The third SecTalks is rather interesting, and requires some level of guesswork. Upon unzipping the challenge archive, we’re greeted with a number of files, with “index.html” immediately grabbing our attention as a potential entry point, and a number of interesting items in the “data” folder.
At a glance, the “index.html” file is a page of text with a comment submission form at the bottom – upon closer inspection, there are some interesting functions in the source code:
In addition to this, there’s also a rather curious bit of code, setting a local storage variable by the name of “test”:
Decoding it yields what appears to be ciphertext, so let’s set it aside for now.
Inspecting the source code further shows that when a user submits a comment via the comment form in “index.html”, the message is encrypted with a known public key, and then placed in the browser’s local storage. You can see this happening if you use the comment form in Chrome, and keep an eye on local storage via the developer tools (F12).
Helpfully, the private key to decrypt these messages, as well as a pre-built message decryption tool, is provided in the “data” folder. Unfortunately, the private key (“encrypted.json” in “privateKey.zip”) requires a password to extract.
Taking a look at “caesar.jpg”, we find a picture of Caesar, along with what appear to be a number of ciphertexts. Typically a Caesar cipher is not too difficult to crack – for each ciphertext, there are only 26 possible plaintexts (or 255 if you assume that all characters are permitted – which doesn’t make sense given the ciphertext).
A little bit of guesswork comes into play here, as we have no idea what the rules might be. A hint provided during the challenge mentioned that the key had something to do with sectalks, so a little modification to a Caesar cipher brute-forcing script yields the result:
Using this password allows us to unzip the private key archive, and load the contents of “encrypted.json” into the decryption tool in the data folder. From there, it’s a simple matter of modifying “index.html” to stick the contents of the “test” local storage variable into a file, revealing the hidden message:
You can download the Caesar cipher brute-forcing script here (for some unknowable reason I thought the password would be lowercase; it’s not).
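The keyword-filtered brute force described above, as an added example (not the author's downloadable script): it tries all 26 shifts on each ciphertext and keeps only the candidates containing the hint word, matching case-insensitively so the password's casing does not have to be guessed. The sample ciphertexts are constructed for illustration and are not the strings from “caesar.jpg”; the function names are hypothetical.

```python
import string


def shift_text(text: str, shift: int) -> str:
    """Rotate A-Z and a-z by `shift` positions; leave other characters as-is."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        elif ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)  # digits, punctuation and spaces are not shifted
    return "".join(out)


def brute_force(ciphertexts, hint):
    """Try every shift on every ciphertext and keep candidates containing `hint`.

    The comparison is case-insensitive on both sides, so a mixed-case
    plaintext is still found when the hint is supplied in lowercase.
    Returns a list of (ciphertext, shift, candidate_plaintext) tuples.
    """
    needle = hint.lower()
    hits = []
    for ct in ciphertexts:
        for shift in range(26):
            candidate = shift_text(ct, shift)
            if needle in candidate.lower():
                hits.append((ct, shift, candidate))
    return hits


# Constructed sample ciphertexts (NOT the ones shown in caesar.jpg).
SAMPLES = [
    "Dwwdfn dw gdzq",   # decoy
    "ZljAhsrz_Kltv",    # contains the hint word under one of the 26 shifts
    "irav ivqv ivpv",   # decoy
]

if __name__ == "__main__":
    for ct, shift, plaintext in brute_force(SAMPLES, "sectalks"):
        print(f"{ct!r} --shift {shift}--> {plaintext!r}")
```
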