
Solving "The Ancient Art vs. The Pretenders" CTF: A Complete Walkthrough

  • Sep 29
  • 4 min read

Welcome, aspiring alchemists! If you've been working through our ✨ The Ancient Art vs. The Pretenders ✨ Capture The Flag challenge, you've encountered four foundational cybersecurity concepts disguised as medieval alchemy. Just as true alchemists understood that transformation required depth over spectacle, mastering cybersecurity requires understanding the fundamentals beneath the surface.


This walkthrough will guide you through each challenge, explaining not just the answers, but the "why" behind them—because true mastery comes from understanding, not just solving.


🔮 Challenge 1: The Puffer's Proclamation - Caesar Cipher


The Challenge

You're presented with this encrypted text:

JXEKI_XLI_TYJJIV_WLMJXIH

The Solution

Answer: FLAG_THE_PUFFER_SHIFTED


How It Works

The Caesar cipher is one of the oldest and simplest encryption techniques, named after Julius Caesar who allegedly used it to protect military messages. It works by shifting each letter in the alphabet by a fixed number of positions.


In this challenge, each letter has been shifted forward by 4 positions:


  • A becomes E

  • B becomes F

  • C becomes G

  • ...and so on


To decrypt, we reverse the process by shifting backward by 4 positions:

  • J → F

  • X → T

  • E → A

  • K → G

  • I → E


Let's decode the first word:

  • J (shift back 4) = F

  • X (shift back 4) = T

  • E (shift back 4) = A

  • K (shift back 4) = G

  • I (shift back 4) = E


Result: FLAG


Continue this pattern for the entire string, and you get: FLAG_THE_PUFFER_SHIFTED


Real-World Application

While Caesar ciphers are far too simple for modern security, understanding them teaches you:


  • The foundation of substitution ciphers

  • Why rotation-based encryption needs larger key spaces

  • How frequency analysis can break simple ciphers


Modern encryption like AES uses far more complex mathematical operations, but the principle of transformation remains the same.
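An added example (not part of the original walkthrough or the challenge's code) showing why a 26-key space offers no protection: it tries every shift and keeps the candidates containing the known flag prefix. The function names are illustrative, and the ciphertext is generated inside the example by shifting the walkthrough's answer forward by 4.

```javascript
// Added example: Caesar shift, brute-forced over the whole key space.
const A = "A".charCodeAt(0);

// Shift A-Z by `shift` positions; leave "_" and anything else untouched.
function caesar(text, shift) {
  const k = ((shift % 26) + 26) % 26; // normalise negative shifts
  return text.replace(/[A-Z]/g, (ch) =>
    String.fromCharCode(((ch.charCodeAt(0) - A + k) % 26) + A)
  );
}

// Try every key and keep the candidates that contain a known-plaintext crib
// (here the flag prefix that CTF answers start with).
function bruteForce(ciphertext, crib) {
  const hits = [];
  for (let shift = 0; shift < 26; shift++) {
    const candidate = caesar(ciphertext, -shift);
    if (candidate.includes(crib)) hits.push({ shift, plaintext: candidate });
  }
  return hits;
}

// Constructed input: the walkthrough's answer shifted forward by 4.
const ciphertext = caesar("FLAG_THE_PUFFER_SHIFTED", 4);
const hits = bruteForce(ciphertext, "FLAG_");
console.log(ciphertext, hits);
```

Only one of the 26 candidates contains the crib, so the key falls out without any prior knowledge of the shift.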


🧪 Challenge 2: The Philosopher's Notes - Base64 Encoding


The Challenge

Decode this Base64-encoded string:

RkxBR19UUlVFX0FMQ0hFTVlfSVNfSU5ORVJfV09SSw==

The Solution

Answer: FLAG_TRUE_ALCHEMY_IS_INNER_WORK

How It Works

Base64 isn't encryption—it's an encoding scheme that converts binary data into ASCII text. It's widely used in web development, email attachments, and data transmission because it ensures binary data can be safely transmitted through systems that only handle text.

Base64 uses 64 characters: A-Z, a-z, 0-9, +, and /. The == at the end is padding to ensure the encoded data is a multiple of 4 characters.

To decode Base64:

Method 1: Browser Console

Open your browser's developer console (F12) and type:

javascript

atob("RkxBR19UUlVFX0FMQ0hFTVlfSVNfSU5ORVJfV09SSw==")

Result: FLAG_TRUE_ALCHEMY_IS_INNER_WORK

Method 2: Online Decoder

Use any Base64 decoder website—just paste the encoded string and click decode.

Method 3: Command Line

On Linux/Mac:

bash

echo "RkxBR19UUlVFX0FMQ0hFTVlfSVNfSU5ORVJfV09SSw==" | base64 -d

Real-World Application

Base64 encoding is everywhere in cybersecurity:

  • JWT tokens (JSON Web Tokens) use Base64 encoding

  • Email attachments are transmitted as Base64

  • Data URLs in HTML/CSS use Base64 for embedded images

  • API authentication often involves Base64-encoded credentials

Remember: Base64 is encoding, not encryption. It provides zero security—anyone can decode it. It's meant for data representation, not protection.
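An added example (not from the original walkthrough) that makes the "encoding, not encryption" point concrete with a JWT: the header and payload are read with no key at all. JWT segments use the URL-safe, unpadded Base64 variant, so the decoder restores padding first; the token, its claims and the helper names are constructed for illustration.

```javascript
// Decode standard or URL-safe Base64, padded or not, to UTF-8 text.
function b64Decode(input) {
  const std = input.replace(/-/g, "+").replace(/_/g, "/").replace(/=+$/, "");
  if (std.length % 4 === 1) throw new Error("invalid Base64 length");
  const padded = std + "=".repeat((4 - (std.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Encode text as unpadded base64url, the form JWT segments use.
function b64urlEncode(text) {
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Read a JWT's header and payload. The signature is NOT verified here:
// the point is that the claims are readable by anyone holding the token.
function readJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: JSON.parse(b64Decode(parts[0])),
    payload: JSON.parse(b64Decode(parts[1])),
  };
}

// Constructed token with a placeholder signature (not a real credential).
const token = [
  b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  b64urlEncode(JSON.stringify({ sub: "apprentice", role: "admin" })),
  "PLACEHOLDER_SIGNATURE",
].join(".");

console.log(readJwt(token).payload);
console.log(b64Decode("RkxBR19UUlVFX0FMQ0hFTVlfSVNfSU5ORVJfV09SSw=="));
```

The signature protects a token's integrity, not its confidentiality, so nothing sensitive belongs in the payload.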

⚗️ Challenge 3: The Hidden Formula - Source Code Investigation

The Challenge

Find the flag hidden within the page itself.

The Solution

Answer: FLAG_SILENT_WORK_BEATS_LOUD_PRETENSE

How It Works

This challenge teaches one of the most fundamental skills in web security: reading source code. The flag is hidden in an HTML comment within the page source.

To find it:

Method 1: View Page Source

  • Windows/Linux: Press Ctrl + U

  • Mac: Press Cmd + Option + U

  • Or right-click anywhere on the page → "View Page Source"

Look for this section in the HTML:

html

<!-- FLAG_SILENT_WORK_BEATS_LOUD_PRETENSE -->

Method 2: Inspect Element

  • Windows/Linux: Press F12 or Ctrl + Shift + I

  • Mac: Press Cmd + Option + I

  • Navigate through the HTML elements to find the comment

Real-World Application

In real penetration testing and bug bounty hunting, examining source code reveals:

  • API keys and secrets accidentally left in JavaScript

  • Hidden form fields with interesting parameters

  • Commented-out code containing sensitive information

  • Client-side validation that can be bypassed

  • Debug endpoints developers forgot to remove

Always check:

  • HTML source code

  • JavaScript files

  • CSS files

  • Network requests in the browser's Developer Tools

Many security vulnerabilities are discovered simply by reading what developers thought was "hidden."
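An added example, not part of the original walkthrough, that turns the manual check into something you can run over your own pages before publishing: it lists every HTML comment and hidden input in a page's source. `auditSource` and the sample markup are constructed for illustration; only the flag comment comes from the challenge.

```javascript
// Return HTML comments and hidden <input> fields found in `html`
// (hypothetical helper). Regex-based so it runs on raw source text
// without needing a DOM.
function auditSource(html) {
  const findings = [];
  for (const m of html.matchAll(/<!--([\s\S]*?)-->/g)) {
    const text = m[1].trim();
    if (text) findings.push({ kind: "comment", value: text, offset: m.index });
  }
  for (const m of html.matchAll(/<input\b[^>]*>/gi)) {
    const tag = m[0];
    if (!/\btype\s*=\s*["']?hidden\b/i.test(tag)) continue;
    const name = /\bname\s*=\s*["']([^"']*)["']/i.exec(tag);
    const value = /\bvalue\s*=\s*["']([^"']*)["']/i.exec(tag);
    findings.push({
      kind: "hidden-input",
      value: `${name ? name[1] : "(unnamed)"}=${value ? value[1] : ""}`,
      offset: m.index,
    });
  }
  // Report in document order so findings are easy to locate in the source.
  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed page source; only the flag comment is taken from the walkthrough.
const sampleHtml = `<!DOCTYPE html>
<html><body>
  <!-- FLAG_SILENT_WORK_BEATS_LOUD_PRETENSE -->
  <form action="/order" method="post">
    <input type="text" name="qty">
    <input type="hidden" name="price" value="320">
    <!-- TODO: remove /debug/status before launch -->
  </form>
</body></html>`;

const findings = auditSource(sampleHtml);
console.log(findings);
```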

🔬 Challenge 4: The Sacred Geometry - JavaScript Analysis

The Challenge

Analyze this JavaScript function and determine what it returns:

javascript

function createFlag() {
    const base = "FLAG_THE_QUIET_ONES_";
    const ending = btoa("OUTLAST").slice(0,-2);
    return base + ending;
}

The Solution

Answer: FLAG_THE_QUIET_ONES_OUTLAST or FLAG_THE_QUIET_ONES_T1VUTEFTVA

How It Works

This challenge combines code reading with understanding JavaScript's built-in encoding functions.

Let's break down the function step by step:

  1. Base string: "FLAG_THE_QUIET_ONES_"

  2. The btoa() function: This is JavaScript's built-in function for Base64 encoding

    • btoa("OUTLAST") encodes "OUTLAST" to Base64

    • Result: "T1VUTEFTVA=="

  3. The .slice(0,-2) method: This removes the last 2 characters (the padding ==)

    • "T1VUTEFTVA==".slice(0,-2) = "T1VUTEFTVA"

  4. Final concatenation: "FLAG_THE_QUIET_ONES_" + "T1VUTEFTVA" = "FLAG_THE_QUIET_ONES_T1VUTEFTVA"

To solve this yourself:

Method 1: Browser Console

javascript

function createFlag() {
    const base = "FLAG_THE_QUIET_ONES_";
    const ending = btoa("OUTLAST").slice(0,-2);
    return base + ending;
}
createFlag(); // Run the function

Method 2: Manual Decoding

Recognize that if the ending is Base64 encoded, decode it:

javascript

atob("T1VUTEFTVA==") // Returns "OUTLAST"

So the human-readable answer is: FLAG_THE_QUIET_ONES_OUTLAST

Real-World Application

Code analysis is critical in cybersecurity for:

  • Reverse engineering obfuscated JavaScript in malware

  • Finding logic flaws in authentication systems

  • Identifying vulnerabilities in client-side validation

  • Understanding API implementations before exploiting them

Many web applications try to "hide" logic in JavaScript, thinking users won't read it. Security professionals know that client-side code is never secret—anything running in the browser can be read, modified, and bypassed.
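Resolving the Challenge 4 expression from source text alone, as an added example that is not from the original page: when triaging a script you would rather not execute, literal `btoa()`/`atob()` calls can be evaluated statically. `resolveEncodedLiterals` is a hypothetical helper and only handles plain string literals without escape sequences, optionally followed by `.slice()` with numeric arguments.

```javascript
// Find `btoa("...")` / `atob("...")` with an optional `.slice(a, b)` suffix
// and compute the resulting string from the source text, without eval.
function resolveEncodedLiterals(source) {
  const pattern =
    /\b(btoa|atob)\(\s*(["'])((?:(?!\2)[^\\\n])*)\2\s*\)(?:\.slice\(\s*(-?\d+)\s*(?:,\s*(-?\d+)\s*)?\))?/g;
  const results = [];
  for (const m of source.matchAll(pattern)) {
    const [expr, fn, , literal, start, end] = m;
    let value;
    try {
      value = fn === "btoa" ? btoa(literal) : atob(literal);
    } catch {
      continue; // not valid input for that function; leave it unresolved
    }
    if (start !== undefined) {
      value = end !== undefined
        ? value.slice(Number(start), Number(end))
        : value.slice(Number(start));
    }
    results.push({ expr, value });
  }
  return results;
}

// The function from Challenge 4, held as text rather than executed.
const challengeSource = `
function createFlag() {
    const base = "FLAG_THE_QUIET_ONES_";
    const ending = btoa("OUTLAST").slice(0,-2);
    return base + ending;
}`;

const resolved = resolveEncodedLiterals(challengeSource);
console.log(resolved);
```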

🎉 Victory: Claiming Your Reward

Once all four flags are captured, you've proven you're a true alchemist—someone who pursues depth and understanding over flashy displays. The modal appears with your reward link

