My Experience Participating in ByteBreach 2025.1

Regine Cyrille

Introduction

I recently participated in the ByteBreach 2025.1 challenge.

This scavenger hunt required a mix of OSINT, DNS analysis, Base64 decoding, HTTP requests, and cryptographic decryption to discover hidden tokens (and the searches also turned up "broken keys"; I had my theory about them already 🧐, do you?)

The challenge statement was both cryptic and intriguing:


    "ByteBreach 2025.1 challenge
    I have my suspicions...
    Hey there. I think I've seen some people in the YieldCat.com team are building some other platform.
    I think they are going to mess up the security, and you should investigate.
    I know I'm sending you on a wild runaround. But so are the hackers, and they will start with some OSINT.
    Just be very patient."

In this blog post, I will walk you through the step-by-step process I followed during the challenge, the tools I used, and the lessons I learned along the way.

[Image: successful participants in the ByteBreach 2025.1 challenge]

Step 1: Subdomain Enumeration

I began mapping out the target domain.

I used the Pentest-Tools OSINT platform to enumerate subdomains for yieldcat.com:

URL used:
https://pentest-tools.com/information-gathering/find-subdomains-of-domain?view_report=true

The scan revealed three subdomains:

  • runaround.yieldcat.com (IP: 216.24.57.1)
  • reporter.yieldcat.com (IP: 216.24.57.1)
  • www.yieldcat.com (IP: 216.24.57.1)

All three resolve to the same address, so they almost certainly sit behind one shared front end; the differences worth chasing are at the HTTP layer (host name, method, headers), not at the network layer.

Step 2: Finding Token 1

I navigated to runaround.yieldcat.com and immediately found a Base64-encoded message embedded in the page.

The encoded string was:


            eyJtZXNzYWdlIjogIkV2ZW4gaWYgaXQncyBub3QgRE5TLCBpdCdzIGFsd2F5cyBETlMiLCAiZGF0YSI6IHsiVG9rZW5fMSI6ICJBbmFfS2hvdXJpIiwgIkJyb2tlbl9LZXlfMSI6ICJTY3JpbSJ9fQ==
        

After decoding it with a Base64 decoder, I received this JSON output:


            {
  "message": "Even if it's not DNS, it's always DNS",
  "data": {
    "Token_1": "Ana_Khouri",
    "Broken_Key_1": "Scrim"
  }
}
        

Thus, Token 1: Ana_Khouri and Broken_Key_1: Scrim were successfully extracted.

Step 3: Finding Token 2 via DNS TXT Records

Next, I used DNS analysis to gather more clues, following the hint that came with Token 1 ("it's always DNS").

I executed the following command on Kali:


            nslookup -type=TXT yieldcat.com
        

I got three TXT records, each of them encoded (hex or Base64) rather than encrypted:


            49207468696e6b20796f75206e65656420746f207472792074686520506f73742061742072756e61726f756e64
        

which is hex and decodes (e.g. with xxd -r -p) to:

"I think you need to try the Post at runaround"


            VG9rZW5fMjogQ2FsdmluX1N5bHZlc3Rl
        

which decodes from Base64 to:

"Token_2: Calvin_Sylveste"

and


            "QnJva2VuX0tleV8yOiBzaGF3"
        

which also decodes from Base64 to:

"Broken_Key_2: shaw"

Thus, Token 2: Calvin_Sylveste and Broken_Key_2: shaw were found.
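The two decoding steps above (the Base64 JSON blob from Step 2 and the hex/Base64 TXT records from Step 3) are the same job: guess the encoding, decode, and pull out the Token_n / Broken_Key_n pairs. The following is an added example written for this post, not code from the challenge or its authors; the sample records are the ones quoted above, and the name patterns (`Token_\d+`, `Broken_Key_\d+`) are assumed from the values seen so far.

```python
"""Decode DNS TXT records / Base64 blobs and harvest Token_n and Broken_Key_n pairs.
Added example for this write-up (not challenge code)."""
import base64
import binascii
import json
import re
from typing import Dict, List, Tuple

HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2})+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
NAME_RE = re.compile(r"(?:Token|Broken_Key)_\d+")
PAIR_RE = re.compile(r"((?:Token|Broken_Key)_\d+)\s*:\s*(\S+)")


def decode_record(value: str) -> Tuple[str, str]:
    """Return (encoding, decoded_text) for one record.

    Hex is tried first because every even-length hex string is also
    syntactically valid Base64; a hex guess that does not decode to UTF-8
    text falls through to the Base64 attempt, and anything else is returned as-is.
    """
    s = value.strip().strip('"')          # nslookup prints TXT values in quotes
    if HEX_RE.fullmatch(s):
        try:
            return "hex", bytes.fromhex(s).decode("utf-8")
        except UnicodeDecodeError:
            pass
    if B64_RE.fullmatch(s) and len(s) % 4 == 0:
        try:
            return "base64", base64.b64decode(s, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            pass
    return "plain", s


def harvest(records: List[str]) -> Dict[str, str]:
    """Decode every record and collect Token_n / Broken_Key_n values,
    whether they arrive as JSON ({"data": {...}}) or as 'Name: value' text."""
    found: Dict[str, str] = {}
    for rec in records:
        _, text = decode_record(rec)
        try:
            doc = json.loads(text)
        except json.JSONDecodeError:
            doc = None
        if isinstance(doc, dict):
            data = doc.get("data", doc)
            for k, v in data.items():
                if NAME_RE.fullmatch(k):
                    found[k] = str(v)
            continue
        for name, val in PAIR_RE.findall(text):
            found[name] = val
    return found


# Sample input: the records quoted in Steps 2 and 3 of this post.
SAMPLE_RECORDS = [
    "eyJtZXNzYWdlIjogIkV2ZW4gaWYgaXQncyBub3QgRE5TLCBpdCdzIGFsd2F5cyBETlMiLCAiZGF0YSI6IHsiVG9rZW5fMSI6ICJBbmFfS2hvdXJpIiwgIkJyb2tlbl9LZXlfMSI6ICJTY3JpbSJ9fQ==",
    "49207468696e6b20796f75206e65656420746f207472792074686520506f73742061742072756e61726f756e64",
    "VG9rZW5fMjogQ2FsdmluX1N5bHZlc3Rl",
    '"QnJva2VuX0tleV8yOiBzaGF3"',
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(decode_record(r))
    print(harvest(SAMPLE_RECORDS))
```

The hex-before-Base64 order is deliberate: "deadbeef" is valid under both alphabets, so a decoder that tries Base64 first will happily return garbage for a hex record.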

Step 4: Finding Token 3 via an HTTP POST

Following the earlier hint ("try the Post at runaround"), I sent an HTTP POST request to runaround.yieldcat.com:


            curl -X POST https://runaround.yieldcat.com
        

The response was a Base64-encoded JSON message.

After decoding, I obtained:


            {
  "message": "I keep the weapons cache in my nostalgiaforinfinity bucket in the us east one, in a text about pattern_jugglers",
  "data": {
    "Token_3": "Nevil_Clavain",
    "Broken_Key_3": "Suit"
  }
}
        

Hence, Token 3: Nevil_Clavain and Broken_Key_3: Suit were retrieved.

Step 5: Finding Token 4 (Old Cryptography)

The message pointed at a public S3 bucket named nostalgiaforinfinity in us-east-1, so I downloaded the file pattern_jugglers.txt from:


            https://nostalgiaforinfinity.s3.amazonaws.com/pattern_jugglers.txt
        

The file content was as follows:


            I've been working hard to find the secrets. 

This is no longer a safe place to share data. 

I don't even want to leave stuff obvious so i put it in AES256 CBC crypt. Do your work for the key, repetition is the mother of all knowledge: https://www.w3.org/History.html [1991/December/4]

ZUbG9utX0sQNDzbwyZLV528SMvBN5MTnKbAlIzcfx0g8UOWdwsMfRulCZDQ3/jTb5CTlFzyZEnW1kfuBVnF+8RV/lRPFKWS+kRF5s7BZQgtimxaN/i/pz0Pm8rPAGQidH2QuwAjBswiIz0pn9D1Pj1atZDyAfzcFqsSu7/wmNqo+4A8Nyid/zJQEF/U0iXogELMwU7l74/Bf0bxgZerCY08stExz5T2LCEGmMdqt2aU==
        

No kidding, this was the hardest for me.

I still couldn't get the key to decrypt the encrypted message after many tries...

Apparently, it was tough for many others as well, so the organisers provided an additional hint.

Combining that hint with what I already knew: the key was a book cipher built from the W3C History page, and the reference "1991/December/4" said where to look.

I interpreted this as "the 4th word in the December 1991 entry", which turned out to be "demonstration".

AES-256 needs a 32-byte key, and the file's own hint ("repetition is the mother of all knowledge") says how to get there: repeat the word "demonstration" until 32 bytes are filled.

  • "demonstration" is 13 bytes.
  • Repeating it twice yields 26 bytes; appending the first 6 characters of a third repetition gives exactly 32 bytes.
  • The final key became: demonstrationdemonstrationdemons

Using this key, I decrypted the ciphertext (the last line of the file) as AES-256-CBC with PKCS#5/PKCS#7 padding via an online AES decryption tool. One caveat for anyone reproducing this: CBC also needs a 16-byte IV, which neither the file nor this post records, so the decryption only works with the same IV the tool used (many online tools default to an all-zero IV); a wrong key or IV usually shows up as a padding error rather than readable garbage.

The decrypted output was:


            We have moved everything to https://run.mocky.io/v3/2de4b1b7-0121-4a78-8871-14ee80ee71f8
But you MUST LOOK AT ALL THE DETAILS!!!
Token_4: Ilia_Volyova
Broken_Key_4: Mor
        

Therefore, Token 4: Ilia_Volyova and Broken_Key_4: Mor were found.
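The key stretching and decryption described in this step, as an added example in code rather than an online tool. This is not the challenge's code and not what the organisers used; it assumes the `cryptography` package, and the IV is left as a parameter because the post does not record which IV the tool applied (the all-zero IV in the demo is an assumption, not a fact from the challenge). The test vector built by `demo()` is constructed here; to try the real file, pass its last line to `aes_cbc_decrypt` with the IV your tool used.

```python
"""Book-cipher key stretching plus AES-256-CBC decryption (added example, not challenge code).
Requires: pip install cryptography"""
import base64

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16
ZERO_IV = bytes(BLOCK)   # assumption: common default of online AES tools; not stated by the challenge


def stretch_key(word: str, length: int = 32) -> bytes:
    """Repeat `word` until `length` bytes are filled, then cut it there
    ("repetition is the mother of all knowledge")."""
    raw = word.encode("utf-8")
    if not raw:
        raise ValueError("key word must not be empty")
    reps = -(-length // len(raw))          # ceiling division
    return (raw * reps)[:length]


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    """Strip PKCS#5/#7 padding. Invalid padding is the usual symptom of a wrong key or IV."""
    if not data or len(data) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding: wrong key or IV?")
    return data[:-n]


def aes_cbc_decrypt(ciphertext_b64: str, key: bytes, iv: bytes) -> str:
    """Decrypt a Base64 AES-CBC ciphertext (the format of pattern_jugglers.txt's last line)."""
    ct = base64.b64decode(ciphertext_b64)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return pkcs7_unpad(dec.update(ct) + dec.finalize()).decode("utf-8")


def aes_cbc_encrypt(plaintext: str, key: bytes, iv: bytes) -> str:
    """Used only to build a constructed test vector; the challenge side is decrypt-only."""
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    ct = enc.update(pkcs7_pad(plaintext.encode("utf-8"))) + enc.finalize()
    return base64.b64encode(ct).decode("ascii")


def demo() -> str:
    """Round-trip a constructed message with the challenge's stretched key and a zero IV."""
    key = stretch_key("demonstration")
    sample = aes_cbc_encrypt("Token_4: example_only", key, ZERO_IV)   # constructed, not the real ciphertext
    return aes_cbc_decrypt(sample, key, ZERO_IV)


if __name__ == "__main__":
    print(stretch_key("demonstration"))
    print(demo())
```

Repeating a dictionary word to fill a key is fine for a puzzle but is not a key derivation function: the effective entropy is that of one word, which is why the challenge could expect solvers to find it from a single page reference.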

Step 6: Attempt to Find Token 5

To locate Token 5, I performed extensive enumeration on the endpoint:


            https://run.mocky.io/v3/2de4b1b7-0121-4a78-8871-14ee80ee71f8
        

I used multiple tools and techniques:

- wget for recursive download:


            wget -r -np -k https://run.mocky.io/v3/2de4b1b7-0121-4a78-8871-14ee80ee71f8
        

(This returned a 404 error.)

- curl to download the page source and grep for keywords:


            curl -s https://run.mocky.io/v3/2de4b1b7-0121-4a78-8871-14ee80ee71f8 -o page.html
grep -iE "token|api_key|secret|admin|password" page.html
        

(No hidden data was found.)

- Nikto to scan the URL:


            nikto -h https://run.mocky.io/v3/2de4b1b7-0121-4a78-8871-14ee80ee71f8
        

(The scan returned header details and a 404 status but no token.)

- Directory fuzzing with ffuf and dirsearch

(These did not reveal any additional content.)

I also considered whether the identifiers (such as the UUID in the URL or the Sozu-Id response header) might decode to hidden data, but they appear to be plain unique identifiers rather than encoded clues.

After trying these various methods, I strongly suspected the page had been removed or that there was a similar issue (there was an issue, it seems 😅).

I also believed that the Broken_Key fragments obtained so far (Scrim, shaw, Suit, Mor) were meant to be combined into the final key needed to unlock Token 6 (yeah, this was the hunch I had at the start 🙃).

Step 7: Finding Token 6 via Docker Image Analysis (Post-Submission)

With the mocky.io endpoint gone, Token 5 and the response headers that came with it were out of reach for me.

A friend gave me a hint: one of that endpoint's response headers pointed to a Docker image hosted on Docker Hub.

The Docker repository is:

    https://hub.docker.com/r/beyondmachines/working_image_1

    docker pull beyondmachines/working_image_1

What remained was to pull the image and analyze it; inside it is a file named final.txt.gpg.
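One way to locate such a file without running the container is to export the image with `docker save` and search every layer tarball listed in its manifest.json. The following is an added example for this post, not challenge or Docker code; the archive it builds is constructed test data that mimics the `docker save` layout (manifest.json plus per-layer tars), not the real beyondmachines/working_image_1 image, and the path app/final.txt.gpg is assumed.

```python
"""Find a file inside a `docker save` archive by walking every layer.
Added example (not challenge code); build_sample_image() produces constructed data."""
import io
import json
import os
import tarfile
import tempfile
from typing import List, Tuple


def _add_bytes(tar: tarfile.TarFile, name: str, blob: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(blob)
    tar.addfile(info, io.BytesIO(blob))


def build_sample_image(path: str) -> None:
    """Write a minimal docker-save-style archive: manifest.json plus two layer tars.
    Layer 1 adds app/final.txt.gpg and app/notes.txt; layer 2 deletes notes.txt
    via an overlay whiteout entry (.wh.<name>), the way a RUN rm shows up in an image."""
    layer1 = io.BytesIO()
    with tarfile.open(fileobj=layer1, mode="w") as t:
        _add_bytes(t, "app/final.txt.gpg",
                   b"-----BEGIN PGP MESSAGE-----\n(constructed placeholder)\n-----END PGP MESSAGE-----\n")
        _add_bytes(t, "app/notes.txt", b"scratch\n")
    layer2 = io.BytesIO()
    with tarfile.open(fileobj=layer2, mode="w") as t:
        _add_bytes(t, "app/.wh.notes.txt", b"")
    manifest = [{"Config": "cfg.json", "RepoTags": ["example/image:latest"],
                 "Layers": ["l1/layer.tar", "l2/layer.tar"]}]
    with tarfile.open(path, mode="w") as img:
        _add_bytes(img, "manifest.json", json.dumps(manifest).encode("utf-8"))
        _add_bytes(img, "l1/layer.tar", layer1.getvalue())
        _add_bytes(img, "l2/layer.tar", layer2.getvalue())


def find_in_image(path: str, wanted: str) -> List[Tuple[str, str, str]]:
    """Return (layer, member_path, status) for every layer that adds or deletes `wanted`.
    Every layer is checked: a file deleted in a later layer is invisible in the
    running container but still sits, intact, in the earlier layer's tarball."""
    hits = []
    with tarfile.open(path) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for entry in manifest:
            for layer_name in entry["Layers"]:
                with tarfile.open(fileobj=img.extractfile(layer_name)) as layer:
                    for m in layer.getmembers():
                        base = os.path.basename(m.name)
                        if m.isfile() and base == wanted:
                            hits.append((layer_name, m.name, "present"))
                        elif base == ".wh." + wanted:
                            hits.append((layer_name, m.name, "deleted (whiteout)"))
    return hits


def demo():
    """Build the constructed image in a temp dir and search it for two names."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "image.tar")
        build_sample_image(path)
        return find_in_image(path, "final.txt.gpg"), find_in_image(path, "notes.txt")


if __name__ == "__main__":
    gpg_hits, notes_hits = demo()
    print(gpg_hits)
    print(notes_hits)
```

Against a real export, run `docker save beyondmachines/working_image_1 -o image.tar` first and point `find_in_image` at that file; the whiteout handling is what makes this more useful than `docker run ... find /`, since it also surfaces files the image author tried to delete in a later layer.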

Decrypting this GPG-encrypted file required a passphrase.

According to the challenge instructions revealed after Token 5, the passphrase is the concatenation of all the Broken_Key fragments obtained so far.

The Broken_Key fragments were:

  • Broken_Key_1: Scrim
  • Broken_Key_2: shaw
  • Broken_Key_3: Suit
  • Broken_Key_4: Mor
  • Additionally, the friend provided Broken_Key_5: wenna

Concatenating these fragments in order gives the final passphrase:
Scrimshawsuitmorwenna

(Note that the fragments as recovered are mixed case, Scrim/shaw/Suit/Mor/wenna, while the passphrase is written here with only the first letter capitalised. GPG passphrases are case-sensitive, so the exact form matters; if one spelling fails, try the other.)

This passphrase decrypts final.txt.gpg, e.g. with GPG on the command line, which prompts for it:

    gpg --decrypt final.txt.gpg

Final Thoughts

This challenge was a fantastic blend of OSINT, DNS analysis, cryptographic decoding, and creative problem-solving.

I successfully uncovered four tokens on my own:

  • Token 1: Ana_Khouri | Broken_Key_1: Scrim
  • Token 2: Calvin_Sylveste | Broken_Key_2: shaw
  • Token 3: Nevil_Clavain | Broken_Key_3: Suit
  • Token 4: Ilia_Volyova | Broken_Key_4: Mor

Overall, the ByteBreach 2025.1 challenge was an enriching experience that pushed me to explore various techniques, from traditional OSINT to cryptographic puzzles (even old cryptography, haha 😅).

I learned the importance of persistence, thorough documentation, and creative thinking in cybersecurity challenges.

Thank you for reading, and I hope my experience inspires others to dive deep into the world of digital forensics and challenge-solving!

PS: Bozidar Spirovski, the creator of the challenge, shares his insights on how they built the challenge in his podcast: Cybersecurity podcast - State of (In) Security, here:


Are you interested in participating in CTFs?

Join a team and take part in TryHackMe's newly launched Hackfinity Battle, or the amazing picoCTF.
