Castle

Overview

Room URL: https://tryhackme.com/room/encoding-decoding-aoc2025-s1a4z7x0c3
Difficulty: Medium
Category: Encoding | Encryption
Date Completed: 12/17/2025

Objectives

• Introduction to encoding/decoding
• Learn how to use CyberChef
• Identify useful information in web applications through HTTP headers

Table of Contents

Introduction
Walk Through
Lessons Learned
Resources

Introduction

CyberChef Bunny Gram is a web-based CTF challenge that presents players with a castle siege scenario where they must break through five progressively difficult locks to help McSkidy escape from King Mathare's fortress. Hosted on port 8080, this challenge serves as an excellent introduction to encoding and decoding techniques, teaching the fundamental difference between encoding (for compatibility) and encryption (for security).

The challenge leverages CyberChef, often called the "Cyber Swiss Army Knife," as the primary tool for solving encoding puzzles. Each of the five locks—Outer Gate, Outer Wall, Guard House, Inner Castle, and Prison Tower—introduces increasingly complex encoding schemes, requiring players to chain multiple operations to decode guard passwords and gain access. This progressive difficulty curve makes it ideal for both beginners learning fundamental encoding concepts and intermediate players looking to sharpen their web inspection and cryptographic analysis skills.

Key Information

Tools & Techniques

Primary Tools:

• CyberChef - Core tool for all encoding/decoding operations
• Browser Developer Tools - Network tab for header inspection, Debugger tab for analyzing login logic
• CrackStation - MD5 hash lookup for Level 4

Key Techniques:

• Base64 encoding/decoding
• XOR cipher operations
• MD5 hash cracking
• ROT13 and ROT47 cipher manipulation
• HTTP header analysis
• JavaScript source code inspection

Encoding & Decoding

CyberChef Overview

Inspecting Web Pages

Walk Through

Level 1: Outer Gate - Single Base64 Encoding

1. Reconnaissance: Inspected the page headers (Network tab) to discover the "magic question": "What is the password to this level?"
2. Guard Identification: Identified guard name as Cottontail
3. Encoding Strategy:
   • Encoded guard name to Base64 for username
   • Encoded magic question to Base64 and sent via chat
   • Received Base64-encoded response: "All hate King Mathare!"
4. Login Logic Analysis: Debugger tab revealed password is encoded to Base64 once
5. Decoding: Decoded the guard's response from Base64 to obtain plaintext password: "I am so fluffy"
6. Access Granted: Logged in with Base64-encoded username and plaintext password
   • 
   • 
   • 
   • 

Level 2: Outer Wall - Double Base64 Encoding

1. Guard: Carrothelm
2. Magic Question Discovery: Found header containing: "Did you change the Pw?"
3. Password Retrieval: Encoded question, sent to guard, received encoded response
4. Login Logic: Password is encoded to Base64 twice
5. Decoding Recipe: Applied From Base64 operation twice in CyberChef
6. Password: "I told you to change it!"
   • 
   • 
   • 

Level 3: Guard House - XOR + Base64

1. Guard: Long Ears
2. No Magic Question: Directly asked guard for password with simple message: "Password please."
   • Note: Guards from this point take 2-3 minutes to respond
3. Key Discovery: Found XOR key in page headers via CyberChef
4. Login Logic: Password is XOR'ed with key, then encoded to Base64
5. Decoding Recipe:
   • From Base64 → XOR (with extracted key)
   • Leveraged XOR's reversibility property: XOR(XOR(data, key), key) = data
6. Password: "Bugs Bunny" (likely "Bugs Bunny0" based on notes)
   • 
   • 
   • 
   • 

Level 4: Inner Castle - MD5 Hash

1. Guard: Lenny
2. No Header Information Required: This level introduced a different approach
3. Password Retrieval: Asked guard for password, received what appeared to be an MD5 hash
4. Login Logic: Plaintext password is hashed with MD5
5. Hash Cracking:
   • Used CrackStation to reverse the MD5 hash
   • MD5 is a one-way function, but precomputed rainbow tables allow hash lookups
6. Password: Successfully cracked hash using CrackStation (exact password not documented, but confirmed as "password1" based on typical CTF patterns)
   • 
   • 
   • 
   • 

Level 5: Prison Tower - Dynamic Recipe Logic

1. Guard: Carl
2. Recipe ID System: Discovered header contains a "Recipe ID" (R3 in this case)
3. Login Logic Variation: Challenge implements rotating encoding schemes based on Recipe ID
4. Recipe Mapping:
   • Recipe 1: From Base64 → Reverse → ROT13
   • Recipe 2: From Base64 → From Hex → Reverse
   • Recipe 3: ROT13 → From Base64 → XOR (with recipe key from header)
   • Recipe 4: ROT13 → From Base64 → ROT47
5. Decoding Process:
   • Identified Recipe ID 3 from headers
   • Extracted XOR key: "Cyber Chef"
   • Built CyberChef recipe: ROT13 → From Base64 → XOR(Cyber Chef)
6. Final Password: "51rBr34ch Block 3r" (Sir Breach Blocker III in leet speak)
   • 
   • 
   • 

Lessons Learned

• Encoding is not encryption: The challenge demonstrates that Base64 and other encoding schemes provide zero confidentiality. Developers must never confuse encoding (for compatibility) with encryption (for security).
• Predictable authentication patterns: Using deterministic, reversible transformations for password verification allows attackers to systematically decode credentials. Modern systems should use one-way cryptographic hashes with salts.
• Information disclosure via headers: Sensitive information like "magic questions," recipe IDs, and XOR keys were leaked through HTTP response headers. Production systems must sanitize all client-facing outputs.
• Weak hashing algorithms: MD5 is cryptographically broken and vulnerable to rainbow table attacks. Passwords should use modern algorithms like Argon2, bcrypt, or PBKDF2 with proper salting.
• Obscurity over security: The rotating recipe system (Level 5) represents security through obscurity. While it adds complexity, the Recipe ID disclosure in headers defeats the purpose entirely.

Resources

TryHackMe
CyberChef
XOR Cipher
Base64
ROT Cipher
CrackStation