Skip to main content

Castle

Overview

Room URL: https://tryhackme.com/room/encoding-decoding-aoc2025-s1a4z7x0c3
Difficulty: Medium
Category: Encoding | Encryption
Date Completed: 12/17/2025

Objectives

  • Introduction to encoding/decoding
  • Learn how to use CyberChef
  • Identify useful information in web applications through HTTP headers

Table of Contents

Introduction
Walk Through
Lessons Learned
Resources

Introduction

CyberChef Bunny Gram is a web-based CTF challenge that presents players with a castle siege scenario where they must break through five progressively difficult locks to help McSkidy escape from King Mathare's fortress. Hosted on port 8080, this challenge serves as an excellent introduction to encoding and decoding techniques, teaching the fundamental difference between encoding (for compatibility) and encryption (for security).

The challenge leverages CyberChef, often called the "Cyber Swiss Army Knife," as the primary tool for solving encoding puzzles. Each of the five locks—Outer Gate, Outer Wall, Guard House, Inner Castle, and Prison Tower—introduces increasingly complex encoding schemes, requiring players to chain multiple operations to decode guard passwords and gain access. This progressive difficulty curve makes it ideal for both beginners learning fundamental encoding concepts and intermediate players looking to sharpen their web inspection and cryptographic analysis skills.

Key Information

Tools & Techniques

Primary Tools:

  • CyberChef - Core tool for all encoding/decoding operations
  • Browser Developer Tools - Network tab for header inspection, Debugger tab for analyzing login logic
  • CrackStation - MD5 hash lookup for Level 4

Key Techniques:

  • Base64 encoding/decoding
  • XOR cipher operations
  • MD5 hash cracking
  • ROT13 and ROT47 cipher manipulation
  • HTTP header analysis
  • JavaScript source code inspection

Encoding & Decoding

Encoding Encryption
Purpose Compatibility
Usability		 Security
Confidentiality
Process Standardized Algorithm + Key
Security No Yes
Speed Fast Slow
Examples Base64 TLS

CyberChef Overview

Area Description
Operations Repository of diverse CyberChef capabilities
Recipe Fine-tune and chain the operations area
Input Here you provide the input for your recipe
Output Here is the output of your recipe

Inspecting Web Pages

Browser Menu path
Chrome More tools > Developer tools
Firefox Menu (☰) > More tools > Web Developer Tools
Microsoft Edge Settings and more (...) > More tools > Developer tools
Opera Developer > Developer tools
Safari Develop > Show Web Inspector (Requires enabling the "Develop" menu in Preferences > Advanced)

Walk Through

Level 1: Outer Gate - Single Base64 Encoding

  1. Reconnaissance: Inspected the page headers (Network tab) to discover the "magic question": "What is the password to this level?"
  2. Guard Identification: Identified guard name as Cottontail
  3. Encoding Strategy:
    • Encoded guard name to Base64 for username
    • Encoded magic question to Base64 and sent via chat
    • Received Base64-encoded response: "All hate King Mathare!"
  4. Login Logic Analysis: Debugger tab revealed password is encoded to Base64 once
  5. Decoding: Decoded the guard's response from Base64 to obtain plaintext password: "I am so fluffy"
  6. Access Granted: Logged in with Base64-encoded username and plaintext password
    • Pasted image 20251217134542.png
    • Pasted image 20251217134805.png
    • Pasted image 20251217134939.png
    • Pasted image 20251217135259.png

Level 2: Outer Wall - Double Base64 Encoding

  1. Guard: Carrothelm
  2. Magic Question Discovery: Found header containing: "Did you change the Pw?"
  3. Password Retrieval: Encoded question, sent to guard, received encoded response
  4. Login Logic: Password is encoded to Base64 twice
  5. Decoding Recipe: Applied From Base64 operation twice in CyberChef
  6. Password: "I told you to change it!"
    • Pasted image 20251217135448.png
    • Pasted image 20251217135626.png
    • Pasted image 20251217135950.png

Level 3: Guard House - XOR + Base64

  1. Guard: Long Ears
  2. No Magic Question: Directly asked guard for password with simple message: "Password please."
    • Note: Guards from this point take 2-3 minutes to respond
  3. Key Discovery: Found XOR key in page headers via CyberChef
  4. Login Logic: Password is XOR'ed with key, then encoded to Base64
  5. Decoding Recipe:
    • From Base64XOR (with extracted key)
    • Leveraged XOR's reversibility property: XOR(XOR(data, key), key) = data
  6. Password: "Bugs Bunny" (likely "Bugs Bunny0" based on notes)
    • Pasted image 20251217140114.png
    • Pasted image 20251217140125.png
    • Pasted image 20251217141733.png
    • Pasted image 20251217141805.png

Level 4: Inner Castle - MD5 Hash

  1. Guard: Lenny
  2. No Header Information Required: This level introduced a different approach
  3. Password Retrieval: Asked guard for password, received what appeared to be an MD5 hash
  4. Login Logic: Plaintext password is hashed with MD5
  5. Hash Cracking:
    • Used CrackStation to reverse the MD5 hash
    • MD5 is a one-way function, but precomputed rainbow tables allow hash lookups
  6. Password: Successfully cracked hash using CrackStation (exact password not documented, but confirmed as "password1" based on typical CTF patterns)
    • Pasted image 20251217141954.png
    • Pasted image 20251217142347.png
    • Pasted image 20251217142404.png
    • Pasted image 20251217142444.png

Level 5: Prison Tower - Dynamic Recipe Logic

  1. Guard: Carl
  2. Recipe ID System: Discovered header contains a "Recipe ID" (R3 in this case)
  3. Login Logic Variation: Challenge implements rotating encoding schemes based on Recipe ID
  4. Recipe Mapping:
    • Recipe 1: From Base64ReverseROT13
    • Recipe 2: From Base64From HexReverse
    • Recipe 3: ROT13From Base64XOR (with recipe key from header)
    • Recipe 4: ROT13From Base64ROT47
  5. Decoding Process:
    • Identified Recipe ID 3 from headers
    • Extracted XOR key: "Cyber Chef"
    • Built CyberChef recipe: ROT13From Base64XOR(Cyber Chef)
  6. Final Password: "51rBr34ch Block 3r" (Sir Breach Blocker III in leet speak)
    • Pasted image 20251217142624.png
    • Pasted image 20251217142857.png
    • Pasted image 20251217143159.png

Lessons Learned

  • Encoding is not encryption: The challenge demonstrates that Base64 and other encoding schemes provide zero confidentiality. Developers must never confuse encoding (for compatibility) with encryption (for security).
  • Predictable authentication patterns: Using deterministic, reversible transformations for password verification allows attackers to systematically decode credentials. Modern systems should use one-way cryptographic hashes with salts.
  • Information disclosure via headers: Sensitive information like "magic questions," recipe IDs, and XOR keys were leaked through HTTP response headers. Production systems must sanitize all client-facing outputs.
  • Weak hashing algorithms: MD5 is cryptographically broken and vulnerable to rainbow table attacks. Passwords should use modern algorithms like Argon2, bcrypt, or PBKDF2 with proper salting.
  • Obscurity over security: The rotating recipe system (Level 5) represents security through obscurity. While it adds complexity, the Recipe ID disclosure in headers defeats the purpose entirely.

Resources

TryHackMe
CyberChef
XOR Cipher
Base64
ROT Cipher
CrackStation

Back to top