teax It is ambiguous on purpose - this is a hint to solving the challenge. The previous comment block explains that the challenge is about applying the SHA256 hash function so there are other clues for solving this challenge. I also provide Python scripts for examining the jpeg and extracting bytes from the jpeg. So there is a lot of assistance given to solvers.
SquidBoy can you send me a DM on Twitter @kcbowhunter? I can't post more here without giving away the solution. Those 3 fake keys are hints... you are close but still missing one important piece of the puzzle.
The hints are designed to be a little ambiguous, not necessarily misleading. Actually the first SHA256 with the string is just to show that using SHA256 of something makes a nice key for AES 256 CBC... that was the original purpose, I actually didn't intend for that to be misleading. But others have made the same comment as you so now I understand why some feel it was misleading. But since you solved the challenge without any assistance (at least from me) I hope you see my original intent was consistent with 'the shah of Gimli is the key', which is the main hint and also essentially the name of the challenge.
It was a very good challenge.
I always tend to take the wrong direction. For me the clues take on their meaning when I have solved the challenge. With more experience, I will understand more easily. I hope to see more of your challenges :-)
Thanks... the hints were not meant to be misleading, only ambiguous. If English is not your first language I can see where this might take you extra time. But certainly the main clue can be interpreted in multiple ways and that was intentional on my part. KeyMaker / VargasIsland / Scope are more well defined I would say. Thanks for taking time to solve my challenge and give your feedback.