Byte Babies
JerseyCTF 2025: Encoded-Deception
Mar 30, 2025 - me - writeup, webauthor: @wxrth
Challenge Info:
Category: Web
TL;DR:
Poked around the website of a shady cyber-investigation agency, checked their JavaScript, and found a base64-encoded “Part 1” of a flag. Then sniffed out “Part 2” hidden in a response header from a PHP file. Decoded both parts, stitched ‘em together and boom got the full flag.
The Challenge (Solution):
The challenge gave us this website
http://encoded-deception.aws.jerseyctf.com/
Nothing seemed interactive on the surface. But the hint?
“Sometimes, secrets are buried in scripts…”
So I cracked open DevTools and went hunting.
Step 1 – Exploring:
Inside the Sources tab, under /assets/, there was a single JS file: casefiles.js.
function generateRandomHash(length) {
let result = '';
const characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
for (let i = 0; i < length; i++) {
result += characters.charAt(Math.floor(Math.random() * characters.length));
}
return result;
}
const hash1 = generateRandomHash(16);
const hash2 = generateRandomHash(24);
console.log("Initializing Black Hat Investigations system...");
console.log("User session ID:", hash1);
console.log("Verification key:", hash2);
const secretMessage = "UGFydCAxOiBqY3RmdntteXN0M3J5";
console.log("Nothing to see here... or is there?");
const fakeData = [
"aGVsbG8gd29ybGQ=",
"ZGF0YXN0cmVhbQ==",
"U29tZXRoaW5nIHN1c3BpY2lvdXM="
];
function decodeFakeData(index) {
return atob(fakeData[index]);
}
console.log("Processing encrypted logs...");
setTimeout(() => {
console.log("Log entry:", decodeFakeData(Math.floor(Math.random() * fakeData.length)));
}, 2000);
async function fetchDummyData() {
return fetch('/info.php');
}
fetchDummyData().then(response => console.log(response));
That secretMessage variable caught my eye:
const secretMessage = "UGFydCAxOiBqY3RmdntteXN0M3J5";
Looks like base64 so I copied it, opened up dcode, to check it out.
Sure enough, the output gave me:
Part 1: jctf{myst3ry
First half of the flag secured. Time to track down the second half.
Looking back at the script, I saw this:
fetch('/info.php');
Which meant there might be something interesting in the network traffic…
Step 3 – Inspecting /info.php:
I reloaded the page with DevTools → Network open, clicked on info.php, and sure enough in the Response Headers I found this:
HTTP/1.1 200 OK
Date: Mon, 31 Mar 2025 10:58:01 GMT
Server: Apache/2.4.62 (Amazon Linux)
Important: UGFydCAyOiBfMHAzcjR0MTBufQ==
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/plain;charset=UTF-8
Theres a header named "Important"
Important: UGFydCAyOiBfMHAzcjR0MTBuf
It looked like another base64 string just like earlier. So I copied it, headed back to dcode.fr, and dropped it in.
Output:
Part 2: _0p3r4t10n}
Boom, second half of the flag successfully uncovered.
Step 4: Combineeeeeee!
Now with both pieces in hand:
- Part 1:
jctf{myst3ry - Part 2:
_0p3r4t10n}