Tags: caesar curl base64 

**No files provided**

**Description**

> https://dance.wpictf.xyz
>
> by binam

**Solution**

Navigating to the URL in a browser immediately redirects us to [this helpful video](https://www.youtube.com/watch?v=dQw4w9WgXcQ#t=0m09s). After taking some inspiration from the video, we attempt a non-browser approach:

```
$ curl "https://dance.wpictf.xyz"

<title>Redirecting...</title>
<h1>Redirecting...</h1>

You should be redirected automatically to target URL: https://www.youtube.com/watch?v=dQw4w9WgXcQ#t=0m09s. If not click the link.
```

Still not terribly useful. Let's enable verbose mode for `curl`:

```
$ curl -v https://dance.wpictf.xyz
> GET / HTTP/1.1
...
>
< HTTP/1.1 302 FOUND
* Server nginx/1.13.12 is not blacklisted
< Server: nginx/1.13.12
< Date: Sun, 15 Apr 2018 19:35:02 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 309
< Connection: keep-alive
< Location: https://www.youtube.com/watch?v=dQw4w9WgXcQ#t=0m09s
< Set-Cookie: flag=E1KSn2SSktOcG2AeV3WdUQAoj24fm19xVGmomMSoH3SuHEAuG2WxHDuSIF5wIGW9MZx=; Path=/
< Set-Cookie: Julius C.="got good dance moves."; Path=/
< Strict-Transport-Security: max-age=31536000
<

<title>Redirecting...</title>
...
```

Two cookies are given:

> `flag=E1KSn2SSktOcG2AeV3WdUQAoj24fm19xVGmomMSoH3SuHEAuG2WxHDuSIF5wIGW9MZx=`

This should be our flag. It looks like base64, but it produces garbage after decoding.

> `Julius C.="got good dance moves."`

Julius C. here is a hint / reference to Julius Caesar, and hence the [Caesar cipher](https://en.wikipedia.org/wiki/Caesar_cipher). This cipher applies to letters and leaves numbers and other data intact. Applying it to the decoded flag data is not much use (mostly binary data). So we try to apply the shift with all 25 keys to the base64 string itself:

```python
#!/usr/bin/env python3
import base64
import string

flag = "E1KSn2SSktOcG2AeV3WdUQAoj24fm19xVGmomMSoH3SuHEAuG2WxHDuSIF5wIGW9MZx="
upper = string.ascii_uppercase
lower = string.ascii_lowercase

# Try every Caesar key on the base64 text itself; digits and '=' are untouched.
for key in range(1, 26):
    shift = str.maketrans(
        upper + lower,
        upper[key:] + upper[:key] + lower[key:] + lower[:key])
    # Decode the shifted text and print the candidate next to its key.
    print(key, base64.b64decode(flag.translate(shift)))
```

> [link to script](https://github.com/Aurel300/empirectf/blob/master/writeups/2018-04-13-WPICTF/scripts/web-150-dance-shift.py)

(Or use a website like [this](https://www.xarg.org/tools/caesar-cipher/).)

And, sure enough, with a key of 17, we get:

```
WPI{bInAm_do3sn,t_kn0w_h1w_t2_creaTe_chaIIenges}
```
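
The whole solve as one script, added here as an example rather than taken from the original writeup: it reads both cookies out of the response headers captured above, tries every shift on the base64 text, and keeps only the candidates that decode to printable ASCII. The function names and the printable-ASCII filter are assumptions of this example.

```python
import base64
import string

# Added example; helper names are hypothetical. Headers copied from the
# verbose curl output above so the script runs offline.
RAW_HEADERS = (
    "HTTP/1.1 302 FOUND\r\n"
    "Location: https://www.youtube.com/watch?v=dQw4w9WgXcQ#t=0m09s\r\n"
    "Set-Cookie: flag=E1KSn2SSktOcG2AeV3WdUQAoj24fm19xVGmomMSoH3SuHEAuG2WxHDuSIF5wIGW9MZx=; Path=/\r\n"
    'Set-Cookie: Julius C.="got good dance moves."; Path=/\r\n'
)

def set_cookies(raw):
    """Return {name: value} for every Set-Cookie header. Split by hand:
    a name such as 'Julius C.' contains a space, so it is not a valid
    cookie token and strict cookie parsers may drop it."""
    cookies = {}
    for line in raw.split("\r\n"):
        header, _, rest = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        pair = rest.split(";", 1)[0]          # drop attributes (Path=/)
        name, _, value = pair.partition("=")  # value may itself end in '='
        cookies[name.strip()] = value.strip()
    return cookies

def caesar(text, key):
    """Shift letters by key; digits, '+', '/' and '=' are untouched."""
    up, lo = string.ascii_uppercase, string.ascii_lowercase
    table = str.maketrans(up + lo, up[key:] + up[:key] + lo[key:] + lo[:key])
    return text.translate(table)

def solve(b64_text):
    """Try all 25 shifts; keep those that decode to printable ASCII."""
    printable = set(string.printable.encode())
    hits = []
    for key in range(1, 26):
        data = base64.b64decode(caesar(b64_text, key))
        if data and all(b in printable for b in data):
            hits.append((key, data.decode("ascii").strip()))
    return hits

if __name__ == "__main__":
    for key, text in solve(set_cookies(RAW_HEADERS)["flag"]):
        print(key, text)
```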

Original writeup (https://github.com/Aurel300/empirectf/blob/master/writeups/2018-04-13-WPICTF/README.md#web--150-dance).