfriend.xo.je/
Interesting. Time to dig in.
Step 6 — Reading the Hints, Checking robots.txt… and humans.txt
Now one of the hints in the room said: "She hides where bots are not allowed."
My first thought — robots.txt. That's the standard place bots are told to stay out of. So I checked:
https://findmygirlfriend.xo.je/robots.txt
It existed, but there wasn't anything special hiding there, just the text "She hides where bots are not allowed."
I sat with it for a second. "She hides where bots are not allowed" — okay but robots.txt was basically empty. So where else do bots not go?
And then it clicked — humans.txt.
It's a lesser-known file, kind of the flip side of robots.txt. While robots.txt talks to bots, humans.txt is meant for humans — it's a file some devs include with info about who built the site. Bots don't care about it. Humans do. That fits the hint perfectly.
https://findmygirlfriend.xo.je/humans.txt
I started reading through it. And I'm going through it once, twice — and then this line catches my eye:
"She was never hidden. Only overlooked." "#Some characters are quieter than others."
That second line stopped me. "Some characters are quieter than others."
I stared at it. What does that even mean? Quieter characters? Then it hit me: a steganography technique where invisible characters, such as zero-width spaces, zero-width joiners and zero-width non-joiners, are embedded inside normal text. You can't see them. They make no visual difference. But they're there, carrying hidden data.
The clue was telling me exactly what was going on. I just had to catch it.
Step 7 — Zero-Width Character Steganography
I did a quick search just to confirm what I was thinking and yeah — this was definitely it. Zero-width character steganography. Hidden data sitting invisibly inside regular-looking text.

I copied the suspicious text from humans.txt and pasted it into an online zero-width character extractor tool.
And out came hidden text — including the flag. 🎉

But there was also something else extracted alongside the flag — a hint:
#Some secrets travel with every request
Interesting. We're not done yet.
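The extraction in Step 7 can be reproduced offline instead of pasting text into a website. The script below is an added example, not code from the room or from the extractor used here; the bit mapping (U+200B = 0, U+200C = 1, eight bits per byte) is an assumption, since online tools differ in their encoding, and the hidden payload in the sample is constructed.

```python
"""Find and decode zero-width characters hidden in text (added example)."""

# Invisible code points commonly used as carriers.
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}

# Assumed mapping (not taken from the room): ZWSP = 0 bit, ZWNJ = 1 bit.
BIT_FOR = {"\u200b": "0", "\u200c": "1"}


def find_zero_width(text):
    """Return (offset, code point name) for every invisible character."""
    return [(i, ZERO_WIDTH[c]) for i, c in enumerate(text) if c in ZERO_WIDTH]


def extract_hidden(text):
    """Decode the hidden payload under the assumed 8-bits-per-byte scheme."""
    bits = "".join(BIT_FOR[c] for c in text if c in BIT_FOR)
    usable = len(bits) - len(bits) % 8  # drop an incomplete trailing byte
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return data.decode("utf-8", errors="replace")


def embed(cover, secret):
    """Build a constructed sample: hide `secret` after the first cover word."""
    bits = "".join(f"{b:08b}" for b in secret.encode("utf-8"))
    payload = "".join("\u200c" if b == "1" else "\u200b" for b in bits)
    head, sep, tail = cover.partition(" ")
    return head + payload + sep + tail


def visible(text):
    """Strip the carriers, leaving what a reader actually sees."""
    return "".join(c for c in text if c not in ZERO_WIDTH)


# Constructed sample: the cover line is quoted from humans.txt, the payload is made up.
COVER = "#Some characters are quieter than others."
SAMPLE = embed(COVER, "FLAG{constructed}")

if __name__ == "__main__":
    print(len(COVER), len(SAMPLE), len(find_zero_width(SAMPLE)))
    print(extract_hidden(SAMPLE))
```

Comparing `len(text)` with `len(visible(text))` is the quickest tell that a file carries invisible characters, whatever encoding the payload uses.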
Step 8 — HTTP Headers and the Final Flag
The room hint also said: "Try interacting with the site through the browser console using the key you discovered."
Key? What key? I looked at everything I had. The zero-width extraction gave me that line — "Some secrets travel with every request." Secrets that travel with every request — that's HTTP headers. Every time your browser loads a page, it sends and receives headers. That's where secrets would travel.
I opened DevTools → Network tab, refreshed the page, and started inspecting the request/response headers.
And there they were — two custom headers that had no business being there:
x-conversation-key: c2FyYQ==
x-whisper: U29tZXRpbWVzIHRoZSBhbnN3ZXIgd2FpdHMgd2hlcmUgZXJyb3JzIGFwcGVhci4=
That = at the end of both (== on the first)? That's Base64 padding. Instantly recognizable at this point in the challenge.
Decoded them both:
c2FyYQ==
→ sara
U29tZXRpbWVzIHRoZSBhbnN3ZXIgd2FpdHMgd2hlcmUgZXJyb3JzIGFwcGVhci4=
→ Sometimes the answer waits where errors appear.
"The answer waits where errors appear." Errors appear in the browser console. And the key is sara.
So I opened the console, typed in sara, hit enter —
🚩 Final flag. Done.
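The header inspection in Step 8 can be scripted so that encoded values in custom headers stand out without reading DevTools by eye. This is an added example, not part of the room; the two x-* values are the ones quoted above, while the other headers and the short allow-list of common header names are constructed assumptions.

```python
"""Flag custom response headers whose values are Base64-encoded text (added example)."""
import base64
import binascii

# Headers a typical response carries; anything else is worth a look.
# This allow-list is a small illustrative assumption, not a complete registry.
COMMON = {"date", "server", "content-type", "content-length", "cache-control",
          "etag", "last-modified", "connection", "vary", "content-encoding"}


def decode_if_base64(value):
    """Return decoded text if `value` is strict Base64 of printable UTF-8, else None."""
    if len(value) < 4 or len(value) % 4:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def audit_headers(headers):
    """Return {name: decoded} for uncommon headers carrying Base64 text."""
    findings = {}
    for name, value in headers.items():
        if name.lower() in COMMON:
            continue
        decoded = decode_if_base64(value.strip())
        if decoded is not None:
            findings[name.lower()] = decoded
    return findings


# Constructed response: the two x-* values are the ones quoted above,
# the remaining headers are made up for contrast.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "nginx",
    "X-Request-Id": "7f3a",  # Base64 alphabet, but decodes to non-text bytes
    "x-conversation-key": "c2FyYQ==",
    "x-whisper": "U29tZXRpbWVzIHRoZSBhbnN3ZXIgd2FpdHMgd2hlcmUgZXJyb3JzIGFwcGVhci4=",
}

if __name__ == "__main__":
    for name, text in audit_headers(SAMPLE_HEADERS).items():
        print(f"{name}: {text}")
```

The same check is useful on your own sites: Base64 is an encoding, not protection, so anything placed in a response header this way is readable by every client.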

Final Thoughts
What I love about this room is that it never felt like a random collection of puzzles. Every step had a reason. The clues were actually clues — not just "run this tool and get the answer." The zero-width character thing especially — that line "Some characters are quieter than others" was sitting right there in the file and it's exactly the kind of thing you'd read past without catching if you're not paying attention.
The part where I was stuck on the steghide passphrase was real — I genuinely went back through everything trying to figure out if I'd missed something. Turns out the passphrase just wasn't needed, but that uncertainty, that second-guessing yourself? That's part of the process. You learn to trust your instincts and keep pushing.
Massive respect to Falilurahman for building this. The room tells a story and makes you earn every step. That's exactly what a good CTF should feel like. 🔥
If you took a different path or found something I missed, I'd genuinely love to know — drop it in the comments.
— yk