Write-Up Advent of CTF 2020 Challenge 8


The NOVI University Of Applied Sciences is offering an Advent CTF challenge for December 2020. The CTF is created by our community member of the and Chief Lecturer for Cyber Security at the NOVI University, Arjen Wiersma. If you want to participate in these CTF challenges, you can create an account on the website

Challenge 8

  • Description: If only you could figure out where to go.
  • 800 Points

Let’s start with this challenge! I visited the challenge URL and ended up on the webpage below. This webpage contains the message: Did you know that the fastest robot can solve rubiks cube in 0.887 sedconds? No, I wasn’t aware of that. Learned something today…


The message is talking about a robot. When you talk about a robot on a webpage, in a CTF, you are talking about robots.txt. Let’s check the robots.txt. This is a plain text file, that consists of one or more rules. Each rule blocks or allows access to a given crawler to a specific directory file path on your websites. On the other hand, for a human, this file can also be read out and can directly access the file path defined in the rules.

Let’s check this file with a curl request.

~$ curl
# robots.txt generated by
User-agent: *
Disallow: /
Disallow: /cgi-bin/

Disallow: /encryption/is/a/right
Disallow: /fnagn/unf/znal/cynprf/gb/tb

Let’s check the first Disallow rule This page contains a Base64 encoded string.


Let’s decode this string.

~$ echo "RW5jb2RpbmcgYW5kIGVuY3J5cHRpb24gYXJlIDIgZGlmZmVyZW50IHRoaW5ncy4=" | base64 -d
Encoding and encryption are 2 different things.

Yep, that’s true. Encryption is part of cryptography and is usually on a secret key, and with only the secret key, the message can be decrypted to the original message.


Ok, let’s analyze the URL. The URL is in some strange format. After passing this to CyberChef, it seems that the URL is a ROT13 cipher. ROT13 is a simple letter substitution cipher that replaced a letter with the 13th letter after it in the alphabet. This URL hides the message: /santa/has/many/places/to/go.


After replacing the ROT13 cipher with the decoded file path, we get the flag NOVI{you_have_br@1ns_in_your_head}.


Thanks for reading!

This post is licensed under CC BY 4.0 by the author.