502 words
3 minutes
🔐 PicoGym - credstuff
2025-11-25
Cryptography 🔐
PicoGym
/
ROT13

📂 Download challenge file.

Description: We found a leak of a blackmarket website’s login credentials. Can you find the password of the user cultiris and successfully decrypt it? The first user in usernames.txt corresponds to the first password in passwords.txt. The second user corresponds to the second password, and so on.
Difficulty: Medium
Author: Will Hong / LT ‘syreal’ Jones

Summary#

This challenge provides a leaked archive containing two files: a list of usernames and a list of passwords. Each username corresponds directly to the password on the same line number. The goal is to locate the user cultiris, find their associated password, and then decrypt it to obtain the flag.

Analysis#

We are given a tar archive named leak.tar:

Terminal window
$ file leak.tar
leak.tar: POSIX tar archive (GNU)

A quick reminder: tar (Tape ARchive) is a Linux utility used for packaging multiple files into a single archive. It’s commonly used for backups, data transfer, and compressing directory structures. Extracting it will reveal the files inside.

Let’s untar it

Let’s extract the archive:

Terminal window
$ tar -xvf leak.tar
leak/
leak/passwords.txt
leak/usernames.txt

Step 1, View the leaked usernames#

Terminal window
$ cat usernames.txt
engineerrissoles
icebunt
fruitfultry
celebritypentathlon
galoshesopinion
favorboeing
bindingcouch
entersalad
ruthlessconfidence
coupleelevator
remotesword
researchfall
alertborn
excitedcool
actressbogus
volcanicram
glassesspring
fixoutrigger
boozerfirework
therapistvigorous
withoutbelgian
treedon’t
healobligation
volunteerprofessor
tweedboilersuit
underwingpale
whirlmolar
crawlrake
sandpiperband
turbulentbrisk
strippedimminent
croakmuffler
netherrackdelay
harrascroak
leeryspiffy
mineshaftlevel
paragraphswarm
horizongrimacing
aheadmeek
grimacingstain
analysttooth
majoritygillette
droopyoatmeal
councilmonster
fencegreek
treaclerebel
kentishpartial
habitualregardless
overallglistening
cootnoise
victimscalloped
patienceyawl
depictnine
widoweveryone
survivalunlikely
clovestair
lardfacecrash
mewguitar
dellminer
croquetdroopy
drabparcel
platformcancel
sutehummus
fearlessherring
shypresident
deliverunsightly
swooshdelicious
resistancedistorted
...

Step 2, Count the usernames#

There are many usernames, so let’s count them:

Terminal window
$ wc -l usernames.txt
505 usernames.txt

Step 3, View the leaked passwords#

And I think it will be the same on the password.txt since line N of usernames.txt corresponds to line N of passwords.txt.

Terminal window
$ cat passwords.txt
CMPTmLrgfYCexGzJu6TbdGwZa
GK73YKE2XD2TEnvJeHRBdfpt2
UukmEk5NCPGUSfs5tGWPK26gG
kaL36YJtvZMdbTdLuQRx84t85
K9gzHFpwF2azPayAUSrcL8fJ9
rYrtRbkHvJzPmDwzD6gSDbAE3
kfcVXjcFkvNQQPpATErx6eVDd
kDrPVvMakUsNd7BvmJtK3ACY4
dvDvWjzXNk8WwqEzJ5P2FP5YH
86L5w4sH9ZXTCPAa5ExMSPFNh
qXFEg8ZasLxQhUYWnhTemgqxh
gd7panTqNpUvBXBxpGpcqP9X7
Y3KcHyg7kSf6RgX5THyjrw3g1
WkHQ78HaKgkcf8bHat9GbTJmj
LhY5mfRsaKjaueVhdeHqUrMKp
fcdy7jz9VmfPQcuHRnULJvwUf
fVsT4tJ5ahRUbBp4YEdVAvLtF
cLr6pyDpuvQyAda35CdcCsSgk
mkY39jWhLQAABWNg7GQQCqhr9
JPTeqgHpbTYra2jXn7KLvNXt1
BskbdvkHv8Dv9NAgRHJ3uwDG0
hD795qgYzpbhXGSYadJRJpRGB
WLVn9cV4NL7kZ2WCagP8jV2Gc
XccQXznLtdWbs6ga24tMEXNfe
kw6zFzfZvEGk6fxrMNQYUXeXh
XgqXaMhG65X4aP6GqadBAYKfs
fHfNeGsefznBCnpPvKxVk6au1
nb6ErH5LkVNyAD4mggFtdyVqn
J4jyAn9apZSERG52NHsAZPkTJ
MxFFeMG8GYpqTuFjBgeEZYyMx
HrrWkXXrTmmnyTWbSkMp9Ex5R
TW9wgrcfu6Ts5g7B52h35rLv9
96HpneHwr2NkwQTGapdGJ2zHH
Kbm4VSy5AwC5GJqdB7LyBQjmB
nUVsKGwX3aQfQbaVCFJhEEevs
wtcfmPjPWFtKr2dsJ3xHJTsEf
fNadeE2VUsZhvrp9jtSwAHLEV
Bu2RE6MNb6m3fEAB7ybzKYubN
FWT6WftJ4DjZaQkTF8g7cfPHJ
eLb8JZbmgVkkg8Um3M3cgBSJm
rXYhx9zD7sDEwrvJDq24hBw6D
Q4zpdfMkAccQUFhGtWxtysKFk
cBZJ76hxZFrSfUdubQXvRbnKx
t8jgSfmGcSdk6xcP5mq5NAXBG
NSAx3BZ4spPGgsSddB6tcq974
ZrqGJCkPKMTgNJsnjM7ZsDewP
JzrVE3xzLHJwbug7YU4cAdRLz
xMUtE5ZXeddJmmQVp5te8eMwX
93tVFsU4FnhATXdk4TFgscyE4
wKhzpAM9bTYDLUpnvWwD3kJG9
mRuTNPuN3xNvyPb4XQqqXcteN
WSxghvfrLaUyJuuds9VPPC9Tr
MNmUBhP89UyF5Y35mG6vWbF98
QKMa8FVXBapTfdGukHHjbyBGX
UZhEA4bBB4Ygeqc22G69eSH5B
qLdf6j7XCbq5VVSkwjKdfj8gX
HhFzWEGRNeHPLwaGxFDedkznR
UnYbztbH2HxJHugn8cXCvsJ9H
9AaAGz4Q5seQBQquBJFgVUBWQ
z2NWxfQedMaaCp4ud4QePyyFe
....

Step 4, Count the passwords#

As expected, the passwords file contains the same number of entries; I was right xD.

Terminal window
$ wc -l passwords.txt
505 passwords.txt

Solution#

Now let’s see if the username cultiris exist on usernames.txt using grep :

Terminal window
$ cat usernames.txt | grep "cultiris"
cultiris

Nice we have it here!

Now let’s locate the target username cultiris:

Terminal window
$ grep -n "cultiris" usernames.txt
378:cultiris

Perfect, cultiris is on line 378.

I can search manually or by using this:

Terminal window
$ sed -n '378p' passwords.txt
cvpbPGS{P7e1S_54I35_71Z3}

This looks like a flag, but it’s clearly not decrypted yet. The structure strongly resembles ROT13.

To confirm, we check DCODE’s Cipher Identifier:

alt text

It detects ROT13, just as suspected.

We can use this ROT13 Decoder and this gives us the flag :

alt text

⚡ Raikiri

🎉 Flag pwned!

Flag : picoCTF{C7r1F_54V35_71M3}

💡 TL;DR / Lesson Learned

Extract the tar archive → two files: usernames & passwords.
Line numbers correspond exactly between both files.
Locate cultiris → line 378.
Retrieve password from passwords.txt line 378.
Decrypt the ROT13-encoded string → flag appears

🔐 PicoGym - substitution2
🔐 PicoGym - morse-code
© 2026 Keshav Locknauth · 0xkakashi