LabyREnth CTF 2017: Threat 3

We were given the URL to begin with. Visiting the site reveals an awful page that somewhat resembles the dark age of GeoCities. Obviously, the first instinct was to inspect the HTML source code, which contains several GIFs and a comment containing some kind of hex string.

<!DOCTYPE html>
body { background-image: url("starry.gif");}
<img src="under_constructionA.gif"><br>
<font color="yellow">
<center><marquee><h1>Can you find me?</h1></marquee>
<img src="flamingline.gif">
<img src="labyrinth.gif">
<img src="getie.gif">
<font size="2">
<p align="right">copyright s. williams
<!-- 642C740D0C297E3A5E1B4D6A70346C24175D56485F7F2B3C0E1F1C6D716F3C2013095B405B2C2F385D491C62763930231A560E13507879390B414E36216B327C1A065E42022C2032 -->

Inspection of the GIF images concluded that they were benign. Running a WHOIS on the domain revealed several interesting registrant details.

Registry Domain ID: D425500000003684894-AGRS
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2017-05-01T15:59:56Z
Creation Date: 2017-05-01T15:48:59Z
Registry Expiry Date: 2018-05-01T15:48:59Z
Registrar Registration Expiration Date:
Registrar: Gandi SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientTransferProhibited
Domain Status: serverTransferProhibited
Registry Registrant ID: C17578851-AGRS
Registrant Name: Sarah Williams
Registrant Organization:
Registrant Street: 285 Lafayette Street
Registrant City: New York
Registrant State/Province: NY
Registrant Postal Code: 10012
Registrant Country: US
Registrant Phone: +1.4048675309
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email:

It appears that the domain was registered to a person named Sarah Williams, along with an email address. Googling that email led to a GitHub URI, which contains a list that looks like a Facebook account dump.

!mvcz - 1994RhondaEvaamong - positiveHerminia1993Dorian!c54nnvzneaylgu2id - 1990FaithCeciliaprogram - TheSarahWilliams1986M!tcugc21h-q47x6 - Nadine2001Earlperform - CamilleJeremybecome1996 - IanavailableMegan2009 - LuannAdelanation1989

The dump appears to be a Facebook password dump; however, it turns out to contain just the profile username. Visiting that profile resulted in tons of base64-encoded posts.

From Sarah’s Facebook profile overview, we were able to identify her Twitter account, which indirectly revealed her LinkedIn account within one of her Twitter posts.

Sarah’s experience description on LinkedIn was embedded with several links, one of which points to her Stack Exchange profile.

It appears that Sarah had asked a question on Stack Overflow.

Sarah posted the entire encryption code on Stack Overflow and asked the community why it couldn’t run properly.

The code can be easily fixed with proper type casting and indentation. Analysis of the code shows that it’s an XOR encryption algorithm which takes an 8-byte key and encrypts a plaintext string.

If the length of the plaintext string % 8 != 0, the algorithm appends @ to the end of the plaintext.

It turns out to be a rather simple algorithm: byte[i] ^ key[i] for the first 8 bytes. Each following byte[7+i] is XORed with the previous result of byte[i] ^ key[i].

Alright, looking back at the entire challenge, there’s a weird hex string embedded within the HTML comment: 642C740D0C297E3A5E1B4D6A70346C24175D56485F7F2B3C0E1F1C6D716F3C2013095B405B2C2F385D491C62763930231A560E13507879390B414E36216B327C1A065E42022C2032

It seems that this is the ciphertext. Right now, we are missing the key. It appears that Sarah mentioned Toby and loves him a lot. I started to search for any string of length 8 as the key. babytoby seems to be a likely candidate for a key.

So, using Python, chr(0x32 ^ ord("b")) == "P"

XORing the remaining bytes will give you the flag:
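A decryptor for the scheme described above, as an added example: it is not the code from Sarah’s Stack Overflow post, which this page does not reproduce. The byte order is an assumption inferred from the chr(0x32 ^ ord("b")) hint, which pairs the last ciphertext byte with the first key byte: the hex string is read back to front, and each later block is XORed with the previous ciphertext block reversed. The function names are hypothetical.

```python
"""Chained 8-byte XOR scheme from this write-up (added example)."""

BLOCK = 8  # key and block size stated in the write-up

# Ciphertext from the HTML comment and the key candidate, both from the page.
CIPHERTEXT_HEX = (
    "642C740D0C297E3A5E1B4D6A70346C24175D56485F7F2B3C"
    "0E1F1C6D716F3C2013095B405B2C2F385D491C6276393023"
    "1A560E13507879390B414E36216B327C1A065E42022C2032"
)
KEY = b"babytoby"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, key: bytes = KEY) -> str:
    """Pad with '@' to a multiple of 8, chain-XOR, emit reversed hex."""
    if len(key) != BLOCK:
        raise ValueError("key must be exactly 8 bytes")
    plaintext += b"@" * (-len(plaintext) % BLOCK)
    stream, mask = bytearray(), key
    for off in range(0, len(plaintext), BLOCK):
        block = _xor(plaintext[off:off + BLOCK], mask)
        stream += block
        mask = block[::-1]  # assumption: next mask is this block reversed
    return bytes(stream[::-1]).hex().upper()  # assumption: reversed output


def decrypt(ciphertext_hex: str, key: bytes = KEY) -> bytes:
    """Invert encrypt(); the '@' padding is left in place for inspection."""
    stream = bytes.fromhex(ciphertext_hex)[::-1]  # read back to front
    if len(key) != BLOCK or len(stream) % BLOCK:
        raise ValueError("key must be 8 bytes, ciphertext a multiple of 8")
    plain, mask = bytearray(), key
    for off in range(0, len(stream), BLOCK):
        block = stream[off:off + BLOCK]
        plain += _xor(block, mask)
        mask = block[::-1]  # chain on the ciphertext, not the plaintext
    return bytes(plain)


if __name__ == "__main__":
    print(decrypt(CIPHERTEXT_HEX).rstrip(b"@").decode())
```

Because the chaining mask comes from the ciphertext itself, only the first 8 bytes actually depend on the key; every later block can be recovered from the hex string alone.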

