Labs / Base64 Detective

  • Daily Challenge
  • Released 24 Jun 2025

Solution Steps

1. Understanding the Challenge

The challenge presents a web page with multiple layers of Base64 encoded data hidden in various HTML elements. Each decoded string contains information that leads to the next step.

2. Initial Page Inspection

Open the challenge page and use browser developer tools (F12) to inspect the HTML source. You'll find several Base64 encoded strings in different locations:

Location 1: Hidden Input Field

In the HTML, there's a hidden input field with a Base64 encoded value:

<input type="hidden" id="clue1" value="RmxhZyBwYXJ0IDE6IDhmNzk=">

Decode this Base64 string: RmxhZyBwYXJ0IDE6IDhmNzk=

Result: Flag part 1: 8f79

Location 2: Data Attribute

In the main container div, there's a data attribute with encoded content:

<div class="container" data-clue="RmxhZyBwYXJ0IDI6IGIxN2EtZGZidg==">

Decode this Base64 string: RmxhZyBwYXJ0IDI6IGIxN2EtZGZidg==

Result: Flag part 2: b17a-dfbv

Location 3: CSS Comment

In the CSS section, there's a comment with encoded data:

/* RmxhZyBwYXJ0IDM6IDQzYjYtYTQyMy1jZWE= */

Decode this Base64 string: RmxhZyBwYXJ0IDM6IDQzYjYtYTQyMy1jZWE=

Result: Flag part 3: 43b6-a423-cea

Location 4: JavaScript Variable

In the JavaScript section, there's a variable with encoded content:

const finalClue = "MTI4N2JlZWE4";

Decode this Base64 string: MTI4N2JlZWE4

Result: 1287beea8

3. Combining the Flag Parts

Now combine all the decoded parts in order:

  1. Flag part 1: 8f79
  2. Flag part 2: b17a-dfbv
  3. Flag part 3: 43b6-a423-cea
  4. Final part: 1287beea8

4. Final Flag Assembly

Combine all parts to form the complete UUID flag:

8f79b17a-dfbf-43b6-a423-cea1287beea8

5. Verification

To verify the solution:

  1. The flag should be a valid UUID format (8-4-4-4-12 characters)
  2. It should be exactly 36 characters long
  3. All parts should combine correctly
  4. The flag should match the expected format

6. Technical Details

  • Base64 encoding uses A-Z, a-z, 0-9, +, and / characters, with = as padding
  • Each Base64 string was encoded using standard Base64 encoding
  • The flag was split into 4 parts and hidden in different HTML elements
  • Each part was encoded separately to create multiple layers
  • The challenge demonstrates how data can be hidden in plain sight

7. Learning Points

  • Base64 encoding is commonly used in web applications
  • Data can be hidden in various HTML elements and attributes
  • Web inspection skills are essential for security testing
  • Multiple layers of encoding can be used to hide information
  • Understanding encoding schemes helps in data analysis

8. Alternative Approaches

If the above method doesn't work, you can also:

  • Use online Base64 decoders
  • Use command line tools like base64 -d
  • Write a simple script to decode the strings
  • Use browser console to decode the strings
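
For the scripted option, here is an added example (not part of the original walkthrough) that scans page source for Base64 tokens and keeps only those that decode to printable ASCII. The sample page is constructed from the four snippets quoted in step 2; the wrapping tags and the function name find_base64_text are assumptions.

```python
import base64
import binascii
import re

# Constructed sample: the four snippets quoted in the walkthrough, wrapped in
# minimal markup. The surrounding tags are an assumption, not the lab's page.
SAMPLE_PAGE = """
<style>
/* RmxhZyBwYXJ0IDM6IDQzYjYtYTQyMy1jZWE= */
</style>
<div class="container" data-clue="RmxhZyBwYXJ0IDI6IGIxN2EtZGZidg==">
<input type="hidden" id="clue1" value="RmxhZyBwYXJ0IDE6IDhmNzk=">
</div>
<script>
const finalClue = "MTI4N2JlZWE4";
</script>
"""

# Runs of 8+ standard-alphabet Base64 characters with optional "=" padding.
# URL-safe Base64 (- and _) is deliberately not handled here.
CANDIDATE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def find_base64_text(source):
    """Return (token, decoded_text) pairs, in document order, for every
    token that is valid Base64 and decodes to printable ASCII."""
    hits = []
    for match in CANDIDATE.finditer(source):
        token = match.group(0)
        if len(token) % 4:
            continue  # ordinary words such as "container" fail this check
        try:
            raw = base64.b64decode(token, validate=True)
            text = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # bad padding, or bytes that are not ASCII text
        if text.isprintable():
            hits.append((token, text))
    return hits


if __name__ == "__main__":
    for token, text in find_base64_text(SAMPLE_PAGE):
        print(f"{token} -> {text}")
```

The printable-ASCII filter is what keeps the output readable: a token such as text/css has a valid Base64 length and alphabet but decodes to non-text bytes, so it is dropped.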

9. Security Implications

This challenge demonstrates several important concepts:

  • Data encoded in Base64 is not secure - it's just encoded, not encrypted
  • Hidden data in web pages can be easily discovered with proper tools
  • Client-side data should not be considered secure
  • Web inspection is a fundamental skill for security testing