The Challenge

Our main page for level 12 is very simple; we just have the same picture of Yoda as level 1, and the text “dig deeper!”

Let’s jump into the source code for some more in-depth analysis than normal. If you have been looking at the source code of nearly every level up to this point, you should find something different than normal in the <head> section.

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="a ctf for newbies">
    <title>Infosec Institute n00bs CTF Labs</title>
    <link href="css/bootstrap.css" rel="stylesheet">
    <link href="css/custom.css" rel="stylesheet">
    <link href="css/design.css" rel="stylesheet">
  </head>

We have an extra CSS file than we did in any of the other levels. CSS files are rarely suspicious, but I decided to look into design.css because this was the first time seeing it there.

.thisloveis{
	color: #696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72;
}

This isn’t normal. This is all that’s in the file, and that is not a valid color code. Also notice all the 6’s; that’s an indication that this is hex-encoded ASCII text, just like in a previous level. Decode it with your choice of hex-to-ascii tool and you’ll get the flag infosec_flagis_heyimnotacolor

Lessons Learned

Attention to detail…

CSS files normally won’t contain anything interesting, but if all else fails, it’s another place you could look. In this case, it was suspicious because no other challenge used it. Why should this one be any different?

Seeing that long of a color value in a CSS file should also raise your suspicions, even if you are unfamiliar with CSS. This is also another case of noticing a pattern; there are a significant number of 6’s in that string, which tells us that this probably a hex-encoded ASCII string, just as in previous levels.