CyberChef - Hoperation Save McSkidy
This guide contains the answer and steps necessary to get to them for the CyberChef - Hoperation Save McSkidy room.
Table of contents
- First Lock - Outer Gate
- Second Lock - Outer Wall
- Third Lock - Guard House
- Fourth Lock - Inner Castle
- Fifth Lock - Prison Tower
First Lock - Outer Gate
-
What is the password for the first lock?
First thing to note is the guard name. This is displayed in the chat “Cottontail”. This name encoded to base64 will be our username.
Now looking at the network traffic after opening the developer tools and refreshing the page we can see a question. If we encode this to base64 as well and put it in the chat, we are given the password which is base64 encoded.
Decoding this message gives us another partially encoded message with the password.
Click for answer
Iamsofluffy
Second Lock - Outer Wall
-
What is the password for the second lock?
Now we can login at the first lock with:
Username:
Q290dG9uVGFpbA==Password:Iamsofluffy
For the second lock, we see the guards name in the chat: 'CarrotHelm' which encoded to base64 is 'Q2Fycm90SGVsbQ=='.
Now look in the network tab to find the magic question.
Base64 encode this and send it in the chat. We will receive an encoded reply.
Looking at the level login logic, we can see that the password is twice encoded to bas64.
Decoding it twice from base64 in CyberChef will give us our second password.
Click for answer
Itoldyoutochangeit!
Third Lock - Guard House
-
What is the password for the third lock?
Now we can login at the second lock with:
Username:
Q2Fycm90SGVsbQ==Password:Itoldyoutochangeit!
For the third lock, we see the guards name in the chat: 'LongEars' which encoded to base64 is 'TG9uZ0VhcnM='.
This time there is no magic question and we have to ask the guard for the password. We can use 'Password please' encoded to Base64.
From the level login logic, we can now see that the password is XOR encoded first and then encoded to base64. We need to reverse this to get the plaintext password.
We can also see the used key, which is 'cyberchef'.
In Cyber using the from base64 recipe together with the key and a chained XOR recipe should give us the password.
Click for answer
BugsBunny
Fourth Lock - Inner Castle
-
What is the password for the fourth lock?
Now we can login at the third lock with:
Username:
TG9uZ0VhcnM=Password:BugsBunny
For the fourth lock, we see the guards name in the chat: 'Lenny' which encoded to base64 is 'TGVubnk='.
Again, we ask the guard for the password encoded to Base64. Decoding its reply, doesn't realy look like Base64. The level login logic tells us why.
It seems to be hashed using md5. This cannot be reversed using CyberChef. But if it is a common word, it can be looked up using a tool such as 'Crackstation'.
Click for answer
passw0rd1
Fifth Lock - Prison Tower
-
What is the password for the fifth lock?
Now we can login at the fourth lock with:
Username:
TGVubnk=Password:passw0rd1
For the fifth lock, we see the guards name in the chat: 'Carl' which encoded to base64 is 'Q2FybA=='.
Again, we ask the guard for the password encoded to Base64. Decoding its reply, doesn't realy look like only Base64 either. The level login logic reveals us what has been done.
This time there are multiple options depending on the 'recipeID' variabel. In the network tab, we can see what this value is: "R3".
This means we should look at the option where:
case "R3".We see it is first encoded using XOR with key 'cyberchef'. Then it is encoded to Base64 and finally encoded using a ROT13 cypher. We need to reverse these steps using CyberChef.
Click for answer
51rBr34chBl0ck3r -
What is the retrieved flag?
Now we can login at the fifth lock with:
Username:
Q2FybA==Password:51rBr34chBl0ck3r
After breaching all these gates, we are given our flag.
Click for answer
THM{M3D13V4L_D3C0D3R_4D3P7}