Access the room: https://tryhackme.com/room/encoding-decoding-aoc2025-s1a4z7x0c3
.png)
McSkidy is imprisoned in King Malhare’s Quantum Warren. Sir BreachBlocker III was put in charge of securing the fortress and implemented several access controls to prevent any escape. His defenses are worthy of his name.
However, McSkidy managed to send vital clues to his team using harmless bunny pictures. One message revealed that five locks needed to be disabled to secure an escape route. The locks can be broken by examining their logic and leveraging the system’s built-in chat for the guards. They can be eluded in revealing vital details or even passwords. However, you will need to speak their language.
Learning Objectives
- Introduction to encoding/decoding
- Learn how to use CyberChef
- Identify useful information in web applications through HTTP headers
What is CyberChef?
CyberChef is a powerful, browser-based tool developed by GCHQ for data manipulation, widely used in digital forensics, incident response, and CTF challenges. It provides an intuitive interface for encoding, decoding, encrypting, decrypting, compressing, analyzing, and converting data in various formats. CyberChef’s strength lies in its extensive library of operations, making it the “Swiss Army Knife” for handling complex encoding and decoding tasks efficiently.
What is Encoding and Decoding?
Encoding is the process of transforming data into a specific format for safe transmission or storage, such as Base64, Hex, or ASCII. Decoding reverses this process, restoring the data to its original form. Common use cases include:
- Obfuscating data in malware or CTFs.
- Converting binary files for transmission via text-only protocols.
- Reversing encoded strings to reveal hidden information.
Common Encoding Types
CyberChef supports dozens of encoding schemes. Some of the most common include:
- Base64: Converts binary data to ASCII using a 64-character set. Widely used in email and web protocols.
- Hex (Base16): Represents binary data as hexadecimal digits. Common in memory dumps and forensic analysis.
- ASCII: Encodes text as bytes using the ASCII standard.
- URL Encoding: Escapes special characters in URLs.
- ROT13/Caesar Cipher: Simple substitution ciphers for basic obfuscation.
How CyberChef Works
- Operations Panel: A list of available encoding, decoding, encryption, and analysis functions. Drag-and-drop operations into your recipe.
- Magic Operation: Automatically detects encoding types using pattern matching, entropy analysis, and byte frequency comparison. It can recursively unwrap multiple layers of encoding, making it ideal for unknown or obfuscated data.
- Chain Operations: Combine multiple operations in sequence (e.g., Base64 decode → Hex decode → ROT13 decode) to reverse complex encoding chains.
- Output Pane: Displays the result after each operation. The Magic icon suggests possible decoding steps if automatic detection is enabled.
Typical CyberChef Workflow
- Paste encoded data into the Input pane.
- Use the Magic operation or manually select likely encoding/decoding operations.
- Review the Output pane for decoded text or further encoded segments.
- If necessary, chain additional operations to fully decode the data.
- Analyze the decoded output for flags, secrets, or forensic artifacts.
Use Cases
- CTF Challenges: Decoding flags from obfuscated strings.
- Malware Analysis: Unpacking and analyzing encoded payloads.
- Forensic Investigations: Extracting information from encoded logs, configuration files, or network captures.
CyberChef’s flexibility, combined with its vast library of operations, makes it an essential tool for anyone working with encoded data, from beginners to advanced analysts.
Step by Step Walkthrough
Initial Setup
Start the target machine and the AttackBox as instructed to access the lab environment. Give it a few minutes to boot up, and then, from the AttackBox, you can access the web app at http://MACHINE_IP:8080.
Here in this walkthrough, we have to break all of the five locks — Outer Gate, Outer Wall, Guard House, Inner Castle, Prison Tower.
Key Information
McSkidy revealed some vital clues in his message. You will have to leverage any useful piece of information in order to break the locks.
Below are key points to look out for:
- Chat is Base64 encoded. Try decoding this in CyberChef. This will be leveraged to extract useful information from the guards. Be aware that from Lock 3 onwards, the guards will take a longer time to respond.
- Guard name. This logic will persist throughout the levels. Make sure to note down the guard’s name for each level.
- Headers. Again, inspecting the page but switching to the ‘Network’ tab this time. Make sure to refresh the page once after switching to this tab and select the first response.
- Login Logic. You will inspect the page and switch to the ‘Debugger’ tab. Match the lock with the respective logic. You can also find helpful comments that explain what you need to cook in CyberChef.
Breaking the First Lock — Outer Gate
First, identify the guard's name and encode it to Base64. we will use this as the username input.
Guard Name: CottonTail
Base64 Encode: Q290dG9uVGFpbA==
Now let's search for some information by checking the page headers in inspect mode.
Note: Be sure to refresh the page after opening the Network tab.
Here we’ve found our first magic question, so let’s ask it to the guard, before asking the question, be sure to encode the magic question in base64.
Magic Question: What is the password for this level?
Base64 Encode: V2hhdCBpcyB0aGUgcGFzc3dvcmQgZm9yIHRoaXMgbGV2ZWw/
So now lets ask the question:
The guard has responded something lets decode it:
Guard Response: SGVyZSBpcyB0aGUgcGFzc3dvcmQ6IFNXRnRjMjltYkhWbVpuaz0=
Base64 Decode: Here is the password: SWFtc29mbHVmZnk=
Let's try this password:
It looks like we entered the wrong password, so let’s try decoding the base64 string SWFtc29mbHVmZnk=:
Base64 decode: Iamsofluffy
Now let's try this password:
Hurray, we did it! We broke through the first gate, now let’s move on to the second one.
Breaking the Second Lock — Outer Wall
First, identify the guard’s name and encode it to Base64. we will use this as the username input.
Guard Name: CarrotHelm
Base64 Encode: Q2Fycm90SGVsbQ==
Now let’s search for some information by checking the page headers in inspect mode:
Here we’ve found our second magic question, so let’s ask it to the guard but before asking the question, be sure to encode the magic question in base64.
Magic Question: Did you change the password?
Base64 Encode: RGlkIHlvdSBjaGFuZ2UgdGhlIHBhc3N3b3JkPw==
So now let's ask the question:
The guard has responded something lets decode it:
Guard Response: SGVyZSBpcyB0aGUgcGFzc3dvcmQ6IFUxaFNkbUpIVWpWaU0xWXdZakpPYjFsWE5XNWFWMnd3U1ZFOVBRPT0=
Base64 Decode: Here is the password: U1hSdmJHUjViM1YwYjJOb1lXNW5aV2wwSVE9PQ==
Let's Decode the b64 string again:
String: U1hSdmJHUjViM1YwYjJOb1lXNW5aV2wwSVE9PQ==
B64 Encode: SXRvbGR5b3V0b2NoYW5nZWl0IQ==
Let’s Decode the b64 string again: SXRvbGR5b3V0b2NoYW5nZWl0IQ==
B64 Encode: Itoldyoutochangeit!
Now let's try this password:
Hurray, we did it again! We broke through the second lock, now let’s move on to the third one.
Breaking Third Lock — Guard House
Let's identify the guard’s name and encode it to Base64. we will use this as the username input.
Guard Name: LongEars
Base64 Encode: TG9uZ0VhcnM=
Now let’s search for some information by checking the page headers in inspect mode:
But now here we don't have any questions, now let's look at the app.js file from the sources (debugger):
It seems like we have to decode a Base64 string to XOR using the given recipe key given at header: cyberchef
So now let's ask the guard for the password:
Our question: Password Please?
Base 64 Encode: UGFzc3dvcmQgUGxlYXNlPw==
So now let’s ask the question:
The guard has responded something lets decode it:
Guard Response: SGVyZSBpcyB0aGUgcGFzc3dvcmQ6IElRd0ZGakFXQmdzZg==
Base64 Decode: Here is the password: IQwFFjAWBgsf
Let’s Decode the password string into XOR using the recipe key:
String: IQwFFjAWBgsf
Recipe Key: cyberchef
Encoded String: BugsBunny
Let’s give this a try for our password:
Hurray, we did it again! We broke through the third lock, now let’s move on to the fourth one.
Breaking Fourth Lock — Inner Castle
Let’s identify the guard’s name and encode it to Base64. we will use this as the username input.
Guard Name: Lenny
Base64 Encode: TGVubnk=
Now let’s search for some information by checking the page headers in inspect mode:
But now here we don’t have anything useful, now let’s look at the app.js file from the sources (debugger):
Looks like we’ll need to use MD5 hash decoding to figure out our password.
So now let’s ask the guard for the password:
Our question: Password Please?
Base 64 Encode: UGFzc3dvcmQgUGxlYXNlPw==
So now let’s ask the question:
The guard has responded something lets decode it:
Guard Response: SGVyZSBpcyB0aGUgcGFzc3dvcmQ6IGI0YzBiZTdkN2U5N2FiNzRjMTMwOTFiNzY4MjVjZjM5
Base64 Decode: Here is the password: b4c0be7d7e97ab74c13091b76825cf39
Let’s Decode the password string using MD5 Hash using crackstation:
String: b4c0be7d7e97ab74c13091b76825cf39
MD5 Decode: passw0rd1
Let’s give this a try for our password:
Hurray, we did it! We broke through the fourth lock, now let’s move on to the last one.
Breaking Fifth Lock — Prison Tower
As usual let’s identify the guard’s name and encode it to Base64. we will use this as the username input.
Guard Name: Carl
Base64 Encode: Q2FybA==
Now let’s search for some information by checking the page headers in inspect mode:
Here we found a X-Recipe ID: R2 and X-Recipe-Key: cyberchef, now let’s look at the app.js file from the sources (debugger):
It looks like we have multiple cases to decode the password, and for us, the case is R2.
So now let’s ask the guard for the password:
Our question: Password Please?
Base 64 Encode: UGFzc3dvcmQgUGxlYXNlPw==
So now let’s ask the question:
The guard has responded something lets decode it:
Guard Response: SGVyZSBpcyB0aGUgcGFzc3dvcmQ6IE56SXpNelppTmpNek1EWmpOREkyT0RZek16UXpNemN5TkRJM01qTXhNelU9
Base64 Decode: Here is the password: NzIzMzZiNjMzMDZjNDI2ODYzMzQzMzcyNDI3MjMxMzU=
Let’s Decode the password string using:
From Base64 => From Hex => Reverse
String: NzIzMzZiNjMzMDZjNDI2ODYzMzQzMzcyNDI3MjMxMzU=
Encoded String: 51rBr34chBl0ck3r
Let’s give this a try for our password:
We did it! We managed to break all five locks!
Here is our Flag!
THM{M3D13V4L_D3C0D3R_4D3P7}
Answers of the THM Lab
What is the password for the first lock?
Iamsofluffy.
— — — — — — — — — — — — — — — — — —
What is the password for the second lock?
Itoldyoutochangeit!.
— — — — — — — — — — — — — — — — —
What is the password for the third lock?
BugsBunny.
— — — — — — — — — — — — — — — — — —
What is the password for the fourth lock?
passw0rd1.
— — — — — — — — — — — — — — — — — —
What is the password for the fifth lock?
51rBr34chBl0ck3r.
— — — — — — — — — — — — — — — — — — —
What is the retrieved flag?
THM{M3D13V4L_D3C0D3R_4D3P7}