Brute Force

Posted on Jun 04 2019 - 1:25pm

Normally, to access a password protected website page the password you enter is sent from your browser to the website. The website validates the password on its side (i.e. you can't see what is happening) and then serves up the protected page back to you if the password you entered is correct.

For the password page of this key, the server is not involved. The message we want to view is stored inside the HTML of the page in encrypted form, and the algorithm (code) to decrypt it is there too. You enter a password and the page checks whether it is correct without ever contacting the server.

That means you have the encrypted message in hand and can run a dictionary attack against it, using the algorithm provided. A dictionary attack works through a long list of common words, trying them one by one until you find the word, or words, that make up the password.

Twitter user John Cantrell (@JohnCantrell97) figured this out very quickly and solved the next two keys using this method, without traveling to any location. He has posted a full write-up on GitHub of how he did it.

The organizers of the hunt have kept this format for all of the keys released so far. If you can find the URL, the encrypted message is there for you to try to crack.