Tool - Base64 Finder
Prefix-based Base64 search and decode tool.
Overview
Hey everyone ! Here’s another small script I wrote to help with CTF challenges. This one searches for any valid base64-encoded string that matches a given prefix. It’s particularly useful for CTF players who need to quickly locate flags—assuming they are encoded in base64.
The script can take a regular text prefix, encode it in base64, and then search for occurrences of that encoded string. Alternatively, you can provide a base64 prefix directly. Once matches are found, the script attempts to decode them and returns the decoded values.
I also included a special feature for CTFs : it can filter the results and only return decoded values that follow a flag format (e.g., event{...}).
It’s still a work in progress—there are a few bugs to fix, and I have plans to add more options in the future. Let me know if you have suggestions or feedback !
You can find the source code on my Github.
Usage
To run the script, use the following command :
1
b64find.py [FILE] [PREFIX]
[FILE]is the file you want to parse. It should contain one entry per line, like this:1 2 3 4 5
http://axjpc2n0zntpx2ftx2fux2lkaw90x3dpdg/ %aXJpc2N0ZntpX2FtX2FuX2lkaW90X3dpdGhfYmFk% % aXJpc2N0ZntpX2FtX2FuX2lkaW90X3dpdGhfYmF% """aXJpc2N0ZntpX2FtX2FuX2lkaW90X3dpdGhfYmF""" ...
[PREFIX]is the base64 prefix you are searching for. By default, the script assumes this is a regular text string, encodes it in base64, and then searches for matches. However, you can disable this behavior using options if you want to provide a base64 prefix directly.
By default, the script outputs all matching base64 values without decoding them.
Options
Summary
| Option name | Usage | Description |
|---|---|---|
| No encode | --no_encode | Disables automatic encoding of the prefix before searching. |
| Decode | --decode | Decodes found base64 values into readable text. |
| CTF | --ctf | Filters results to only return flags ending with }. |
| Render format | --r [RENDER] | Specifies the output format. |
| Extract output | --e [OUTFILE] | Saves the results to the specified file. |
| Index | --index | Adds an index when exporting results in CSV or JSON format. |
| No space | --no_space | Removes leading and trailing spaces in the output. |
| Quiet | --quiet | Suppresses the banner when running the script. |
No Encode
1
b64find.py [FILE] [PREFIX] --no_encode
- Utility : Disables automatic encoding of the prefix. Useful if you are directly providing a base64-encoded prefix.
- Default : By default, the script encodes the prefix in base64 before searching. This option prevents that behavior.
Decode
1
b64find.py [FILE] [PREFIX] --decode
- Utility : Decodes all base64 matches before displaying them, returning readable text instead of encoded values.
- Default : Disabled by default—results are shown as found in base64 format unless this option is enabled.
CTF
1
b64find.py [FILE] [PREFIX] --ctf
- Utility : Filters results to return only values ending with
}, which is a common flag format in CTF challenges. - Default : Disabled by default.
Limitations: This option is not foolproof—any extra character after the flag will cause it to be ignored. It should be used as a helper, not as a guaranteed flag-finding method.
Render
1
b64find.py [FILE] [PREFIX] -r or --render [RENDER]
- Utility : Changes the output format.
- Choices :
[RENDER]can betxt,csv,jsonortab. - Default : The default output format is
csv.
Save output
1
b64find.py [FILE] [PREFIX] -e or --extract [OUTFILE]
- Utility : Saves the results to the specified
[OUTFILE]. The output format follows the one defined by the render option. - Default : If no output file is specified, results are printed to the standard output.
Other options
No space
1
b64find.py [FILE] [PREFIX] --no_space
- Utility : Removes leading and trailing spaces from the output. Useful when redirecting results to a file or script.
- Default : By default, spaces are added for better readability in the standard output.
Add index
1
b64find.py [FILE] [PREFIX] --index
- Utility : Adds an index column when exporting results in CSV or JSON format.
- Default : The index is not included by default.
Quiet
1
b64find.py [FILE] [PREFIX] --quiet
- Utility : Suppresses the script’s banner when running.
- Default : The banner is displayed by default.
Example
To better understand how the script works, let’s go through a concrete example. We’ll start by running it without any options to observe the default output.
1
2
3
4
5
6
7
8
b64fing.py test.csv iris
# === OUTPUT ===
aXJpc2N0KKKK
aXJpc2N0ZnKKKKKKKKKKKKKK
aXJpc2N0ZntpX2FtX2FuX2lk
aXJpc2N0ZntpX2FtX2FuX2lkaW90X3dpdGhfYmFk
...
If we already have a base64-encoded prefix and don’t want it to be encoded again, we can use the --no_encode option:
1
b64fing.py test.csv aXJpc2N --no_encode
This will return the same type of output as the previous command, but without encoding aXJpc2N before searching.
If we want to automatically decode the base64 matches, we can use the --decode option:
1
b64fing.py test.csv iris --decode
We can also save the decoded results in a JSON file using the --render (-r) and --extract (-e) options:
1
b64fing.py test.csv iris --decode -r json -e results.json
This command will:
- Search for base64 matches starting with iris.
- Decode the results.
- Save them in JSON format to results.json.
Future Improvements
- Enhance the methodology for identifying valid CTF flags.
- Allow default behavior to be configured in a separate configuration file.
- Improve error handling to make the script more robust.
Conclusion
While simple, this script is, in my opinion, very useful. It allows you to quickly extract all valid base64-encoded values based on a prefix, and also provides the ability to decode those values instantly.
This tool is part of a larger toolkit I’m developing, primarily aimed at CTF practitioners. However, I hope it will be beneficial to a broader audience. I hope this guide was clear and that you find the script helpful! See you in the next one!
emree1