¶ ¶ The natas11 problem contains a OTP (one-time-pad) vulnerability called a "many-time-pad". Likewise, the attach is called a "many-time-pad" attack. Below is some code that led to the solution and progression to the next level. We know our data structure is a jsob blob stored in a cookie value as cipher text because the lab has the PHP source that runs on the server-side with some data censored. And since we have access to the cookies in our browser, we can start there: In [7]: cookie_data = 'ClVLIh4ASCsCBE8lAxMacFMZV2hdVVotEhhUJQNVAmhSEV4sFxFeaAw==' This is totally base64 encoding. So we can import our base64 package: In [5]: import base64 Now lets see what happens if we try to base64 decode our cookie_data In [9]: base64 . decodestring ( cookie_data ) Out[9]: '\nUK"\x1e\x00H+\x02\x04O%\x03\x13\x1ap...