0xkakashi

🐛 Bug Hunting Methodology

Wed, 13 May 2026 00:00:00 GMT

First post in the Bug Hunting section. This is my repeatable methodology, refined over time. I'll edit and expand as I learn.

1. Target intake

Before any tool runs:

Confirm you have explicit permission to test the target (self-owned, authorized engagement, or a public VDP). No permission, no testing.
Understand what the target actually does. A bug that's noise in one threat model can be P1 in another.
Map out what's in scope and what's off-limits. Stay inside that boundary the entire time.

2. Recon

Subdomain enumeration: amass, subfinder, crt.sh for cert transparency
Tech fingerprinting: wappalyzer, whatweb, httpx for response headers
Content discovery: feroxbuster / ffuf with curated wordlists by tech stack
JS analysis: pull all JS, search for endpoints, secrets, internal API paths

I lean heavily on my own RECOG.py pipeline to chain these.

3. Bug classes I prioritize (web)

In rough order of impact on most targets:

IDOR / broken access control: still the highest-impact class on most web apps
Auth bypass / session handling: race conditions, token reuse, OAuth misconfig
SSRF: especially via image fetchers, webhooks, URL parameter parsing
Server-side template injection: when frameworks expose user-rendered templates
Business logic: race conditions, state machine abuse, price/quantity manipulation
Stored XSS in admin / privileged surfaces: high impact, often overlooked

XSS in user-facing surfaces is fine but lower impact, so go for higher-leverage classes first.

4. Triage and write-up

Before reporting:

Reproduce on a clean account / browser (no extensions, no logged-in cookies)
Capture minimal repro steps in 3 to 5 lines
Describe impact in business terms, not just "I can call X endpoint"
Provide remediation guidance. Make it easy for the team to fix it.

5. Ethics

Never test outside what you're authorized to test. Period.
No data exfiltration beyond proof of impact. One record beats a full dump.
Disclose responsibly. Coordinate with the team, don't publish until they've had time to fix and are okay with it.

This is a living document. I'll update it as my methodology evolves.

🌐 Security Platforms I Use

Wed, 13 May 2026 00:00:00 GMT

The full grid with logos and direct links lives at /platforms. This post is the narrative version: what each platform is for, when to use it, and what I've personally got out of them.

Labs (interactive environments)

These are the boot-to-root and hands-on-curriculum platforms. Real machines or guided environments to exploit.

TryHackMe is where I started. Best on-ramp for someone new to offensive security. Guided rooms, learning paths, beginner-friendly. Once you finish the SOC Analyst or PenTester path you're ready for the harder stuff.
HackTheBox is the next step. No hand-holding, real machines, active community. Use the main platform for boxes, HTB Academy for structured paths (paid, so I lean on the free tier).
HackMyVM is like Vulnhub but with online flag submission and a leaderboard. Good if you want to root machines but don't want to download VMs.
Hackviser is a newer entry, focused on practical pentesting upskilling with certifications (CAPT, CWSE, CSOA). Free tier is generous.
PortSwigger Web Security Academy is the gold standard for web. 100% free, deep, well-maintained. If you're doing any web work, you have to do these labs.
Hacker101 by HackerOne. Free CTF labs covering common web bug classes. No bounty involvement needed to use it.

CTF Practice (challenge-based)

Standing challenges across categories. Solve at your own pace.

CyLab Security Academy (formerly picoCTF / PicoGym) is the easiest on-ramp. Carnegie Mellon CyLab's beginner-friendly platform. Annual competition + an always-on challenge gym.
CryptoHack is the best crypto-specific platform out there. I've done 33 challenges and counting. Math-heavy in the upper tiers, which is the fun part.
Root-Me is huge. 300+ challenges across web, crypto, network, forensics, RE. Older but still active.
CTFlearn is simpler challenges, good for filling skill gaps.
pwn.college is binary exploitation taught dojo-style. The belt progression makes it feel like a real curriculum.
RingZer0 CTF has a huge catalog (300+) across multiple categories. Long-running and underrated.
Pwnable.tw is for serious binary exploitation. Authored by top DEFCON CTF players. Don't start here.
Webhacking.kr is a veteran Korean platform focused on web exploitation. Classic SQLi / XSS / auth bypass focus.
FlagYard is a relatively new platform with realistic-feeling challenges.
247CTF is always-on with a modern UI and a balanced category mix.
ImaginaryCTF runs monthly events plus a permanent catalog.
MetaCTF is team-style practice with an emphasis on realistic scenarios.
CTFGuide is more of a learning platform but with challenge progression.
Crackmes.one is the spot for reverse engineering challenges specifically.
PyDefis is French Python-focused challenges with crypto and security flavor.
Hack.arrrg.de is a smaller German CTF platform.

Blue Team / SOC

Defensive-focused training. SIEM, IR, threat hunting, malware analysis.

LetsDefend is where I've earned the most badges. SOC Analyst learning path, hands-on alert triage, real-feeling tickets. Highly recommend for anyone going into SOC work.
CyberDefenders runs blue team CTFs and labs on real incident data (memory dumps, packet captures, log archives).
Blue Team Labs Online is similar to CyberDefenders, with more focus on threat hunting scenarios.

CTF Tracker

CTFtime isn't a challenge platform. It's where every live CTF event gets listed, and where individual and team rankings live across the whole CTF universe. If you compete, you should have a profile here.

Where to start

If you're new and reading this, my unfair-but-useful advice:

Do all of TryHackMe's SOC Analyst (or PenTester) path
Pick a specialty and dig in: HackTheBox for offensive, LetsDefend for blue team
Compete in one CTFtime-listed event with a team
Pick a vertical you actually enjoy (web / pwn / crypto / RE) and go deep on the platform that specializes in it

Don't try to do everything on every platform. Breadth here is a trap.

🔐 PicoGym - C3

Wed, 31 Dec 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/C3/convert.py" download>📂 Download encoder.</a>
<a href="/files/PicoGym/Cryptography/C3/ciphertext" download>📂 Download ciphertext.</a>

Description: This is the Custom Cyclical Cipher! Enclose the flag in our wrapper for submission. If the flag was "example" you would submit "picoCTF{example}".
Difficulty: Medium
Author: Matt Superdock

Summary

This challenge involves C3 (Custom Cyclical Cipher), a custom encryption algorithm that uses differential encoding with lookup tables. We're given the encoder program and ciphertext, but need to reverse-engineer the decryption process. By understanding how the cipher works, we can write a simple reversal script to recover the original flag.

Analysis

Challenge Files

We have two components:

convert.py - The encoder/encryption program that shows us the algorithm
ciphertext - The encrypted message we need to decrypt

How the Encryption Works

Here's the complete encoder program:

import sys
chars = ""
from fileinput import input
for line in input():
  chars += line

lookup1 = "\n \"#()*+/1:=[]abcdefghijklmnopqrstuvwxyz"
lookup2 = "ABCDEFGHIJKLMNOPQRSTabcdefghijklmnopqrst"

out = ""

prev = 0
for char in chars:
  cur = lookup1.index(char)
  out += lookup2[(cur - prev) % 40]
  prev = cur

sys.stdout.write(out)

Breaking down the algorithm:

Reading Input:
```
from fileinput import input
for line in input():
  chars += line
```
- fileinput.input() reads from files passed as command-line arguments (or stdin)
- This loops through each line in the input file
- All lines are concatenated into the chars variable
- So if the plaintext file has multiple lines, they're all combined into one string
The Lookup Tables:
- lookup1 = \n "#()*+/1:=[]abcdefghijklmnopqrstuvwxyz (41 characters - valid plaintext alphabet)
- lookup2 = ABCDEFGHIJKLMNOPQRSTabcdefghijklmnopqrst (40 characters - valid ciphertext alphabet)
Differential Encoding Process:
- For each character in the input plaintext:
  - Find its position in lookup1 (call this cur)
  - Calculate the difference from the previous position: (cur - prev) % 40
  - Use this difference as an index into lookup2 to get the encrypted character
  - Save the current position as prev for the next iteration
The "Cyclical" Part:
- The modulo 40 operation wraps differences around, creating a cyclic pattern
- This is why it's called the "Custom Cyclical Cipher"

Example Walkthrough

Let's say we're encrypting "ab":

First character 'a':
- Index in lookup1: 33
- prev = 0
- difference = (33 - 0) % 40 = 33
- lookup2[33] = 'h'
- Output: 'h', prev = 33
Second character 'b':
- Index in lookup1: 34
- prev = 33
- difference = (34 - 33) % 40 = 1
- lookup2[1] = 'B'
- Output: 'B', prev = 34
Final ciphertext: "hB"

The Encrypted Message

DLSeGAGDgBNJDQJDCFSFnRBIDjgHoDFCFtHDgJpiHtGDmMAQFnRBJKkBAsTMrsPSDDnEFCFtIbEDtDCIbFCFtHTJDKerFldbFObFCFtLBFkBAAAPFnRBJGEkerFlcPgKkImHnIlATJDKbTbFOkdNnsgbnJRMFnRBNAFkBAAAbrcbTKAkOgFpOgFpOpkBAAAAAAAiClFGIPFnRBaKliCgClFGtIBAAAAAAAOgGEkImHnIl

This is what we need to decrypt.

Solution

Reversing the Encryption

Since encryption uses only addition and modulo, it's easily reversible:

Encryption: difference = (cur - prev) % 40 â†’ lookup2[difference]

Decryption: We reverse this:

Find the encrypted character in lookup2 to get the difference
Add the difference to prev: cur = (difference + prev) % 40
Look up the character in lookup1
Update prev for the next character

Decryption Script

lookup1 = "\n \"#()*+/1:=[]abcdefghijklmnopqrstuvwxyz"
lookup2 = "ABCDEFGHIJKLMNOPQRSTabcdefghijklmnopqrst"

ciphertext = "DLSeGAGDgBNJDQJDCFSFnRBIDjgHoDFCFtHDgJpiHtGDmMAQFnRBJKkBAsTMrsPSDDnEFCFtIbEDtDCIbFCFtHTJDKerFldbFObFCFtLBFkBAAAPFnRBJGEkerFlcPgKkImHnIlATJDKbTbFOkdNnsgbnJRMFnRBNAFkBAAAbrcbTKAkOgFpOgFpOpkBAAAAAAAiClFGIPFnRBaKliCgClFGtIBAAAAAAAOgGEkImHnIl"

plaintext = ""
prev = 0

for char in ciphertext:
    # Step 1: Find the difference from lookup2
    diff = lookup2.index(char)
    
    # Step 2: Calculate the original index
    cur = (diff + prev) % 40
    
    # Step 3: Get the plaintext character
    plaintext += lookup1[cur]
    
    # Step 4: Update prev for next iteration
    prev = cur

print(plaintext)

Running the Script

$ python decrypt.py ciphertext
#asciiorder
#fortychars
#selfinput
#pythontwo

chars = ""
from fileinput import input
for line in input():
    chars += line

for i in range(len(chars)):
    if i == b * b * b:
        print chars[i] #prints
        b += 1 / 1

Understanding the Decrypted Output

The decrypted text is actually a Python script! Looking at it carefully:

Comments: #asciiorder, #fortychars, #selfinput, #pythontwo
A loop that prints characters at specific positions: where i == b * b * b

This means it prints at positions: 1Â³=1, 2Â³=8, 3Â³=27, 4Â³=64, 5Â³=125, 6Â³=216... (perfect cubes!)

Fixing the Script

The decrypted script had some issues (using / instead of proper integer, old Python 2 syntax):

#asciiorder
#fortychars
#selfinput
#pythontwo

chars = ""
from fileinput import input
for line in input():
    chars += line

b = 1

for i in range(len(chars)):
    if i == b * b * b:
        print(chars[i], end='')  # Fixed: Python 3 syntax
        b += 1

Changes made:

Changed b = 1 / 1 to b = 1 (proper integer)
Changed print chars[i] to print(chars[i], end='') (Python 3 syntax)
Changed b += 1 / 1 to b += 1 (proper increment)

Extracting the Flag

Running the fixed script extracts characters at cube positions:

Position 1 (1Â³): 'a'
Position 8 (2Â³): 'd'
Position 27 (3Â³): 'l'
Position 64 (4Â³): 'i'
Position 125 (5Â³): 'b'
Position 216 (6Â³): 's'

The hidden flag: adlibs

$ cat decrypted.txt | python solve.py
adlibs

:::note[âš¡ Raikiri] 🎉 Flag pwned! :::

Final answer: picoCTF{adlibs}

:::note[💡 TL;DR / Lesson Learned] âœ… Differential Encoding - Encrypting based on differences between consecutive positions
âœ… Lookup Tables - Using predefined character mappings for substitution
âœ… Modular Arithmetic - The % 40 creates the cyclic behavior
âœ… Stateful Cipher - The cipher maintains state (prev) affecting each character
âœ… Reversible Operations - Addition and modulo are easily reversed for decryption
âœ… Layered Puzzles - The plaintext itself contains another puzzle (cube position extraction) :::

🔐 PicoGym - New Caesar

Tue, 16 Dec 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/New Caesar/new_caesar.py" download>📂 Download challenge file.</a>

Description: We found a brand new type of encryption, can you break the secret code (Wrap with picoCTF{}) fegdeogdgecoeocgcgchcfcffccfca
Difficulty: Medium
Author: madStacks

Summary

This challenge involves breaking a "New Caesar" cipher that combines two encryption techniques:

Base-16 encoding: The flag is converted to binary and encoded using only 16 alphabet characters
Shift cipher: Each encoded character is shifted by a secret key (which is only 1 character long)

Since the key is single character, we can brute-force all 16 possible keys to find the original flag.

Analysis

We are provided with a Python file called new_caesar.py:

$ file new_caesar.py 
new_caesar.py: Python script, ASCII text executable

Here's the complete code:

import string

LOWERCASE_OFFSET = ord("a")
ALPHABET = string.ascii_lowercase[:16]

def b16_encode(plain):
	enc = ""
	for c in plain:
		binary = "{0:08b}".format(ord(c))
		enc += ALPHABET[int(binary[:4], 2)]
		enc += ALPHABET[int(binary[4:], 2)]
	return enc

def shift(c, k):
	t1 = ord(c) - LOWERCASE_OFFSET
	t2 = ord(k) - LOWERCASE_OFFSET
	return ALPHABET[(t1 + t2) % len(ALPHABET)]

flag = "redacted"
key = "redacted"
assert all([k in ALPHABET for k in key])
assert len(key) == 1

b16 = b16_encode(flag)
enc = ""
for i, c in enumerate(b16):
	enc += shift(c, key[i % len(key)])
print(enc)

Understanding the Encryption

Step 1: Setting up the variables

LOWERCASE_OFFSET = ord("a") â†’ This is 97, used to convert letters to numbers
ALPHABET = string.ascii_lowercase[:16] â†’ This creates a reduced alphabet: a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p (only 16 characters)

Step 2: The b16_encode function

This function converts plaintext to a special base-16 format. Here's what it does step-by-step:

Takes each character from the flag
Converts it to 8 binary digits (its ASCII value in binary)
Splits those 8 digits into two groups of 4 digits each
Treats each group as a number (0-15)
Maps each number to a letter (a=0, b=1, c=2... p=15)
Combines these two letters to encode one character

Example: Encoding the letter 'a'

ASCII value: 97
Binary form: 01100001
First 4 bits: 0110 = 6 in decimal â†’ maps to letter g
Last 4 bits: 0001 = 1 in decimal â†’ maps to letter b
Final encoded result: gb (represents the original 'a')

Step 3: The shift function

This function applies a simple shift cipher (like the traditional Caesar cipher):

Takes an encoded character and a key character
Converts each to a number (a=0, b=1, c=2... p=15)
Adds the two numbers together
Uses modulo 16 to wrap around if needed (so it stays in the a-p range)
Converts the result back to a letter

Example: Shifting 'g' with key 'c'

'g' = 6, 'c' = 2
6 + 2 = 8
8 maps to letter 'i'
Result: 'i'

Step 4: Encryption process The algorithm:

Encodes the flag using b16_encode
For each character in the encoded message, shifts it by the key
Since len(key) == 1, the same single key character is used for all positions

Key Weakness

The assertion assert len(key) == 1 tells us the key is only 1 character long. This means there are only 16 possible keys (a through p). We can brute-force all of them!

Solution

Since we know:

The encrypted message: fegdeogdgecoeocgcgchcfcffccfca
The key is single character from alphabet {a-p}
We need to reverse the process

We'll:

Try all 16 possible keys
For each key, decrypt the message
Decode the base-16 result back to plaintext
Find which result looks like a readable flag

Creating the Decryption Script

My solution:

import string

LOWERCASE_OFFSET = ord("a")
ALPHABET = string.ascii_lowercase[:16]

def b16_decode(enc):
    """Converts base-16 encoded text back to plaintext"""
    dec = ""
    for i in range(0, len(enc), 2):
        # Get two characters from the encoded message
        c1 = ALPHABET.index(enc[i])
        c2 = ALPHABET.index(enc[i + 1])
        
        # Combine the two 4-bit values back into 8 bits
        byte_value = (c1 << 4) + c2
        
        # Convert back to ASCII character
        dec += chr(byte_value)
    return dec

def unshift(c, k):
    """Reverses the shift operation"""
    t1 = ord(c) - LOWERCASE_OFFSET
    t2 = ord(k) - LOWERCASE_OFFSET
    # Subtract instead of add, and use modulo to handle negative numbers
    return ALPHABET[(t1 - t2) % len(ALPHABET)]

def decrypt(ciphertext, key):
    dec = ""
    for i, c in enumerate(ciphertext):
        # Reverse the shift
        dec += unshift(c, key[i % len(key)])
    return b16_decode(dec)

# The encrypted message from the challenge
encrypted = "fegdeogdgecoeocgcgchcfcffccfca"

# Try all 16 possible keys (a through p)
for key_char in ALPHABET:
    try:
        result = decrypt(encrypted, key_char)
        print(f"Key: {key_char} â†’  picoCTF{{{result}}}")
    except:
        print(f"Key: {key_char} â†’ Invalid result")

Output

Most will produce unreadable gibberish, but one will show readable text that makes sense :

$ python solve.py
Key: a â†’ picoCTF{TcNcd.N&&'%%R% }
Key: b â†’ picoCTF{CR=RS=A}
Key: c â†’ picoCTF{2A,AB,0}
Key: d â†’ picoCTF{!01Ã»Ã³Ã´Ã²Ã²/Ã²Ã½}
Key: e â†’ picoCTF{/Ãª Ã¢Ã¢Ã£Ã¡Ã¡Ã¡Ã¬}
Key: f â†’ picoCTF{Ã¹Ã™Ã¹Ã‘Ã‘Ã’ÃÃ ÃˆÃ¨Ã€Ã€ÃÃÃÃ¼ÃÃŠ}
Key: g â†’ picoCTF{Ã¾Ã½ÃÃ½Ã¾Â¿ÃÃ§Ã§Â¿Â¾Â¾ÃªÂ¾Â¹}
Key: h â†’ picoCTF{ÃÃ¼Ã, Ã¼Ã½Â·Ã, Â¿Â¿Â°Â¾Â¾Ã«Â¾Â¹}
Key: i â†’ picoCTF{ÃœÃ«Ã†Ã«Ã¬Â¦Ã†Â®Â®Â¯ÂÂÃšÂÂ¨}
Key: j â†’ picoCTF{Ã‹ÃšÂµÃšÃ›ÂµÃ‰}
Key: k â†’ picoCTF{ÂºÃ‰Â¤Ã‰ÃŠÂ¤Â¸}
Key: l â†’ picoCTF{Â©Â¸Â¸Â¹s{{|zzÂ§zu}
Key: m â†’ picoCTF{Â§Â§Â¨bjjkiiid}
Key: n â†’ picoCTF{qQqYYZXXXS}
Key: o â†’ picoCTF{v`@`HHIGGtGB}
Key: p â†’ picoCTF{et_tu_77866c61}

Finding the Correct Flag

Looking at all 16 results, only one contains readable words and valid characters:

~~picoCTF{et_tu_77866c61}~~

:::note[âš¡ Raikiri] 🎉 Flag pwned! :::

:::note[💡 TL;DR / Lesson Learned] âœ… Base-16 encoding converts data using only 16 symbols (0-15, represented as a-p)
âœ… Single-character keys are extremely weak - only 16 possibilities to brute-force
âœ… Combining two weak ciphers doesn't create strong encryption - both layers must be broken
âœ… Always read the code for clues - the assert statements revealed the key length was just 1
âœ… Brute-force is valid when key space is small - with 16 possibilities, trying them all is practical
âœ… Look for readable output - the correct flag stands out from gibberish immediately :::

🔐 PicoGym - spelling-quiz

Tue, 16 Dec 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/spelling-quiz/public.zip" download>📂 Download challenge file.</a>

Description: I found the flag, but my brother wrote a program to encrypt all his text files. He has a spelling quiz study guide too, but I don't know if that helps.
Difficulty: Medium
Author: BrownieInMotion

Summary

It's an encryption of all text files using a substitution cipher. We have three things to work with: the encryption program, an encrypted flag, and an encrypted spelling quiz study guide. The key advantage is that the study guide and flag were encrypted using the same cipher key. By analyzing the encrypted study guide with frequency analysis, we can discover the substitution mapping and decrypt the hidden flag.

Analysis

Challenge Files

The challenge provides a public.zip file containing three items:

encrypt.py         → The encryption program
flag.txt           → The encrypted flag
study-guide.txt    → Encrypted spelling quiz words

The Encrypted Flag

Looking at the encrypted flag:

$ cat flag.txt
brcfxba_vfr_mid_hosbrm_iprc_exa_hoav_vwcrm

This looks like random letters - but it's actually a substitution cipher.

Understanding the Encryption

Here's the encryption program:

import random
import os

files = [
    os.path.join(path, file)
    for path, dirs, files in os.walk('.')
    for file in files
    if file.split('.')[-1] == 'txt'
]

alphabet = list('abcdefghijklmnopqrstuvwxyz')
random.shuffle(shuffled := alphabet[:])
dictionary = dict(zip(alphabet, shuffled))

for filename in files:
    text = open(filename, 'r').read()
    encrypted = ''.join([
        dictionary[c]
        if c in dictionary else c
        for c in text
    ])
    open(filename, 'w').write(encrypted)

What this does:

Finds all .txt files in the directory
Creates a shuffled alphabet (randomized order)
Creates a dictionary mapping original letters to shuffled letters
For each file, replaces every letter using the dictionary
Saves the encrypted text back to the file

Key insight: The same shuffled alphabet is used to encrypt ALL files, including the study guide and flag!

The Study Guide

The encrypted study guide contains words from a spelling quiz:

$ head study-guide.txt
gocnfwnwtr
sxlyrxaic
dcrrtfrxcv
uxbvwavcq
lwvicwtiwm
pwtmwnxvicq
avingciisa
ylwtmrcawx
mwaxdcrrxuwlwvq
yciflwnf

Identifying the Cipher Type

Using cipher identification tools like dcode.fr, these encrypted words are strongly identified as Monoalphabetic Substitution.

Solution

How Frequency Analysis Works

In English, certain letters appear more frequently than others:

'e' appears most often (~12.7%)
't', 'a', 'o', 'i' are also very common
'z', 'q', 'x' are rare

If we encrypt English text, the most common encrypted letter should correspond to 'e', the second most common to 't', etc.

Cracking the Cipher

Use frequency analysis tools on the encrypted texts
Upload to dcode.fr Monoalphabetic Substitution
Feed it the encrypted study guide - the tool analyzes letter frequencies
The tool outputs the original alphabet mapping
Use the mapping to decrypt the flag

Results

After running frequency analysis on the encrypted study guide and flag:

The decrypted flag:

PERHAPS_THE_DOG_JUMPED_OVER_WAS_JUST_TIRED

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

Wrap it as: picoCTF{PERHAPS_THE_DOG_JUMPED_OVER_WAS_JUST_TIRED}

:::note[💡 TL;DR / Lesson Learned] ✅ Substitution Cipher - Each letter maps to exactly one other letter
✅ Monoalphabetic - The mapping never changes (unlike polyalphabetic ciphers)
✅ Frequency Analysis - Using letter frequency patterns to break encryption
✅ Ciphertext-only attack - We don't need the key, just encrypted text and patterns
✅ Using known plaintext - The spelling quiz study guide is likely real English words!
:::

🔐 PicoGym - Pixelated

Mon, 15 Dec 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/Pixelated/scrambled1.png" download>📂 Download challenge file 1.</a>
<a href="/files/PicoGym/Cryptography/Pixelated/scrambled2.png" download>📂 Download challenge file 2.</a>

Description: I have these 2 images, can you make a flag out of them?
Difficulty: Medium
Author: Sara

Summary

In this challenge, we're given two scrambled PNG images and need to combine them to reveal a hidden flag. This is an example of visual cryptography, where secret information is hidden across multiple images. Each image alone shows only random noise, but when you overlay them together correctly, the hidden message appears!

Think of it like two transparent sheets with random dots - when you stack them on top of each other, the dots align to form letters.

Analysis

We are given 2 scrambled PNG files:

$ file scrambled1.png
scrambled1.png: PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced

$ file scrambled2.png
scrambled2.png: PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced

Both are 256×256 pixel PNG images in RGB color format and individually, they contain no readable information.

Visual Cryptography Explained

Visual cryptography is a special encryption method where:

A secret message is split across multiple images
Each image alone looks like random noise or garbage
When you overlay (stack) the images together, the secret message becomes visible to the human eye
No complex math or computer decryption is needed!

Imagine you have a secret message. Instead of encrypting it with math, you break it down into pixel patterns across multiple transparent sheets. When someone places all sheets on top of each other and holds them up to the light, the message appears!

The images

When we look at the two images, they appear to be completely random:

scrambled1.png - looks like random noise/static
scrambled2.png - looks like random noise/static

But when combined correctly, they reveal the hidden message!

Solution

Step 1: Understanding how to combine the images

When combining two noisy images that contain a hidden message:

The random noise in each image is different and unpredictable
The hidden message is encoded in BOTH images at the same locations
When we add the pixel values together, the message pixels become much brighter (because they're bright in both images)
The random noise stays relatively dark (because it's different in each image)

Think of it this way: if both images have a white pixel in the same spot, adding them together gives an even brighter white. But if only one image has noise at a location, adding them gives a medium gray.

Step 2: Solution

We load both images, convert them into arrays, and add their pixel values together.

Here's the Python solution:

from PIL import Image
import numpy as np

# Load both images
img1 = Image.open('scrambled1.png')
img2 = Image.open('scrambled2.png')

# Convert to numpy arrays (keeps RGB format)
array1 = np.asarray(img1)
array2 = np.asarray(img2)

# Add the two images together
# Where both have bright pixels (the message), result is very bright
# Where they differ (noise), result is medium brightness
result = np.add(array1, array2)

# Convert back to PIL Image
result_img = Image.fromarray(result, mode="RGB")

# Display and save the result
result_img.show()
result_img.save('flag.png')

Step 3: Read the flag

After running the script, the hidden text appears in the generated flag.png file:

Flag: ~~picoCTF{8cdf93c3}~~

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

:::note[💡 TL;DR / Lesson Learned]

Each image alone is useless, the secret only appears when both are combined
Pixel addition is enough; no complex math or encryption is needed
Bright pixels in both images reinforce each other
Visual cryptography relies on human vision, not cryptographic algorithms
This challenge is about observation and image processing, not math :::

🔐 PicoGym - basic-mod2

Mon, 15 Dec 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/basic-mod2/message.txt" download>📂 Download challenge file.</a>

Description: A new modular challenge! Take each number mod 41 and find the modular inverse for the result. Then map to the following character set: 1-26 are the alphabet, 27-36 are the decimal digits, and 37 is an underscore. Wrap your decrypted message in the picoCTF flag format (i.e. picoCTF{decrypted_message})
Difficulty: Medium
Author: Will Hong

Summary

In this challenge, we decrypt a message by performing modular arithmetic operations. Each number must be reduced modulo 41, then we find its modular multiplicative inverse. The resulting values are mapped to a custom character set where 1-26 represent letters A-Z, 27-36 represent digits 0-9, and 37 represents an underscore.

Analysis

We are provided with a file named message.txt:

$ file message.txt 
message.txt: ASCII text, with no line terminators

Its content:

$ cat message.txt 
104 372 110 436 262 173 354 393 351 297 241 86 262 359 256 441 124 154 165 165 219 288 42

So according to the challenge description, we need to:

Take each number mod 41
Find the modular inverse for the result
Then map to the following character set: 1-26 are the alphabet, 27-36 are the decimal digits, and 37 is an underscore.

What Does “mod 41” Mean?

Taking a number mod 41 means:

Divide the number by 41 and keep the remainder

Examples:

104 mod 41 = 22
372 mod 41 = 3
110 mod 41 = 28

This reduces all large numbers into a small range between 0 and 40.

What is Modular Inverse?

The modular inverse of a number answers this question:

:::note[] “What number do I multiply by this value to get 1 (mod 41)?" :::

Mathematically, it is written as:

a⋅x≡1(mod41)

This means:

Multiply a by x
Take the result mod 41
If the answer is 1, then x is the modular inverse of a

:::note[] You can think of a modular inverse as the undo button for multiplication (when working modulo 41). :::

Example

The modular inverse of 3 mod 11 is 4, because:

3×4=12≡1(mod11)

Why inverses always exist here

41 is a prime number
This means every number from 1 to 40 has a modular inverse modulo 41
So we are guaranteed that an inverse exists (except when the value is 0)

Character Mapping

After finding the modular inverse, we convert it into a character using this mapping:

1-26: A-Z (alphabet)
27-36: 0-9 (digits)
37: _ (underscore)

Solution

Implementing the decryption

Here's the Python solution:

def decrypt_basic_mod2(ciphertext):
    # Character mapping
    # 1-26: a-z, 27-36: 0-9, 37: _
    char_map = {
        1: 'a', 2: 'b', 3: 'c', 4: 'd', 5: 'e', 6: 'f', 7: 'g', 8: 'h', 9: 'i', 10: 'j',
        11: 'k', 12: 'l', 13: 'm', 14: 'n', 15: 'o', 16: 'p', 17: 'q', 18: 'r', 19: 's', 20: 't',
        21: 'u', 22: 'v', 23: 'w', 24: 'x', 25: 'y', 26: 'z',
        27: '0', 28: '1', 29: '2', 30: '3', 31: '4', 32: '5', 33: '6', 34: '7', 35: '8', 36: '9',
        37: '_'
    }
    
    plaintext = []
    
    for num in ciphertext:
        # Step 1: Take mod 41
        mod_result = num % 41
        
        # we use Python 3.8+ built-in: pow(a, -1, 41)
        if mod_result == 0:
            # Edge case: if mod_result is 0, there's no inverse
            continue
        
        inverse = pow(mod_result, -1, 41)
        
        # Step 3: Map to character
        if inverse in char_map:
            plaintext.append(char_map[inverse])
    
    return ''.join(plaintext)

# Parse the ciphertext
ciphertext = [104, 372, 110, 436, 262, 173, 354, 393, 351, 297, 241, 86, 262, 359, 256, 441, 124, 154, 165, 165, 219, 288, 42]

# Decrypt
message = decrypt_basic_mod2(ciphertext)
print(f"Decrypted message: {message}")
print(f"Flag: picoCTF{{{message}}}")

Running the solution

The decrypted message is:

1nv3r53ly_h4rd_dadaacaa

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

$ python solve.py
Decrypted message: 1nv3r53ly_h4rd_dadaacaa
Flag: picoCTF{1nv3r53ly_h4rd_dadaacaa}

Flag: ~~picoCTF{br1nv3r53ly_h4rd_dadaacaa}~~

:::note[💡 TL;DR / Lesson Learned]

Modular inverse: Understanding that the modular multiplicative inverse is the key operation for decryption. Since 41 is prime, every non-zero number has an inverse.
Character mapping: The custom alphabet (1-26 = a-z, 27-36 = 0-9, 37 = _) is crucial for converting the numeric result back to characters.
Modular arithmetic: Taking mod 41 first reduces large numbers to a manageable range (0-40), making the inverse operation efficient.
Python's pow() function: The three-argument pow(a, -1, m) efficiently computes modular inverses (available in Python 3.8+), making the solution elegant and fast. :::

🔐 PicoGym - transposition-trial

Sun, 14 Dec 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/transposition-trial/message.txt" download>📂 Download challenge file.</a>

Description: Our data got corrupted on the way here. Luckily, nothing got replaced, but every block of 3 got scrambled around! The first word seems to be three letters long, maybe you can use that to recover the rest of the message.
Difficulty: Medium
Author: Will Hong

Summary

In this challenge, we are given a corrupted message where every group of three characters has been scrambled, but no characters were lost or replaced. By leveraging the hint that the first word is three letters long, we can identify the scrambling pattern and apply it consistently across the entire ciphertext to recover the flag.

This is a classic block transposition cipher.

Analysis

We are provided with a file named message.txt:

$ file message.txt 
message.txt: ASCII text, with no line terminators

Its content:

$ cat message.txt 
heTfl g as iicpCTo{7F4NRP051N5_16_35P3X51N3_V091B0AE}2

The challenge name (transposition-trial) and the description strongly suggest a transposition cipher, where characters are rearranged but not modified.

To confirm, we can use dCode’s Cipher Identifier.

Yep, I was right, it's Transposition Cipher.

What is Transposition Cipher?

A transposition cipher encrypts a message by rearranging the order of characters according to a fixed pattern or key, without changing the characters themselves.
Key properties:

No substitution occurs
Character frequency remains the same
Decryption requires discovering the correct permutation

Encryption

In this challenge, the permutation is applied per block of 3 characters. The plaintext is divided into blocks of 3 characters, and each block is scrambled according to a fixed pattern.

For example, if we have a block abc and the pattern is a specific permutation, the encrypted block might be cab or bac depending on the pattern used.

Decryption

To decrypt, we need to:

Identify the correct permutation pattern used for scrambling
Reverse that pattern (apply the inverse permutation) to each block of 3 characters
Concatenate the decrypted blocks to recover the plaintext

The hint tells us the first word is three letters long, which is likely "The". This gives us a known plaintext-ciphertext pair:

Ciphertext: heT
Plaintext: The

From this, we can determine the permutation pattern.

Solution

Step 1: Determine the permutation pattern

The first block heT should decrypt to The. Let's map the positions:

The plaintext is The, encrypted as heT. To encrypt:

T (index 0) → position 2 (becomes T at the end)
h (index 1) → position 0 (becomes h at the start)
e (index 2) → position 1 (becomes e in middle)

So the encryption pattern is: [1, 2, 0] (take char at 1, then 2, then 0 of original)

To decrypt, we need the inverse permutation. If encryption uses pattern [1, 2, 0], decryption uses [2, 0, 1]:

Encrypted position 0 → goes to plaintext position 2
Encrypted position 1 → goes to plaintext position 0
Encrypted position 2 → goes to plaintext position 1

Step 2: Implement the decryption

Let's verify with the first block heT:

Apply pattern [2, 0, 1]:
- [2]: heT[2] = T → position 0
- [0]: heT[0] = h → position 1
- [1]: heT[1] = e → position 2
- Result: The ✓

Here's a Python solution:

ciphertext = "heTfl g as iicpCTo{7F4NRP051N5_16_35P3X51N3_V091B0AE}2"

# inverse permutation of [1, 2, 0]
perm = [2, 0, 1]

plaintext = ""

for i in range(0, len(ciphertext), 3):
    block = ciphertext[i:i+3]
    if len(block) == 3:
        plaintext += ''.join(block[p] for p in perm)
    else:
        plaintext += block  # handle leftover chars if any

print(plaintext)

Step 3: Decrypt the entire message

Running the decryption function on the ciphertext :

~~picoCTF{7R4N5P051N6_15_3XP3N51V3_109AB02E}~~

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

$ python solve.py
The flag is picoCTF{7R4N5P051N6_15_3XP3N51V3_109AB02E}

:::note[💡 TL;DR / Lesson Learned]

Known plaintext attack: The hint that the first word is three letters (likely "The") was crucial for determining the permutation pattern.
Block transposition with fixed pattern: Once we identified the pattern from one block, we could apply it consistently to all other blocks.
No character substitution: This confirms it's purely a transposition, not a substitution cipher - all characters remain unchanged, just reordered within each 3-character block.
Inverse permutation: To decrypt, we need to apply the mathematical inverse of the encryption permutation to reverse the scrambling. :::

🔐 PicoGym - substitution1

Tue, 09 Dec 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/substitution1/message.txt" download>📂 Download challenge file.</a>

Description: A second message has come in the mail, and it seems almost identical to the first one. Maybe the same thing will work again. Difficulty: Medium
Author: Will Hong

Summary

This challenge presents another ciphertext that appears very similar to substitution2, suggesting that the same underlying technique, monoalphabetic substitution, is once again the solution. Even though the message is compact and lacks punctuation, classical substitution analysis still works perfectly.

Analysis

We are given the file message.txt :

$ file message.txt 
message.txt: ASCII text, with very long lines (638), with no line terminators

And its content :

ZWDg (gejfw djf zacwpfx wex dqar) afx a wscx jd zjicpwxf gxzpfbws zjicxwbwbjv. Zjvwxgwavwg afx cfxgxvwxm hbwe a gxw jd zeaqqxvrxg hebze wxgw wexbf zfxawbybws, wxzevbzaq (avm rjjrqbvr) gnbqqg, avm cfjtqxi-gjqybvr atbqbws. Zeaqqxvrxg pgpaqqs zjyxf a vpitxf jd zawxrjfbxg, avm hexv gjqyxm, xaze sbxqmg a gwfbvr (zaqqxm a dqar) hebze bg gptibwwxm wj av jvqbvx gzjfbvr gxfybzx. ZWDg afx a rfxaw has wj qxafv a hbmx affas jd zjicpwxf gxzpfbws gnbqqg bv a gadx, qxraq xvybfjvixvw, avm afx ejgwxm avm cqasxm ts iavs gxzpfbws rfjpcg afjpvm wex hjfqm djf dpv avm cfazwbzx. 
Djf webg cfjtqxi, wex dqar bg: cbzjZWD{DF3LP3VZS_4774ZN5_4F3_Z001_4871X6DT}

The ciphertext is continuous text with no spacing, making it visually harder to read, but still vulnerable to frequency analysis.

Solution

To decode this efficiently, we load the ciphertext into: Mono-alphabetic Substitution

The tool performs frequency analysis and heuristic reconstruction to rebuild natural English from the continuous letter stream.

After processing, we obtain the fully decrypted plaintext:

CTFS (SHORT FOR CAPTURE THE FLAG) ARE A TYPE OF COMPUTER SECURITY COMPETITION. CONTESTANTS ARE PRESENTED WITH A SET OF CHALLENGES WHICH TEST THEIR CREATIVITY, TECHNICAL (AND GOOGLING) SKILLS, AND PROBLEM-SOLVING ABILITY. CHALLENGES USUALLY COVER A NUMBER OF CATEGORIES, AND WHEN SOLVED, EACH YIELDS A STRING (CALLED A FLAG) WHICH IS SUBMITTED TO AN ONLINE SCORING SERVICE. CTFS ARE A GREAT WAY TO LEARN A WIDE ARRAY OF COMPUTER SECURITY SKILLS IN A SAFE, LEGAL ENVIRONMENT, AND ARE HOSTED AND PLAYED BY MANY SECURITY GROUPS AROUND THE WORLD FOR FUN AND PRACTICE. 
FOR THIS PROBLEM, THE FLAG IS: PICOCTF{FR3QU3NCY_4774CK5_4R3_C001_4871E6FB}

From here, at the very end, we can see the flag already.

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

Some substitution solvers occasionally mix up mappings when two letters have nearly identical frequency patterns. In this ciphertext, J and Q were swapped in the raw solver output, producing: ~~PICOCTF{FR3JU3NCY_4774CK5_4R3_C001_4871E6FB}~~

But logically, the correct flag is: ~~PICOCTF{FR3QU3NCY_4774CK5_4R3_C001_4871E6FB}~~

:::note[💡 TL;DR / Lesson Learned] Challenge uses a monoalphabetic substitution cipher.
Feed ciphertext into DCODE’s solver → plaintext recovers almost instantly.
Solver swapped J and Q, but context makes the correction obvious.
:::

🔐 PicoGym - Waves Over Lambda

Mon, 08 Dec 2025 00:00:00 GMT

Description: We made a lot of substitutions to encrypt this. Can you decrypt it Difficulty: Medium
Author: invisibility/Danny

Summary

This challenge provides a remote service that outputs a long ciphertext. The prompt hints that â€œa lot of substitutionsâ€ were used, strongly suggesting a monoalphabetic substitution cipher. The goal is to identify the substitution mapping and decrypt the full text to recover the flag.

Analysis

A netcat service is given : nc fickle-tempest.picoctf.net 56322 Connecting to it returns the following ciphertext:

$ nc fickle-tempest.picoctf.net 56322
-------------------------------------------------------------------------------
qnaixvsd rhxh od enux fcvi - fxhguhaqe_od_q_nphx_cvtmjv_f3ff3v4j
-------------------------------------------------------------------------------
mhswhha ud srhxh wvd, vd o rvph vcxhvje dvoj dnthwrhxh, srh mnaj nf srh dhv. mhdojhd rncjoai nux rhvxsd snihsrhx srxnuir cnai yhxonjd nf dhyvxvsona, os rvj srh hffhqs nf tvkoai ud snchxvas nf hvqr nsrhx'd evxadvaj hpha qnapoqsonad. srh cvwehxsrh mhds nf ncj fhccnwdrvj, mhqvudh nf rod tvae ehvxd vaj tvae poxsuhd, srh nace qudrona na jhqk, vaj wvd ceoai na srh nace xui. srh vqqnuasvas rvj mxnuirs nus vcxhvje v mnb nf jntoanhd, vaj wvd sneoai vxqroshqsuxvcce wosr srh mnahd. tvxcnw dvs qxndd-chiihj xoirs vfs, chvaoai vivoads srh tozzha-tvds. rh rvj duakha qrhhkd, v ehccnw qntychbona, v dsxvoirs mvqk, va vdqhsoq vdyhqs, vaj, wosr rod vxtd jxnyyhj, 
srh yvctd nf rvajd nuswvxjd, xhdhtmchj va ojnc. srh joxhqsnx, dvsodfohj srh vaqrnx rvj innj rncj, tvjh rod wve vfs vaj dvs jnwa vtnaids ud. wh hbqrvaihj v fhw wnxjd cvzoce. vfshxwvxjd srhxh wvd dochaqh na mnvxj srh evqrs. fnx dnth xhvdna nx nsrhx wh joj ans mhioa srvs ivth nf jntoanhd. wh fhcs thjosvsoph, vaj fos fnx ansroai mus ycvqoj dsvxoai. srh jve wvd hajoai oa v dhxhaose nf dsocc vaj hbguodosh mxoccovaqh. srh wvshx drnah yvqofoqvcce; srh dke, wosrnus v dyhqk, wvd v mhaoia otthadose nf uadsvoahj coirs; srh phxe tods na srh hddhb tvxdr wvd cokh v ivuze vaj xvjovas fvmxoq, ruai fxnt srh wnnjhj xodhd oacvaj, vaj jxvyoai srh cnw drnxhd oa jovyrvanud fncjd. nace srh icnnt sn srh whds, mxnnjoai nphx srh uyyhx xhvqrhd, mhqvth tnxh dntmxh hphxe toaush, vd of vaihxhj me srh vyyxnvqr nf srh dua.

Based on the challenge description, it seems that they made a lot of substutions and this points to susitution cipher.

Solution

To assist in solving, we can load the ciphertext into a tool such as: Mono-alphabetic Substitution

This tool uses frequency analysis and heuristics to predict the English plaintext.

From this, we got :

------------------------------------------------------------------------------- 
CONGRATS HERE IS YOUR FLAG - FREQUENCY_IS_C_OVER_LAMBDA_F3FF3A4D 
------------------------------------------------------------------------------- 
BETWEEN US THERE WAS, AS I HAVE ALREADY SAID SOMEWHERE, THE BOND OF THE SEA. BESIDES HOLDING OUR HEARTS TOGETHER THROUGH LONG PERIODS OF SEPARATION, IT HAD THE EFFECT OF MAKING US TOLERANT OF EACH OTHER'S YARNSAND EVEN CONVICTIONS. THE LAWYERTHE BEST OF OLD FELLOWSHAD, BECAUSE OF HIS MANY YEARS AND MANY VIRTUES, THE ONLY CUSHION ON DECK, AND WAS LYING ON THE ONLY RUG. THE ACCOUNTANT HAD BROUGHT OUT ALREADY A BOX OF DOMINOES, AND WAS TOYING ARCHITECTURALLY WITH THE BONES. MARLOW SAT CROSS-LEGGED RIGHT AFT, LEANING AGAINST THE MIZZEN-MAST. HE HAD SUNKEN CHEEKS, A YELLOW COMPLEXION, A STRAIGHT BACK, AN ASCETIC ASPECT, AND, WITH HIS ARMS DROPPED, THE PALMS OF HANDS OUTWARDS, RESEMBLED AN IDOL. THE DIRECTOR, SATISFIED THE ANCHOR HAD GOOD HOLD, MADE HIS WAY AFT AND SAT DOWN AMONGST US. WE EXCHANGED A FEW WORDS LAZILY. AFTERWARDS THERE WAS SILENCE ON BOARD THE YACHT. FOR SOME REASON OR OTHER WE DID NOT BEGIN THAT GAME OF DOMINOES. WE FELT MEDITATIVE, AND FIT FOR NOTHING BUT PLACID STARING. THE DAY WAS ENDING IN A SERENITY OF STILL AND EXQUISITE BRILLIANCE. THE WATER SHONE PACIFICALLY; THE SKY, WITHOUT A SPECK, WAS A BENIGN IMMENSITY OF UNSTAINED LIGHT; THE VERY MIST ON THE ESSEX MARSH WAS LIKE A GAUZY AND RADIANT FABRIC, HUNG FROM THE WOODED RISES INLAND, AND DRAPING THE LOW SHORES IN DIAPHANOUS FOLDS. ONLY THE GLOOM TO THE WEST, BROODING OVER THE UPPER REACHES, BECAME MORE SOMBRE EVERY MINUTE, AS IF ANGERED BY THE APPROACH OF THE SUN.

From this decryption, we can also extract the substitution mapping used in the challenge:

â‡’ VMQJHFIROLKCTANYGXDSUPWBEZ (Original Encryption Alphabet)
â‡’ NXLSYFQEGDKJBOIVCHTMUAWRPZ (Reciprocal â‡… Decryption Alphabet)

This mapping illustrates how each ciphertext letter was substituted to produce the readable plaintext.

:::note[âš¡ Raikiri] 🎉 Flag pwned! :::

FREQUENCY_IS_C_OVER_LAMBDA_F3FF3A4D

:::note[💡 TL;DR / Lesson Learned] Challenge gives a long ciphertext via netcat.
Hint suggests substitution cipher â†’ use monoalphabetic solver.
Paste ciphertext into DCODE â†’ instantly recovers readable English and flag. :::

🔐 PicoGym - substitution2

Mon, 08 Dec 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/substitution2/message.txt" download>📂 Download challenge file.</a>

Description: It seems that another encrypted message has been intercepted. The encryptor seems to have learned their lesson though and now there isn't any punctuation! Can you still crack the cipher?
Difficulty: Medium
Author: Will Hong

Summary

This challenge provides a long ciphertext with no spacing or punctuation, making frequency analysis slightly harder than usual. Since the title is substitution2, this strongly suggests another monoalphabetic substitution cipher, just without word boundaries. By leveraging automated tools and frequency patterns, we can still recover the plaintext and extract the flag hidden at the end.

Analysis

We are given the file message.txt :

$ file message.txt 
message.txt: ASCII text, with very long lines (1288), with no line terminators

And its content is a massive block of text with no spaces and no punctuation:

fnjdjjzqsfsjpjdxwmfnjdcjwwjsfxhwqsnjynqensknmmwkmuvafjdsjkadqftkmuvjfqfqmgsqgkwayqgekthjdvxfdqmfxgyaskthjdknxwwjgejfnjsjkmuvjfqfqmgslmkasvdquxdqwtmgstsfjusxyuqgqsfdxfqmglagyxujgfxwscnqknxdjpjdtasjlawxgyuxdojfxhwjsoqwwsnmcjpjdcjhjwqjpjfnjvdmvjdvadvmsjmlxnqensknmmwkmuvafjdsjkadqftkmuvjfqfqmgqsgmfmgwtfmfjxknpxwaxhwjsoqwwshafxwsmfmejfsfayjgfsqgfjdjsfjyqgxgyjzkqfjyxhmafkmuvafjdskqjgkjyjljgsqpjkmuvjfqfqmgsxdjmlfjgwxhmdqmasxllxqdsxgykmujymcgfmdaggqgeknjkowqsfsxgyjzjkafqgekmglqeskdqvfsmlljgsjmgfnjmfnjdnxgyqsnjxpqwtlmkasjymgjzvwmdxfqmgxgyquvdmpqsxfqmgxgymlfjgnxsjwjujgfsmlvwxtcjhjwqjpjxkmuvjfqfqmgfmaknqgemgfnjmlljgsqpjjwjujgfsmlkmuvafjdsjkadqftqsfnjdjlmdjxhjffjdpjnqkwjlmdfjknjpxgejwqsufmsfayjgfsqgxujdqkxgnqensknmmwsladfnjdcjhjwqjpjfnxfxgagyjdsfxgyqgemlmlljgsqpjfjkngqiajsqsjssjgfqxwlmdumagfqgexgjlljkfqpjyjljgsjxgyfnxffnjfmmwsxgykmglqeadxfqmglmkasjgkmagfjdjyqgyjljgsqpjkmuvjfqfqmgsymjsgmfwjxysfayjgfsfmogmcfnjqdjgjutxsjlljkfqpjwtxsfjxknqgefnjufmxkfqpjwtfnqgowqojxgxffxkojdvqkmkflqsxgmlljgsqpjwtmdqjgfjynqensknmmwkmuvafjdsjkadqftkmuvjfqfqmgfnxfsjjosfmejgjdxfjqgfjdjsfqgkmuvafjdskqjgkjxumgenqensknmmwjdsfjxknqgefnjujgmaenxhmafkmuvafjdsjkadqftfmvqiajfnjqdkadqmsqftumfqpxfqgefnjufmjzvwmdjmgfnjqdmcgxgyjgxhwqgefnjufmhjffjdyjljgyfnjqduxknqgjsfnjlwxeqsvqkmKFL{G6D4U_4G41T515_15_73Y10A5_42JX1770}

The absence of whitespace is deliberate: it makes pattern spotting harder, but it’s still just a substitution cipher, as implied by the challenge title.

Solution

To decode this efficiently, we load the ciphertext into: Mono-alphabetic Substitution

The tool performs frequency analysis and heuristic reconstruction to rebuild natural English from the continuous letter stream.

After processing, we obtain the fully decrypted plaintext:

THEREEXISTSEVERALOTHERWELLESTABLISHEDHIGHSCHOOLCOMPUTERSECURITYCOMPETITIONSINCLUDINGCYBERPATRIOTANDUSCYBERCHALLENGETHESECOMPETITIONSFOCUSPRIMARILYONSYSTEMSADMINISTRATIONFUNDAMENTALSWHICHAREVERYUSEFULANDMARKETABLESKILLSHOWEVERWEBELIEVETHEPROPERPURPOSEOFAHIGHSCHOOLCOMPUTERSECURITYCOMPETITIONISNOTONLYTOTEACHVALUABLESKILLSBUTALSOTOGETSTUDENTSINTERESTEDINANDEXCITEDABOUTCOMPUTERSCIENCEDEFENSIVECOMPETITIONSAREOFTENLABORIOUSAFFAIRSANDCOMEDOWNTORUNNINGCHECKLISTSANDEXECUTINGCONFIGSCRIPTSOFFENSEONTHEOTHERHANDISHEAVILYFOCUSEDONEXPLORATIONANDIMPROVISATIONANDOFTENHASELEMENTSOFPLAYWEBELIEVEACOMPETITIONTOUCHINGONTHEOFFENSIVEELEMENTSOFCOMPUTERSECURITYISTHEREFOREABETTERVEHICLEFORTECHEVANGELISMTOSTUDENTSINAMERICANHIGHSCHOOLSFURTHERWEBELIEVETHATANUNDERSTANDINGOFOFFENSIVETECHNIQUESISESSENTIALFORMOUNTINGANEFFECTIVEDEFENSEANDTHATTHETOOLSANDCONFIGURATIONFOCUSENCOUNTEREDINDEFENSIVECOMPETITIONSDOESNOTLEADSTUDENTSTOKNOWTHEIRENEMYASEFFECTIVELYASTEACHINGTHEMTOACTIVELYTHINKLIKEANATTACKERPICOCTFISANOFFENSIVELYORIENTEDHIGHSCHOOLCOMPUTERSECURITYCOMPETITIONTHATSEEKSTOGENERATEINTERESTINCOMPUTERSCIENCEAMONGHIGHSCHOOLERSTEACHINGTHEMENOUGHABOUTCOMPUTERSECURITYTOPIQUETHEIRCURIOSITYMOTIVATINGTHEMTOEXPLOREONTHEIROWNANDENABLINGTHEMTOBETTERDEFENDTHEIRMACHINES
THEFLAGISPICOCTF{N6R4M_4N41Y515_15_73D10U5_42EA1770}

From here, at the very end, we can see the flag already.

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

THE FLAG IS ~~PICOCTF{N6R4M_4N41Y515_15_73D10U5_42EA1770}~~

:::note[💡 TL;DR / Lesson Learned] The file contains a giant block of text encrypted via monoalphabetic substitution.
Removing punctuation and spaces increases difficulty slightly but doesn’t change the cipher.
Feeding the ciphertext into DCODE's substitution solver reconstructs readable English.
Even when obfuscated with no word boundaries, substitution ciphers crumble under frequency analysis. :::

🔐 PicoGym - credstuff

Tue, 25 Nov 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/credstuff/leak.tar" download>📂 Download challenge file.</a>

Description: We found a leak of a blackmarket website's login credentials. Can you find the password of the user cultiris and successfully decrypt it? The first user in usernames.txt corresponds to the first password in passwords.txt. The second user corresponds to the second password, and so on.
Difficulty: Medium
Author: Will Hong / LT 'syreal' Jones

Summary

This challenge provides a leaked archive containing two files: a list of usernames and a list of passwords. Each username corresponds directly to the password on the same line number. The goal is to locate the user cultiris, find their associated password, and then decrypt it to obtain the flag.

Analysis

We are given a tar archive named leak.tar:

$ file leak.tar 
leak.tar: POSIX tar archive (GNU)

A quick reminder: tar (Tape ARchive) is a Linux utility used for packaging multiple files into a single archive. It’s commonly used for backups, data transfer, and compressing directory structures. Extracting it will reveal the files inside.

Let's untar it

Let's extract the archive:

$ tar -xvf leak.tar
leak/
leak/passwords.txt
leak/usernames.txt

Step 1, View the leaked usernames

$ cat usernames.txt
engineerrissoles
icebunt
fruitfultry
celebritypentathlon
galoshesopinion
favorboeing
bindingcouch
entersalad
ruthlessconfidence
coupleelevator
remotesword
researchfall
alertborn
excitedcool
actressbogus
volcanicram
glassesspring
fixoutrigger
boozerfirework
therapistvigorous
withoutbelgian
treedon’t
healobligation
volunteerprofessor
tweedboilersuit
underwingpale
whirlmolar
crawlrake
sandpiperband
turbulentbrisk
strippedimminent
croakmuffler
netherrackdelay
harrascroak
leeryspiffy
mineshaftlevel
paragraphswarm
horizongrimacing
aheadmeek
grimacingstain
analysttooth
majoritygillette
droopyoatmeal
councilmonster
fencegreek
treaclerebel
kentishpartial
habitualregardless
overallglistening
cootnoise
victimscalloped
patienceyawl
depictnine
widoweveryone
survivalunlikely
clovestair
lardfacecrash
mewguitar
dellminer
croquetdroopy
drabparcel
platformcancel
sutehummus
fearlessherring
shypresident
deliverunsightly
swooshdelicious
resistancedistorted
...

Step 2, Count the usernames

There are many usernames, so let’s count them:

$ wc -l usernames.txt
505 usernames.txt

Step 3, View the leaked passwords

And I think it will be the same on the password.txt since line N of usernames.txt corresponds to line N of passwords.txt.

$ cat passwords.txt
CMPTmLrgfYCexGzJu6TbdGwZa
GK73YKE2XD2TEnvJeHRBdfpt2
UukmEk5NCPGUSfs5tGWPK26gG
kaL36YJtvZMdbTdLuQRx84t85
K9gzHFpwF2azPayAUSrcL8fJ9
rYrtRbkHvJzPmDwzD6gSDbAE3
kfcVXjcFkvNQQPpATErx6eVDd
kDrPVvMakUsNd7BvmJtK3ACY4
dvDvWjzXNk8WwqEzJ5P2FP5YH
86L5w4sH9ZXTCPAa5ExMSPFNh
qXFEg8ZasLxQhUYWnhTemgqxh
gd7panTqNpUvBXBxpGpcqP9X7
Y3KcHyg7kSf6RgX5THyjrw3g1
WkHQ78HaKgkcf8bHat9GbTJmj
LhY5mfRsaKjaueVhdeHqUrMKp
fcdy7jz9VmfPQcuHRnULJvwUf
fVsT4tJ5ahRUbBp4YEdVAvLtF
cLr6pyDpuvQyAda35CdcCsSgk
mkY39jWhLQAABWNg7GQQCqhr9
JPTeqgHpbTYra2jXn7KLvNXt1
BskbdvkHv8Dv9NAgRHJ3uwDG0
hD795qgYzpbhXGSYadJRJpRGB
WLVn9cV4NL7kZ2WCagP8jV2Gc
XccQXznLtdWbs6ga24tMEXNfe
kw6zFzfZvEGk6fxrMNQYUXeXh
XgqXaMhG65X4aP6GqadBAYKfs
fHfNeGsefznBCnpPvKxVk6au1
nb6ErH5LkVNyAD4mggFtdyVqn
J4jyAn9apZSERG52NHsAZPkTJ
MxFFeMG8GYpqTuFjBgeEZYyMx
HrrWkXXrTmmnyTWbSkMp9Ex5R
TW9wgrcfu6Ts5g7B52h35rLv9
96HpneHwr2NkwQTGapdGJ2zHH
Kbm4VSy5AwC5GJqdB7LyBQjmB
nUVsKGwX3aQfQbaVCFJhEEevs
wtcfmPjPWFtKr2dsJ3xHJTsEf
fNadeE2VUsZhvrp9jtSwAHLEV
Bu2RE6MNb6m3fEAB7ybzKYubN
FWT6WftJ4DjZaQkTF8g7cfPHJ
eLb8JZbmgVkkg8Um3M3cgBSJm
rXYhx9zD7sDEwrvJDq24hBw6D
Q4zpdfMkAccQUFhGtWxtysKFk
cBZJ76hxZFrSfUdubQXvRbnKx
t8jgSfmGcSdk6xcP5mq5NAXBG
NSAx3BZ4spPGgsSddB6tcq974
ZrqGJCkPKMTgNJsnjM7ZsDewP
JzrVE3xzLHJwbug7YU4cAdRLz
xMUtE5ZXeddJmmQVp5te8eMwX
93tVFsU4FnhATXdk4TFgscyE4
wKhzpAM9bTYDLUpnvWwD3kJG9
mRuTNPuN3xNvyPb4XQqqXcteN
WSxghvfrLaUyJuuds9VPPC9Tr
MNmUBhP89UyF5Y35mG6vWbF98
QKMa8FVXBapTfdGukHHjbyBGX
UZhEA4bBB4Ygeqc22G69eSH5B
qLdf6j7XCbq5VVSkwjKdfj8gX
HhFzWEGRNeHPLwaGxFDedkznR
UnYbztbH2HxJHugn8cXCvsJ9H
9AaAGz4Q5seQBQquBJFgVUBWQ
z2NWxfQedMaaCp4ud4QePyyFe
....

Step 4, Count the passwords

As expected, the passwords file contains the same number of entries; I was right xD.

$ wc -l passwords.txt
505 passwords.txt

Solution

Now let's see if the username cultiris exist on usernames.txt using grep :

$ cat usernames.txt | grep "cultiris"
cultiris

Nice we have it here!

Now let's locate the target username cultiris:

$ grep -n "cultiris" usernames.txt
378:cultiris

Perfect, cultiris is on line 378.

I can search manually or by using this:

$ sed -n '378p' passwords.txt
cvpbPGS{P7e1S_54I35_71Z3}

This looks like a flag, but it’s clearly not decrypted yet. The structure strongly resembles ROT13.

To confirm, we check DCODE’s Cipher Identifier:

It detects ROT13, just as suspected.

We can use this ROT13 Decoder and this gives us the flag :

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

Flag : ~~picoCTF{C7r1F_54V35_71M3}~~

:::note[💡 TL;DR / Lesson Learned] Extract the tar archive → two files: usernames & passwords.
Line numbers correspond exactly between both files.
Locate cultiris → line 378.
Retrieve password from passwords.txt line 378.
Decrypt the ROT13-encoded string → flag appears :::

🔐 PicoGym - morse-code

Mon, 24 Nov 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/morse-code/morse_chal.wav" download>📂 Download challenge file.</a>

Description: Morse code is well known. Can you decrypt this? Download the file here. Wrap your answer with picoCTF{}, put underscores in place of pauses, and use all lowercase.
Difficulty: Medium
Author: Will Hong

Summary

This challenge provides an audio recording containing Morse code beeps. The goal is to decode the audio into text.

Analysis

We are given an audio file named morse_chal.wav:

$ file morse_chal.wav 
morse_chal.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz

Since it's a WAV file, the next logical step is to listen to it, and immediately, it becomes clear that the audio consists of classic Morse code beeps.

To decode the Morse from audio, we can use any online audio Morse decoder. One reliable option is: https://morsecode.world/international/decoder/audio-decoder-adaptive.html

Upload the file and wait for the decoder to process the signal.

The decoder output gives us: WH47 H47H 90D W20U9H7

Now we need to replace the spaces with underscores and wrap it with the flag format: ~~picoCTF{WH47_H47H_90D_W20U9H7}~~

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

:::note[💡 TL;DR / Lesson Learned] Audio Morse can be decoded easily using online adaptive decoders. :::

🔐 PicoGym - Tapping

Sun, 23 Nov 2025 00:00:00 GMT

Description: There's tapping coming in from the wires. Additional details will be available after launching your challenge instance.
Difficulty: Medium
Author: Danny

Summary

This challenge provides a message from a remote service. The message consists entirely of dots, dashes, and spacing, a strong indicator that it is encoded using Morse Code. The goal is to decode it and extract the flag.

Analysis

Since this is an instance-based challenge, we first connect to the service using nc:

$ nc fickle-tempest.picoctf.net 60330.
.--. .. -.-. --- -.-. - ..-. { -- ----- .-. ... ...-- -.-. ----- -.. ...-- .---- ... ..-. ..- -. ----- ....- ...-- .- ...-- ....- ..... ----- }

This is clearly Morse Code.

What is morse code?

Morse code is a method of encoding characters using sequences of short and long signals:

Short signal = dot (.)
Long signal = dash (-)

Each letter or number is represented by a specific sequence of dots and dashes. Example:

A = .-
Kakashi = -.- .- -.- .- ... .... ..

Spacing rules:

Each letter is separated by a space
Each word is separated by a slash / (or newline)

How to encrypt using Morse Code cipher?

To encrypt text:

Convert each letter into its dot/dash representation using the Morse table.
Separate characters with spaces.
Separate words using / or additional spacing.

Example: HELLO → .... . .-.. .-.. ---

The complete table of Morse Code is :

How to decrypt Morse Code cipher?

To decrypt:

Split the input by spaces.
Convert each dot/dash sequence back to its letter using the Morse table.
Join the letters to form words.

Tools such as CyberChef, DCode, or any Morse decoder can automate this process.

How to recognize Morse Code ciphertext?

Morse ciphertext is easy to spot:

Contains only dots, dashes, spaces, and sometimes slashes.
Often delivered as tapping, beeps, or light flashes.
In text-based CTFs → sequences like: .---- ..--- ...-- -.-. --- -.. .

Decrypting the Challenge Ciphertext

We paste the cipher into CyberChef using From Morse Code, which decodes it automatically:

Alternatively, here’s the manual breakdown:

--       0     .-.     ...--    -.-.     -----     -..     ...--     .----     ...     ..-.     ..-     -.     -----     ....-     ...--     .-     ...--     ....-     .....     -----
M        0      R        3        C        0         D        3         1        S        F        U       N       0        4         3        A        3        4         5         0

So the decoded message is:

M0R3C0D31SFUN043A3450

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

Final Flag

The flag is ~~picoCTF{M0R3C0D31SFUN043A3450}~~

:::note[💡 TL;DR / Lesson Learned] Morse Code uses dots and dashes to represent characters. Spacing matters: space = new letter, slash = new word. Easy to decode using CyberChef or any online Morse decoder. :::

🔐 PicoGym - La Cifra De

Sun, 23 Nov 2025 00:00:00 GMT

Description: I found this cipher in an old book. Additional details will be available after launching your challenge instance.
Difficulty: Medium
Author: Alex Fulton/Daniel Tunitis

Summary

This challenge provides an encrypted text from a remote instance. The goal is to identify the cipher and decrypt the message to extract the flag.

Analysis

Since this is an instance-based challenge, we first connect to the service using nc:

$ nc fickle-tempest.picoctf.net 51614
Encrypted message:
âˆ©â•, â”Ne iy nytkwpsznyg nth it mtsztcy vjzprj zfzjy rkhpibj nrkitt ltc tnnygy ysee itd tte cxjltk

Ifrosr tnj noawde uk siyyzre, yse Bnretâ”œÂ¿wp Cousex mls hjpn xjtnbjytki xatd eisjd

Iz bls lfwskqj azycihzeej yz Brftsk ip Volpnâ”œÂ¿xj ls oy hay tcimnyarqj dkxnrogpd os 1553 my Mnzvgs Mazytszf Merqlsu ny hox moup Wa inqrg ipl. Ynr. Gotgat Gltzndtg Gplrfdo

Ltc tnj tmvqpmkseaznzn uk ehox nivmpr g ylbrj ts ltcmki my yqtdosr tnj wocjc hgqq ol fy oxitngwj arusahje fuw ln guaaxjytrd catizm tzxbkw zf vqlckx hizm ceyupcz yz tnj fpvjc hgqqpohzCZK{m311a50_0x_a1rn3x3_h1ah3xim3eKhQa}

Zmp fowdt cjwl-jtnusjytki oeyhcivytot tq a vtwygqahggptoh nivmpr nthebjc, wgx xajj lruzyd 1467 hd Weus Mazytszf Llhjcto.

Yse Bnretâ”œÂ¿wp Cousex nd tnjceltce ytxeznxey hllrjo tnj Llhjcto Itsi tc Argprzn Nivmpr.

Os 1508, Uonfynkx Eroysesnfs osgetypd zmp su-hllrjo tggflg wpczf (l mgycid tq snnqtki llvmlbkyd) tnfe wuzwd rfeex gp a iwttohll itxpuspnz tq tnj Gimjyâ”œÂ¿rk Htpnjc.

BkqwaytÎ“Ã‡Ã–d skhznj gzoqqpt guaegwpd os 1555 ls g hznznyugytot tq tnj qixxe. Tnj wocjc hgqgey tq tnj llvmlbkyd axj yoc xsilypd xjrurfcle, gft zmp arusahjes gso tnj tnjji lkyeexx lrk rtxki my sjlny tq a sspmustc qjj pnwlsk, bsiim nat gp dokqexjyt cneh kfnh itcrkxaotipnz.

The instance responds with a long encrypted message:

âˆ©â•, â”Ne iy nytkwpsznyg nth it mtsztcy vjzprj zfzjy rkhpibj nrkitt ltc tnnygy ysee itd tte cxjltk

Ifrosr tnj noawde uk siyyzre, yse Bnretâ”œÂ¿wp Cousex mls hjpn xjtnbjytki xatd eisjd

Iz bls lfwskqj azycihzeej yz Brftsk ip Volpnâ”œÂ¿xj ls oy hay tcimnyarqj dkxnrogpd os 1553 my Mnzvgs Mazytszf Merqlsu ny hox moup Wa inqrg ipl. Ynr. Gotgat Gltzndtg Gplrfdo

Ltc tnj tmvqpmkseaznzn uk ehox nivmpr g ylbrj ts ltcmki my yqtdosr tnj wocjc hgqq ol fy oxitngwj arusahje fuw ln guaaxjytrd catizm tzxbkw zf vqlckx hizm ceyupcz yz tnj fpvjc hgqqpohzCZK{m311a50_0x_a1rn3x3_h1ah3xim3eKhQa}

Zmp fowdt cjwl-jtnusjytki oeyhcivytot tq a vtwygqahggptoh nivmpr nthebjc, wgx xajj lruzyd 1467 hd Weus Mazytszf Llhjcto.

Yse Bnretâ”œÂ¿wp Cousex nd tnjceltce ytxeznxey hllrjo tnj Llhjcto Itsi tc Argprzn Nivmpr.

Os 1508, Uonfynkx Eroysesnfs osgetypd zmp su-hllrjo tggflg wpczf (l mgycid tq snnqtki llvmlbkyd) tnfe wuzwd rfeex gp a iwttohll itxpuspnz tq tnj Gimjyâ”œÂ¿rk Htpnjc.

BkqwaytÎ“Ã‡Ã–d skhznj gzoqqpt guaegwpd os 1555 ls g hznznyugytot tq tnj qixxe. Tnj wocjc hgqgey tq tnj llvmlbkyd axj yoc xsilypd xjrurfcle, gft zmp arusahjes gso tnj tnjji lkyeexx lrk rtxki my sjlny tq a sspmustc qjj pnwlsk, bsiim nat gp dokqexjyt cneh kfnh itcrkxaotipnz.

This is clearly not substitution, since the structure of the text is too varied. It also doesnâ€™t look like transposition â€” the letter distribution resembles normal English frequency patterns, meaning:

This is likely a polyalphabetic substitution cipher.

To confirm, I run the ciphertext through a cipher identification tool: cipher identifier.

And dcode.fr strongly suggests its Vigenère Cipher.

Decrypting (Using a Vigenère Solver)

Instead of doing key-length analysis manually, we simply use an automated solver

Paste the entire ciphertext into the solver and it automatically:

Detects the key length
Recovers the Vigenère key
Outputs the full decrypted English plaintext

It discovers the key: flag

Decrypted message:

âˆ©â•, â”It is interesting how in history people often receive credit for things they did not create

During the course of history, the Vigenère Cipher has been reinvented many times

It was falsely attributed to Blaise de Vigenère as it was originally described in 1553 by Giovan Battista Bellaso in his book La cifra del. Sig. Giovan Battista Bellaso

For the implementation of this cipher a table is formed by sliding the lower half of an ordinary alphabet for an apparently random number of places with respect to the upper halfpicoCTF{b311a50_0r_v1gn3r3_c1ph3rdb3eEcFa}

The first well-documented description of a polyalphabetic cipher however, was made around 1467 by Leon Battista Alberti.

The Vigenère Cipher is therefore sometimes called the Alberti Disc or Alberti Cipher.

In 1508, Johannes Trithemius invented the so-called tabula recta (a matrix of shifted alphabets) that would later be a critical component of the Vigenère Cipher.

BellasoÎ“Ã‡Ã–s second booklet appeared in 1555 as a continuation of the first. The lower halves of the alphabets are now shifted regularly, but the alphabets and the index letters are mixed by means of a mnemonic key phrase, which can be different with each correspondent.

:::note[âš¡ Raikiri] 🎉 Flag pwned! :::

The flag appears to be ~~picoCTF{b311a50_0r_v1gn3r3_c1ph3rdb3eEcFa}~~

:::note[💡 TL;DR / Lesson Learned] Long, natural-looking ciphertext with proper spacing strongly hints at Vigenère or another polyalphabetic cipher. Classical ciphers like Vigenère are trivially broken using modern automated solvers. Always try cipher-identification tools first â€” they save time. :::

🔐🕵️ PicoGym - Mr-Worldwide

Sat, 22 Nov 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/Mr-Worldwide/message.txt" download>📂 Download challenge file.</a>

Description: A musician left us a message. What's it mean?
Difficulty: Medium
Author: speeeday/Danny

Summary

This challenge hides a message inside a series of GPS coordinates formatted inside picoCTF{...}.
By identifying the locations and taking the first letter of each city, we can reconstruct the final flag.

Analysis

We are provided with the file message.txt :

$ file message.txt 
message.txt: ASCII text, with no line terminators

Its contents are:

picoCTF{(35.028309, 135.753082)(46.469391, 30.740883)(39.758949, -84.191605)(41.015137, 28.979530)(24.466667, 54.366669)(3.140853, 101.693207)_(9.005401, 38.763611)(-3.989038, -79.203560)(52.377956, 4.897070)(41.085651, -73.858467)(57.790001, -152.407227)(31.205753, 29.924526)}

At first glance, this clearly resembles a list of latitude/longitude GPS coordinates wrapped inside picoCTF{}.

I'll extract only the coordinates to make the data easier to read and analyze:

(35.028309, 135.753082)
(46.469391, 30.740883)
(39.758949, -84.191605)
(41.015137, 28.979530)
(24.466667, 54.366669)
(3.140853, 101.693207)
_
(9.005401, 38.763611)
(-3.989038, -79.203560)
(52.377956, 4.897070)
(41.085651, -73.858467)
(57.790001, -152.407227)
(31.205753, 29.924526)

What places do these GPS coordinates point to?

The underscore _ appears to separate two words, meaning:

The first group of coordinates → first word
The second group → second word

The next step is to reverse-lookup each coordinate using tools like:

Identifying the locations

Now I'll plug each coordinate into Google Maps and note the city.

Example lookup :

35.028309, 135.753082 → Kyoto, Japan.

Proceeding similarly, the coordinates resolve to:

(35.028309, 135.753082) → Kyoto, Japan
(46.469391, 30.740883) → Odesa, Ukraine
(39.758949, -84.191605) → Dayton, USA
(41.015137, 28.979530) → Istanbul, Turkey
(24.466667, 54.366669) → Abu Dhabi, UAE
(3.140853, 101.693207) → Kuala Lumpur, Malaysia

Then after the underscore:

(9.005401, 38.763611) → Addis Ababa, Ethiopia
(-3.989038, -79.203560) → Loja, Ecuador
(52.377956, 4.897070) → Amsterdam, Netherlands
(41.085651, -73.858467) → Sleepy Hollow, USA
(57.790001, -152.407227) → Kodiak, USA
(31.205753, 29.924526) → Alexandria, Egypt

Now we look for a pattern. A common trick in these kinds of challenges is to take the first letter of each city:

First group:

Kyoto
Odesa
Dayton
Istanbul
Abu Dhabi
Kuala Lumpur

→ KODIAK

Second group:

Addis Ababa
Loja
Amsterdam
Sleepy Hollow
Kodiak
Alexandria

→ ALASKA

So the hidden message is:

KODIAK_ALASKA

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

Final flag

picoCTF{KODIAK_ALASKA}

:::note[💡 TL;DR / Lesson Learned] Location-based puzzles usually hide words in the initials of cities.
Map the coordinates, take the first letters, and the message appears. :::

🔐 PicoGym - rail-fence

Thu, 20 Nov 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/rail-fence/message.txt" download>📂 Download challenge file.</a>

Description: A type of transposition cipher is the rail fence cipher, which is described here. Here is one such cipher encrypted using the rail fence with 4 rails. Can you decrypt it? Download the message here. Put the decoded message in the picoCTF flag format, picoCTF{decoded_message}.
Difficulty: Medium
Author: Will Hong

Summary

This challenge introduces the Rail Fence Cipher, a classic transposition cipher. The goal is to decrypt the ciphertext stored in message.txt using a Rail Fence with 4 rails, then wrap the result in the flag format: picoCTF{decoded_message}.

Analysis

We are provided with a file named message.txt:

$ file message.txt 
message.txt: ASCII text, with no line terminators

$ cat message.txt 
Ta _7N6D49hlg:W3D_H3C31N__A97ef sHR053F38N43D7B i33___N6

So the ciphertext is : Ta _7N6D49hlg:W3D_H3C31N__A97ef sHR053F38N43D7B i33___N6

Since the challenge description specifies Rail Fence Cipher with 4 rails, we know this is a transposition cipher, not substitution. Before decrypting it, let's first understand how the Rail Fence Cipher works.

What is Rail Fence Cipher?

The Rail Fence Cipher is a transposition cipher that encrypts a message by writing it in a zig-zag pattern across several “rails” (rows), then reading the characters row by row.

It is often described as writing text in a wave-like pattern:

Write characters diagonally downwards.
When the bottom rail is reached, move diagonally upwards.
Repeat the pattern until the entire message is written.
Finally, read off each rail from top to bottom to form the ciphertext.

How Rail Fence Encryption & Decryption Work

Encryption Steps

Choose a number of rails (rows).
Place characters in an up–down zig-zag pattern across the rails.
Read each rail straight across.

Decryption Steps

Recreate the zig-zag structure.
Fill the rails row-by-row using the ciphertext.
Reconstruct the plaintext by following the original zig-zag path.

Encrytion Example (with 4 rails)

Plaintext:

WEAREDISCOVEREDFLEEATONCE

Written in zig-zag:

Rail 1: W . . . R . . . E . . . E . . . A . . .
Rail 2: . E . R . D . S . O . E . E . F . E . T .
Rail 3: . . A . . C . . . V . . . R . . . L . . .
Rail 4: . . . E . . . . . . . . . . . . . . . . .

(Periods represent empty positions.)

Now read each rail from top to bottom:

Rail 1 → W R E E A C  
Rail 2 → E R D S O E E F E T N  
Rail 3 → A C V R L E  
Rail 4 → E

Ciphertext :

WREEACERDSOEEFE TNA CVRLE

Decryption Example (with 4 rails)

To decrypt, we reverse the process.

Step 1, Mark the zig-zag path

For a 4-rail fence, the pattern repeats every:

2×(rails−1)=2×3=6

We first draw the empty rails for the length of the ciphertext (25 chars):

Rail 1: * . . . * . . . * . . . * . . . * . . . * 
Rail 2: . * . * . * . * . * . * . * . * . * . * . *
Rail 3: . . * . . * . . * . . * . . * . . * . . * .
Rail 4: . . . * . . . * . . . * . . . * . . . * . .

Step 2, Fill in rails row by row

Fill row by row using characters from the ciphertext.

Step 3, Read the plaintext in zig-zag

Plaintext obtained:

WEAREDISCOVEREDFLEEATONCE

Decrypting the ciphertext (4 Rails)

Using the same decryption process or an online tool such as Rail Fence decoder

We obtain the plaintext: The flag is: WH3R3_D035_7H3_F3NC3_8361N_4ND_3ND_4A76B997

PicoCTF flag Format

Now for the flag, we need to just wrap it in the format : ~~picoCTF{WH3R3_D035_7H3_F3NC3_8361N_4ND_3ND_4A76B997}~~

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

:::note[💡 TL;DR / Lesson Learned] The Rail Fence cipher is a simple transposition method, it only rearranges characters without altering them. Decryption is straightforward once you know the number of rails and reconstruct the zig-zag pattern used during encryption. Like most classical ciphers, Rail Fence is not secure today; it is vulnerable to pattern analysis and can be solved quickly with modern tools. :::

🔐🫙 PicoGym - HideToSee

Sun, 16 Nov 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/HideToSee/atbash.jpg" download>📂 Download challenge file.</a>

Description: How about some hide and seek heh? Look at this image here.
Difficulty: Medium
Author: Sunday Jacob Nwanyim

Summary

This challenge combines two concepts: image steganography (using steghide) and the Atbash cipher. The goal is to extract hidden data from a JPEG image and decode it using Atbash.

Analysis

We are provided with a file named atbash.jpg:

$ file atbash.jpg
atbash.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 465x455, components 3

So the file is a normal JPEG image:

Step 1: Extracting Hidden Data

The most common steganography tool for JPEGs is steghide, which can hide text or files inside images.

$ steghide atbash.jpg
wrote extracted data to "encrypted.txt".

This gives us a new file:

$ cat encrypted.txt
krxlXGU{zgyzhs_xizxp_8z0uvwwx}

So the hidden message inside the JPEG is:

krxlXGU{zgyzhs_xizxp_8z0uvwwx}

It clearly looks like a flag, but encoded.

Step 2: Understanding Atbash

What is atbash cipher ?

Atbash is a monoalphabetic substitution cipher where every letter is mapped to its “reverse”:

A ↔ Z
B ↔ Y
C ↔ X
...
M ↔ N

It applies only to alphabetic characters, numbers, braces, underscores, etc., remain unchanged. So to decode, we simply reverse each letter using the Atbash mapping.

Step 3: Manually Decoding the String

Let’s decode it character by character.

k → p
r → i
x → c
l → o
X → C
G → T
U → F

So:

krxlXGU  → picoCTF

Continuing the Atbash mapping over the rest of the string gives : ~~picoCTF{atbash_crack_8a0feddc}~~

Manual decoding works, but to speed things up we can also use an online tool such as the Atbash Decoder

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

Final flag : ~~picoCTF{atbash_crack_8a0feddc}~~

:::note[💡 TL;DR / Lesson Learned] This challenge shows how to extract hidden data from a JPEG using steghide and decode it using the Atbash cipher, revealing the final flag. :::

🔐 PicoGym - ReadMyCert

Sat, 15 Nov 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/ReadMyCert/readmycert.csr" download>📂 Download challenge file.</a>

Description: How about we take you on an adventure on exploring certificate signing requests. Take a look at this CSR file here. Difficulty: Medium
Author: Sunday Jacob Nwanyim

Summary

This challenge introduces the concepts of PEM certificates, certificate signing requests (CSR), and Base64 encoding. The goal is to explore how certificate data is stored and how to inspect what’s inside a CSR file.

Analysis

We are provided with a file named readmycert.csr:

$ file readmycert.csr 
readmycert.csr: PEM certificate request

From this, we can see that it is a PEM certificate request.

What is PEM certificate?

A PEM (Privacy Enhanced Mail) certificate is a text-based file format that stores cryptographic data such as digital certificates, certificate signing requests, or private keys. It is commonly used by web servers like Apache and is easy to identify because it contains Base64-encoded text wrapped between headers like:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Key characteristics of a PEM certificate file:

Text-based format: PEM files are human-readable text files, though the content itself is encoded in Base64.
Content: They can contain various security data, including public keys, private keys, and certificate requests.
Headers and footers: The start and end of the data within a PEM file are marked by clear text labels, such as -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
File extensions: While the .pem extension is common, PEM-formatted data can also be found in other file extensions like .crt, .cer, .csr, or .key.
Container format: A single PEM file can sometimes contain multiple certificates and/or keys bundled together.

Since PEM stores Base64-encoded data, let’s briefly look at Base64 encoding.

What is Base64 encoding?

Base64 is a binary-to-text encoding scheme used to represent arbitrary binary data (like certificates, keys, or files) using only readable ASCII characters. This makes it safe for transmission through systems that may not handle raw binary properly.

How it works

The binary data is split into 6-bit groups.
Each 6-bit value (0–63) maps to a character in the Base64 index table:
- A–Z → 0–25
- a–z → 26–51
- 0–9 → 52–61
- + → 62
- / → 63
If the final chunk is incomplete, padding (=) is added so the output length is always a multiple of 4.

Manual Encoding (The Concept)

Let's manually encode the word Hi into Base64 to see the algorithm in action.

Convert to ASCII Decimal: First, find the ASCII values for each character.

H = 72
i = 105

Convert to Binary: Convert the decimal values to 8-bit binary.

72 = 01001000
105 = 01101001
Combined binary stream: 01001000 01101001 (16 bits)

Split into 6-bit chunks: Split the 16-bit stream into 6-bit groups.

010010 -> Decimal 18
000110 -> Decimal 6
1001 -> We only have 4 bits. We need to pad with two zeros to make a 6-bit chunk.
100100 -> Decimal 36
We had 16 bits, which is not divisible by 6. We will need to handle padding later.

Map to Base64 Table: Convert each 6-bit number using the Base64 index table.

18 -> S
6 -> G
36 -> k

Apply Padding: The original data was 2 bytes (16 bits). We ended up with three 6-bit chunks (18 bits), but the last one was padded. Since we had 2 bytes, which is 2 mod 3, we add one = padding character.

So, Hi in Base64 is SGk=.

Command-Line

In practice, we use CLI tools instead of manual conversion. On Linux, macOS, or WSL, you can decode Base64 like this:

$ echo "SGk=" | base64 --decode
Hi

Challenge

The content of the file is:

We can immediately notice the = padding at the end, which confirms that the content is Base64-encoded.

To decode or inspect the certificate request, we can either use the command line or an online tool like CyberChef.

Using the command line:

OpenSSL can parse and display CSR details:

$ openssl req -in readmycert.csr -noout -text

This will show fields such as:

Subject (CN, OU, etc.)
Public key information
Signature algorithm
CSR attributes

The output includes the following:

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN=picoCTF{read_mycert_3aa80090}, name=ctfPlayer
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dd:4f:76:95:b8:b0:ab:a6:ec:08:45:b9:b0:e5:
                    f3:ab:1f:96:48:b6:d1:d5:8a:91:9f:e2:64:16:18:
                    5f:f4:58:a9:92:16:9b:db:de:a5:d7:f0:91:e8:83:
                    77:3e:ca:ae:23:f3:33:db:53:0e:e2:66:d6:45:af:
                    f3:fd:c0:c4:7a:d8:c2:58:85:1c:ad:25:b2:65:18:
                    74:e7:0f:7e:bb:e5:87:a4:88:b9:9c:07:bf:18:6b:
                    47:40:c9:d3:e5:b9:bd:4f:b8:8f:d1:bf:86:4d:be:
                    24:b3:14:46:1f:16:65:a7:70:06:14:5c:7c:8c:64:
                    f7:b3:97:ba:38:ef:1d:2f:4a:a6:53:00:b3:9b:a5:
                    71:24:90:72:fe:fb:42:42:1c:c5:58:35:39:20:d5:
                    66:81:23:4e:bd:77:d6:0f:bf:26:8c:77:4f:eb:85:
                    3c:4b:f3:17:d8:aa:d3:72:4c:53:7f:68:a9:f1:9a:
                    14:bd:36:11:04:da:4e:5f:1e:7c:b2:03:90:6c:6b:
                    28:27:3e:26:19:f8:7b:59:83:fb:d5:25:52:62:27:
                    f6:7b:0e:04:26:0d:ae:77:ea:e2:eb:00:2f:5d:19:
                    3c:c0:ed:cb:64:b1:c9:54:e5:d3:5e:f5:b6:bb:c2:
                    03:d0:c5:e4:f4:46:e9:e3:18:8a:b2:4e:98:5d:7c:
                    a1:25
                Exponent: 65537 (0x10001)
        Attributes:
            Requested Extensions:
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        c6:bb:b3:f9:77:98:0c:09:8b:b2:ec:a2:c3:d2:eb:f5:65:67:
        07:d3:76:22:40:bf:e5:8e:28:df:53:d6:ad:89:44:7b:00:19:
        1a:d6:f4:6c:f9:a7:b9:d2:04:a2:71:7a:f4:5a:38:cc:27:5d:
        62:b4:1e:a9:8d:df:2d:bf:96:8a:f9:d2:35:b3:a8:b8:4c:e1:
        39:db:2a:c6:a4:5e:71:08:a3:dd:17:80:7a:32:fa:7d:03:2f:
        4d:bd:e8:b8:3f:c6:85:eb:46:0a:e1:da:8d:eb:b5:94:dc:fa:
        2a:ea:53:34:d1:33:b4:35:17:be:8b:36:68:2d:11:7a:af:6c:
        e9:ba:1b:1d:9d:01:23:e1:54:00:1f:ca:54:41:09:3c:b3:d9:
        d6:30:83:6b:cc:93:0b:78:7b:96:d3:be:9c:de:ff:1c:93:c8:
        8f:0f:c9:da:b4:f5:86:09:7b:4f:9a:d9:c1:d2:81:ca:32:1a:
        85:97:8c:82:b8:09:4c:63:04:d5:c0:17:14:8f:09:c4:b7:e4:
        94:64:06:7c:86:a3:e2:8b:f9:7b:6e:2b:dc:82:5f:bc:41:16:
        4c:0b:c9:b2:bb:32:3e:13:78:68:b0:0e:c4:7f:d1:2c:2a:c9:
        61:9b:ed:0d:a6:e7:c6:b2:f1:15:66:a6:60:08:12:cd:b5:33:
        7d:b7:e9:9e

As we can see, the flag is embedded directly inside the Subject CN field:

CN=picoCTF{read_mycert_3aa80090}

Using CyberChef

If using CyberChef, the PEM headers must first be removed:

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

Once removed, apply the “From Base64” operation to decode the CSR data and inspect the ASN.1 structure. CyberChef will then display the embedded fields, including the flag.

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

:::note[💡 TL;DR / Lesson Learned] This challenge demonstrates:

How PEM files store cryptographic information in Base64 format.
How to decode and inspect CSR files using OpenSSL or CyberChef.
How flags can be hidden in metadata fields like the Subject CN :::

🔐 PicoGym - Vigenere

Fri, 14 Nov 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/Vigenere/cipher.txt" download>📂 Download challenge file.</a>

Description: Can you decrypt this message? Decrypt this message using this key "CYLAB"..
Difficulty: Medium
Author: Mubarak Mikail

Summary

This challenge is about Vigenère cipher, a classic polyalphabetic substitution cipher.

It can be solved either manually (tabula recta) or automatically using an online tool like Vignere cipher

The approach is quite similar to the one used in Easy1.

Analysis

We are given a file cipher.txt:

$ file cipher.txt
cipher.txt: ASCII text

Its contents are:

rgnoDVD{O0NU_WQ3_G1G3O3T3_A1AH3S_2951c89f}

At first glance, the text inside the braces looks like a flag, but the prefix rgnoDVD doesn’t match the standard picoCTF{} format. This suggests that the flag string has been encrypted using the Vigenère cipher with the provided key "CYLAB".

It’s important to note that only alphabetic characters are affected by the cipher, symbols, digits, and underscores remain unchanged.

Decryption Steps

Since the key and ciphertext lengths differ, the key must be repeated to align with the entire text.

Key:      CYLABCYLABCYLABCYLABCYLABCYLABCYLABCYLABCY
Cipher:   rgnoDVD{O0NU_WQ3_G1G3O3T3_A1AH3S_2951c89f}

We then decrypt only the alphabetic characters using the Vigenère decryption formula, leaving all non-letter characters as they are:

plaintext_letter = (ciphertext_index - key_index) mod 26

Steps to Solve

Align ciphertext and key.
Convert each letter to its alphabet index (A=0 to Z=25).
Subtract the key index from the ciphertext index (mod 26).
Convert the result back to letters.
Combine all results to get the plaintext message.

Alternatively, we can simplify the process by using an online Vigenère Cipher Decoder, which follows the same tabula recta decryption method.

The decrypted flag is ~~picoCTF{D0NT_US3_V1G3N3R3_C1PH3R_2951a89h}~~.

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

:::note[💡 TL;DR / Lesson Learned] The Vigenère cipher encrypts letters by shifting them according to a repeating keyword.

Non-alphabetic characters (like {}, _, and digits) remain untouched. :::

🔐 PicoGym - basic-mod1

Fri, 14 Nov 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/basic-mod1/message.txt" download>📂 Download challenge file.</a>

Description: We found this weird message being passed around on the servers, we think we have a working decryption scheme. Download the message here. Take each number mod 37 and map it to the following character set: 0-25 is the alphabet (uppercase), 26-35 are the decimal digits, and 36 is an underscore. Wrap your decrypted message in the picoCTF flag format (i.e. picoCTF{decrypted_message})
Difficulty: Medium
Author: Will Hong

Summary

This challenge introduces the concept of modulo (mod) arithmetic, a fundamental concept in cryptography.

It can be solved either manually or using a simple Python script.

Analysis

So we got a file messgae.txt:

$ file message.txt 
message.txt: ASCII text, with no line terminators

Its content is:

350 63 353 198 114 369 346 184 202 322 94 235 114 110 185 188 225 212 366 374 261 213

What is modulo?

Modulo is a mathematical operation that finds the remainder when one number is divided by another. For example:

10 mod 3 = 1  (because 10 ÷ 3 = 3 remainder 1)
350 mod 37 = 17

In cryptography, modulo is often used to wrap numbers into a fixed range, such as mapping numbers to letters or digits.

Challenge

According to the challenge instructions:

Take each number mod 37
Map the result to a character using this mapping:

0–25 → A–Z
26–35 → 0–9
36 → _

Combine the decoded characters.
Wrap the result in the format: picoCTF{decrypted_message}

Decryption

We calculate each number modulo 37 and map it to the corresponding character:

Number	Calculation	mod 37	Character
350	350 − (37×9 = 333)	17	R
63	63 − (37×1 = 37)	26	0
353	353 − (37×9 = 333)	20	U
198	198 − (37×5 = 185)	13	N
114	114 − (37×3 = 111)	3	D
369	369 − (37×9 = 333)	36	_
346	346 − (37×9 = 333)	13	N
184	184 − (37×4 = 148)	36	_
202	202 − (37×5 = 185)	17	R
322	322 − (37×8 = 296)	26	0
94	94 − (37×2 = 74)	20	U
235	235 − (37×6 = 222)	13	N
114	114 − (37×3 = 111)	3	D
110	110 − (37×2 = 74)	36	_
185	185 − (37×5 = 185)	0	A
188	188 − (37×5 = 185)	3	D
225	225 − (37×6 = 222)	3	D
212	212 − (37×5 = 185)	27	1
366	366 − (37×9 = 333)	33	7
374	374 − (37×10 = 370)	4	E
261	261 − (37×7 = 259)	2	C
213	213 − (37×5 = 185)	28	2

Decrypted Message

Putting it together:

R0UND_N_R0UND_ADD17EC2

Similar can be done with Python:

numbers = [350, 63, 353, 198, 114, 369, 346, 184, 202, 322, 94, 235, 114, 110, 185, 188, 225, 212, 366, 374, 261, 213]

def decode(n):
    r = n % 37
    if 0 <= r <= 25:
        return chr(ord('A') + r)
    elif 26 <= r <= 35:
        return chr(ord('0') + (r - 26))
    else:
        return "_"

flag = "".join(decode(n) for n in numbers)
print("picoCTF{" + flag + "}")

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

Wrapped in picoCTF flag format:

picoCTF{R0UND_N_R0UND_ADD17EC2}

:::note[💡 TL;DR / Lesson Learned] This challenge demonstrates how the modulo operation can be used in cryptography to map numbers to a fixed set of symbols, such as letters, digits, or special characters. :::

🔐 PicoGym - Flags

Thu, 13 Nov 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/Flags/flag.png" download>📂 Download challenge file.</a>

Description: What do the flags mean?
Difficulty: Medium
Author: Danny

Summary

This challenge focuses on decoding a message hidden using Maritime Signal Flags, a visual communication method used by ships.
The challenge provides an image file named flag.png, which displays a sequence of maritime flags.

Decoding can be done manually using the reference chart or automatically through online tools like Maritime Signals decoder

Analysis

We are given a PNG file, and upon opening it, we can see a series of flags resembling country or signal flags:

However, I noticed that the flag format PICOCTF{...} is preserved, the curly braces remain intact.

This suggests that the encoding technique only affects letters and numbers, leaving symbols like { and } unchanged.

A quick search suggests that this is likely using the Navy Signals Cipher, a system that maps letters and digits to specific maritime flags.

What Are Nautical Signal Flags?

The International Code of Maritime Signals (ICS) is a visual communication system used in maritime navigation to transmit messages between ships or between a ship and the shore.
It uses a set of distinct flags (also called pennants or semaphores), and each flag represents a specific letter or number.

How Does the Navy Signals Cipher Work?

The International Maritime Signal Code can also be used as a monoalphabetic substitution cipher,
each nautical flag stands for a letter (A–Z) or a number (0–9).

Example:

Number Flags

Digits have distinct flag designs and correspond to lowercase ASCII characters:

How to Decrypt Maritime Signal Flags

Decryption is straightforward, substitute each flag with its corresponding letter or digit.

Example:

Recognizing Maritime Flag Ciphertext

Ciphertext made with this method typically contains:

Square flags in blue, white, yellow, red, or black (no green or mixed colors).
Patterns or themes related to ships, navy, or seafaring clues (like lighthouses or distress signals).

These visual hints indicate that the challenge likely involves Nautical Signal Flags.

Why Use Maritime Signal Flags?

The International Maritime Signal Flags system allows ships to communicate when radio or electronic communication is unavailable.
It’s used for transmitting navigation instructions, warnings, and emergency messages, forming a critical part of naval operations.

Solution

To decode the message, I substituted each maritime flag in the PNG file with its corresponding letter or digit.
I used the Maritime Signals decoder.

The decoded flag is PICOCTFF1AG5AND5TUFF.
Since the curly braces {} were not part of the encryption, I added them back to match the flag format:

:::note[⚡ Raikiri] 🎉 Flag pwned! The Navy Signals Cipher has been successfully decoded. :::

PICOCTF{F1AG5AND5TUFF}

:::note[💡 TL;DR / Lesson Learned] The International Maritime Signal Flags system was primarily a visual communication tool for ships, not a cryptographic system. Its main purpose was safe, reliable signaling over distances when radio or other means weren’t available.

This system was originally used by ships to communicate visually over distances. However, this type of communication is no longer used for security purposes, as it is easily breakable. :::

🔐 PicoGym - Easy1

Thu, 13 Nov 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/Easy1/table.txt" download>📂 Download challenge file.</a>

Description: The one time pad can be cryptographically secure, but not when you know the key. Can you solve this? We've given you the encrypted flag, key, and a table to help UFJKXQZQUNB with the key of SOLVECRYPTO. Can you use this table to solve it?.
Difficulty: Medium
Author: Alex Fulton/Danny

Summary

This challenge introduces the concept of the Vigenère cipher, a classic polyalphabetic substitution cipher.

It can be solved either manually using the provided table.txt (tabula recta) or automatically using an online tool like Vignere cipher

Analysis

We are given a file table.txt:

$ file table.txt
table.txt: ASCII text

Its contents are:

    A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 
   +----------------------------------------------------
A | A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
B | B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
C | C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
D | D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
E | E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
F | F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
G | G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
H | H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
I | I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
J | J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
K | K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
L | L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
M | M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
N | N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
O | O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
P | P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
Q | Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
R | R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
S | S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
T | T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
U | U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
V | V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
W | W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
X | X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
Y | Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
Z | Z A B C D E F G H I J K L M N O P Q R S T U V W X Y

This table is known as the tabula recta, which is the foundation of the Vigenère cipher.

What is the Vigenère Cipher?

The Vigenère cipher is a method of encrypting text using a series of Caesar ciphers with different shift values determined by a repeating keyword.

It’s considered a polyalphabetic substitution cipher because it uses multiple substitution alphabets, making it stronger than a simple Caesar cipher.

Decryption

The provided ciphertext and key are:

Ciphertext: UFJKXQZQUNB
Key: SOLVECRYPTO

Since the key length (11) matches the ciphertext length, each ciphertext letter corresponds directly to one key letter. The decryption formula is:

plaintext_letter = (ciphertext_letter_index - key_letter_index) mod 26

Example (first character):

Cipher U = 20 (A=0)
Key S = 18
Plain = (20 - 18) mod 26 = 2 → C

Steps to Solve

Align ciphertext and key.
Convert each letter to its alphabet index (A=0 to Z=25).
Subtract the key index from the ciphertext index (mod 26).
Convert the result back to letters.
Combine all results to get the plaintext message.

Alternatively, we can simplify the process by using an online Vigenère Cipher Decoder, which follows the same tabula recta decryption method.

The decrypted message is CRYPTOISFUN. Flag:

picoCTF{CRYPTOISFUN}

:::note[⚡ Raikiri] 🎉 Flag pwned! :::

:::note[💡 TL;DR / Lesson Learned] The Vigenère cipher is a form of polyalphabetic substitution cipher that uses a repeating keyword to shift letters in the plaintext.

Unlike a simple Caesar cipher that uses one shift value, Vigenère applies multiple shifts based on the keyword, making it more secure, but still vulnerable to frequency and key-reuse analysis. :::

🔐 PicoGym - rotation

Thu, 13 Nov 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/rotation/encrypted.txt" download>📂 Download challenge file.</a>

Description: You will find the flag after decrypting this file. Download the encrypted flag here.
Difficulty: Medium
Author: Loic Shema

Summary

This challenge uses the concept of a Caesar Cipher.
You are provided with an encoded message file named encrypted.txt and must decrypt it to recover the flag.

Decoding can be done manually by trying different shift keys or automatically using tools like Caesar Cipher.

Analysis

The file encrypted.txt contains ASCII text:

$ file encrypted.txt
encrypted.txt: ASCII text

So its contents look like this:

xqkwKBN{z0bib1wv_l3kzgxb3l_555957n3}

Based on the format, this appears to be a rotation/shift cipher (like a Caesar cipher), because the beginning of the string xqkwKBN{ matches the flag format picoCTF{ after applying a shift.

I brute-forced the shift keys to find the correct one using the tool Caesar Cipher. The correct key is +8, which gvies the decrypted flag:

picoCTF{r0tat1on_d3crypt3d_555957f3}

:::note[⚡ Raikiri] 🎉 Flag pwned! The Caesar Cipher has been successfully decrypted. :::

:::note[💡 TL;DR / Lesson Learned] The Caesar Cipher works by shifting letters by a fixed number of positions in the alphabet.
By identifying the correct shift key, we can reverse the encryption and recover the hidden flag. :::

🔐 PicoGym - Substitution0

Thu, 13 Nov 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/substitution0/message.txt" download>📂 Download challenge file.</a>

Description: A message has come in but it seems to be all scrambled. Luckily it seems to have the key at the beginning. Can you crack this substitution cipher?
Difficulty: Medium
Author: Will Hongandu

Summary

This challenge introduces the concept of a Substitution Cipher.
You’re given an encoded message file named message.txt and need to decrypt it to reveal the flag.

You can solve it using online tools like Cryptii Substitution Decoder or by manually analyzing letter frequencies and patterns.

Analysis

What is a (Monoalphabetic) Substitution Cipher?

A monoalphabetic substitution cipher replaces each letter of the alphabet with another letter according to a one-to-one correspondence, meaning a specific plaintext letter always maps to the same ciphertext letter.

It’s called monoalphabetic because only one alphabet mapping is used throughout the message. The substitution alphabet is a scrambled or reordered version of the normal alphabet.

How Encryption Works

To encrypt, a mixed (shuffled) alphabet replaces the standard one.
For example:

Plain Alphabet	A	B	C	D	E	F	G	H	I	J	K	L	M	N	O	P	Q	R	S	T	U	V	W	X	Y	Z
Substitution Alphabet	B	Y	K	W	A	S	L	F	X	O	C	Z	T	D	H	J	U	M	I	G	P	V	E	N	Q	R

Using this table, the plaintext "TEST" would encrypt to GAIG.

Any permutation of the alphabet can serve as a valid key, as long as no letter is repeated.

ACA Classification (K1–K4 Systems)

The American Cryptogram Association (ACA) defines four common key-based variants of the monoalphabetic substitution cipher:

K1 – The key is placed at the start of the substitution alphabet, followed by the remaining unused letters in alphabetical order.
Example: Key “CODE” → CODEABFGHIJKLMNPQRSTUVWXYZ
K2 – The key is placed in the cipher alphabet (reciprocal of K1).
K3 – The same key is used for both the plaintext and cipher alphabets.
K4 – Two different keys are used: one for the plaintext alphabet and one for the cipher alphabet.

How Decryption Works

To decrypt, the process is simply reversed, replace each cipher letter with its corresponding plaintext letter using the inverse substitution table.

Example:

Substitution Alphabet	N	B	A	J	Y	F	O	W	L	Z	M	P	X	I	K	U	V	C	D	E	G	R	Q	S	T	H
Plain Alphabet	A	B	C	D	E	F	G	H	I	J	K	L	M	N	O	P	Q	R	S	T	U	V	W	X	Y	Z

Example: The ciphertext EYDE decrypts to TEST.

How to Identify a Substitution Cipher

Monoalphabetic substitutions can often be recognized by:

Letter frequency similar to natural language (like English).
Spaces preserved, called an Aristocrat cipher.
No spaces, called a Patristocrat cipher.

These characteristics make substitution ciphers ideal for practicing classical cryptanalysis techniques such as frequency analysis and pattern recognition.

Decryption

The message.txt file contains the following ciphertext:

OHNFUMWSVZLXEGCPTAJDYIRKQB 

Suauypcg Xuwaogf oacju, rvds o waoiu ogf jdoduxq ova, ogf hacywsd eu dsu huudxu
mace o wxojj noju vg rsvns vd roj ugnxcjuf. Vd roj o huoydvmyx jnoaohouyj, ogf, od
dsod dveu, yglgcrg dc godyaoxvjdj, cm ncyaju o wauod pavbu vg o jnvugdvmvn pcvgd
cm ivur. Dsuau ruau drc acygf hxonl jpcdj guoa cgu ukdauevdq cm dsu honl, ogf o
xcgw cgu guoa dsu cdsua. Dsu jnoxuj ruau uknuufvgwxq soaf ogf wxcjjq, rvds oxx dsu
oppuoaognu cm hyagvjsuf wcxf. Dsu ruvwsd cm dsu vgjund roj iuaq aueoalohxu, ogf,
dolvgw oxx dsvgwj vgdc ncgjvfuaodvcg, V ncyxf soafxq hxoeu Zypvdua mca svj cpvgvcg
aujpundvgw vd.

Dsu mxow vj: pvncNDM{5YH5717Y710G_3I0XY710G_03055505}

From the start of the file, I noticed a key hint: the first few letters indicate the substitution alphabet order. Using this OHNFUMWSVZLXEGCPTAJDYIRKQB, we can reconstruct the mapping table.

By applying the monoalphabetic substitution decryption (either manually or using Cryptii Substitution Decoder), we get the plaintext:

picoCTF{5UB5717U710N_3V0LU710N_03055505}

:::note[⚡ Raikiri] 🎉 Flag pwned! The ciphertext has been decoded successfully. :::

:::note[💡 TL;DR / Lesson Learned] Monoalphabetic substitution ciphers replace each letter with a fixed substitute from a defined alphabet. While simple to break with frequency analysis or known hints, they illustrate the basics of classical cryptography and the evolution toward modern, more secure encryption methods. :::

🔐 PicoGym - 13

Wed, 12 Nov 2025 00:00:00 GMT

Description: Cryptography can be easy, do you know what ROT13 is? cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}
Difficulty: Medium
Author: Alex Fulton/Daniel Tunitis

Summary

This challenge focuses on the ROT13 cipher, a simple substitution cipher that shifts each letter by 13 places in the alphabet.
The goal is to decode the ciphertext cvpbPGS{abg_gbb_onq_bs_n_ceboyrz}.

You can solve it using any online ROT13 tool, such as rot13.com, or by applying the shift manually.

Analysis

This challenge is quite similar to Mod 26

UIisng the ROT13, we get the flag : picoCTF{not_too_bad_of_a_problem} :::note[⚡ Raikiri] 🎉 Flag pwned! The ROT13 cipher has been successfully decoded. :::

:::note[💡 TL;DR / Lesson Learned] ROT13 is a Caesar cipher with a fixed shift of 13.
Applying it twice returns the original text, a simple yet elegant example of modular arithmetic in action. :::

🔐 PicoGym - The Numbers

Wed, 12 Nov 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/The_Numbers/the_numbers.png" download>📂 Download the challenge file.</a>

Description: The numbers... what do they mean?
Difficulty: Medium
Author: Danny

Summary

This challenge provides an image containing a sequence of numbers.

The goal is to decode the numbers inside the braces using the Letter-to-Number Cipher to recover the flag.

Analysis

We are provided with the image the_numbers.png. On this it contains this 16 9 3 15 3 20 6 {20 8 5 14 21 13 2 5 18 19 13 1 19 15 14}

To identify the cipher method, we can use dcode.fr.

It suggests that the sequence uses a Letter-to-Number Cipher.

What is Letter-to-Number Cipher? Also known as the Number-to-Letter Cipher or A1Z26, this cipher replaces each letter with its position in the alphabet:

Letter	A	B	C	D	E	F	G	H	I	J	K	L	M	N	O	P	Q	R	S	T	U	V	W	X	Y	Z
Number	1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26

How to Encrypt Using A1Z26

Take the plaintext letter.
Find its position in the alphabet.
Replace the letter with its corresponding number.

For example, "A" becomes 1, "B" becomes 2, and so on up to "Z" = 26.
Decoding is simply the reverse process: convert numbers back into letters to recover the original text.

Now let's decrypt our flag:

Split into the part before the braces and the part inside:

Before braces: 16 9 3 15 3 20 6
Inside braces: 20 8 5 14 21 13 2 5 18 19 13 1 19 15 14

Convert each number using A1Z26 (A=1, B=2, …, Z=26):

Before braces

16 → P
9 → I
3 → C
15 → O
3 → C
20 → T
6 → F

Assembled: P I C O C T F → PICOCTF

Inside braces

20 → T
8 → H
5 → E
14 → N
21 → U
13 → M
2 → B
5 → E
18 → R
19 → S
13 → M
1 → A
19 → S
15 → O
14 → N

Assembled: T H E N U M B E R S M A S O N → THENUMBERSMASON

Using the standard flag format, the final flag is: PICOCTF{THENUMBERSMASON}

:::note[⚡ Raikiri] 🎉 Flag pwned! The numeric ciphertext has been decoded successfully. :::

This can also be solved using online tools like dcode.fr.

:::note[💡 TL;DR / Lesson Learned] Number-to-Letter (A1Z26) ciphers are simple yet effective for learning about encoding. :::

🔐 PicoGym - interencdec

Wed, 12 Nov 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/interencdec/enc_flag" download>📂 Download challenge file.</a>

Description: Can you get the real meaning from this file.
Difficulty: Easy
Author: NGIRIMANA Schadrack

Summary

This challenge introduces the concept of basic text encoding and substitution ciphers. You’re given an encoded flag file named enc_flag and need to uncover its hidden message.

You can solve it using online tools like cyberchef and dcode.fr

Analysis

First we identify the file type:

$ file enc_flag
enc_flag: ASCII text

It’s plain ASCII text, so let’s open it. The file contains:

YidkM0JxZGtwQlRYdHFhR3g2YUhsZmF6TnFlVGwzWVROclh6ZzJhMnd6TW1zeWZRPT0nCg==

Base64 is a binary-to-text encoding scheme that converts binary data into ASCII characters. It’s commonly used to encode data for safe transmission over text-based protocols. Base64 strings often end with = or == as padding. Read more about base64

Stage 1

The trailing == suggests Base64 encoding. Let's verify this.

So we decode it. You can use base64 locally or an online tool like CyberChef. Decoding the first layer gives:

which is b'd3BqdkpBTXtqaGx6aHlfazNqeTl3YTNrXzg2a2wzMmsyfQ=='

Stage 2

This looks like a Python bytes literal (b'...'), the actual Base64 payload is the inner string: d3BqdkpBTXtqaGx6aHlfazNqeTl3YTNrXzg2a2wzMmsyfQ==

Decode that second Base64 layer and we get: wpjvJAM{jhlzhy_k3jy9wa3k_86kl32k2}

Stage 3

Now this looks familier the challenge mod 26

To recover the flag, I performed a simple Caesar shift (mod 26) brute force over all 26 shifts. The correct shift was 19.

:::note[⚡ Raikiri] 🎉 Flag pwned! The ciphertext has been decoded successfully. :::

:::note[💡 TL;DR / Lesson Learned] Double Base64 → ROT cipher → Flag recovered.
Always check for multiple layers of encoding, even in simple CTF files.
Don’t rely on simple encodings for real-world security! :::

🔐 PicoGym - Caesar

Wed, 12 Nov 2025 00:00:00 GMT

<a href="/files/PicoGym/Cryptography/Caesar/data.enc" download>📂 Download challenge file.</a>

Description: Decrypt this message.
Difficulty: Medium
Author: NSanjay C/Daniel Tunitis

Summary

This challenge introduces the concept of Caesar cipher. You’re given an encoded flag file named data.enc and need to decrypt it to reveal the hidden flag.

You can solve it using online tools like Caesar cipher decoder or by manually testing shifts.

Analysis

First we identify the file type:

$ file data.enc
data.enc: ASCII text

It’s plain ASCII text, so let’s open it. The file contains:

picoCTF{hwtxxnslymjwzgnhtswlvhsgdv}

The flag clearly starts with the known prefix picoCTF{}, but the inner text hwtxxnslymjwzgnhtswlvhsgdv is encrypted.

This strongly suggests the Caesar cipher, a classic encryption method where each letter in the plaintext is shifted by a fixed number of positions in the alphabet.

What Is the Caesar Cipher?

The Caesar cipher is one of the oldest and simplest encryption techniques. It works by shifting each letter of the alphabet by a fixed number (called the key or offset).

For example, with a shift of 3:

A → D
B → E
C → F
... and so on.

Decryption simply reverses this process by shifting in the opposite direction.

Now, let’s decode the ciphertext. Using a Caesar cipher decoder, I tried different shifts (0–25) until I found the one that gives readable text.

After testing a few offsets, we find that a shift of 5 correctly decrypts the message:

picoCTF{crossingtherubiconrgqcnbyq}

:::note[⚡ Raikiri] 🎉 Flag pwned! The ciphertext has been decoded successfully. :::

:::note[💡 TL;DR / Lesson Learned] The Caesar cipher works by shifting letters by a fixed offset, a foundational concept in classical cryptography.
It’s no longer used in modern security because it can be easily decoded, though it was once used in early military communications. :::

🔐 PicoGym - Mod 26

Tue, 11 Nov 2025 00:00:00 GMT

Description: "Cryptography can be easy, do you know what ROT13 is cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_nSkgmDJE}
Difficulty: Easy
Author: Pandu

Summary

This challenge teaches ROT13 by asking you to decode the ciphertext cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_nSkgmDJE}.

You can solve it using online ROT13 tools or by applying the ROT13 substitution manually.

Analysis

ROT13 is a simple substitution cipher that replaces each letter in a text with the letter 13 places after it in the alphabet. Because there are 26 letters in the Latin alphabet, applying ROT13 twice returns the original text, making it both an encryption and decryption method. For example, "A" becomes "N" and "N" becomes "A".

Now how Modulo 26 is related to ROT13

In cryptography, Mod 26 represents arithmetic done within the bounds of the 26-letter alphabet. ROT13 can be expressed mathematically as:

E(x) = (x + 13) \bmod 26

Where:

Each letter is first converted to a number (A = 0, B = 1, ..., Z = 25).
Then, 13 is added to that number.
The result is taken modulo 26 to ensure it wraps back around the alphabet once it passes â€œZ.â€

This modular operation guarantees the cyclic behavior of the cipher â€” after â€œZ,â€ it starts again at â€œA.â€
In other words, ROT13 is simply a Caesar cipher with a fixed shift of 13, powered by Mod 26 arithmetic.

Decoding ROT13

Applying ROT13 transforms each letter:

c â†’ p
v â†’ i
p â†’ c
b â†’ o
P â†’ C
G â†’ T
S â†’ F

â€¦and so on, until the full flag is revealed.

Tools for ROT13

You can decode ROT13 either manually or with online tools:

Online decoders: https://www.rot13.com
Command-line:

echo "cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_nSkgmDJE}" | tr 'A-Za-z' 'N-ZA-Mn-za-m'

cipher = "cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_nSkgmDJE}"
plaintext = cipher.encode('rot_13')
print(plaintext)

:::note[âš¡ Raikiri] ?? Flag pwned! The ciphertext has been decoded successfully. :::

:::note[💡 TL;DR / Lesson Learned] ROT13 is a simple substitution cipher that demonstrates modular arithmetic in cryptography.
Applying +13 mod 26 twice restores the original message.
Remember: ROT13 is not secure and should never be used for real-world encryption. :::

🔐 PicoGym - Hashcrack

Mon, 10 Nov 2025 00:00:00 GMT

Description: A company stored a secret message on a server which got breached due to the admin using weakly hashed passwords. Can you gain access to the secret stored within the server? Additional details will be available after launching your challenge instance.
Difficulty: Easy
Author: Nana Ama Atombo-Sackey

Summary

This challenge presents a remote service that gives you three hashes sequentially and asks you to provide their plaintexts. The server hints that weak passwords were used, so common password lookup or a dictionary attack is the right approach.

During the solve I interacted with the service and tested common passwords; all three hashes were weak and cracked quickly. The final step revealed the flag.

Tools

nc (netcat), to talk to the remote service
hashid / hash-identifier, to identify hash types
hashcat or john, for offline cracking using wordlists
rockyou.txt, common password list
Online hash lookup services like CrackStation, useful for common passwords and precomputed hash databases.

Analysis

I connected to the remote service:

nc domain port

Then we get the following message:

Welcome!! Looking For the Secret?

We have identified a hash: 482c811da5d5b4bc6d497ffa98491e38
Enter the password for identified hash:

The hash provided is: 482c811da5d5b4bc6d497ffa98491e38

A hash is a fixed-length string of characters produced by a hash function, representing input data uniquely. Common hashing algorithms include MD5, SHA-1, and SHA-256.

MD5 produces a 32-character hexadecimal digest.
SHA-1 produces a 40-character hexadecimal digest.
SHA-256 produces a 64-character hexadecimal digest.

Since our hash is 32 characters long, it is very likely an MD5 hash. Hash

Using online tools like :

https://hashes.com/en/tools/hash_identifier
https://www.tunnelsup.com/hash-analyzer/
https://www.dcode.fr/hash-identifier

We also have offline tool like hash-identifier

Because the provided hash is 32 hexadecimal characters long (128 bits), this strongly indicates an MD5 digest. To confirm the hash type I used several online identifier tools, Hashes.com, TunnelsUp, and dCode, and the offline hash-identifier utility included with Kali Linux.

Hashing is a one-way process, once data is hashed, it cannot be reversed. While older algorithms like MD5 and SHA-1 have been broken, newer ones remain strong for now. Still, with the rapid growth of quantum computing and AI, even current standards may eventually be at risk.

Because hashing is one-way, you can’t directly “reverse” a digest. In practice, recovery relies on searching for a matching input: either by computing hashes for candidate plaintexts (dictionary or brute-force attacks) or by using precomputed lookup tables/rainbow tables. When a candidate’s computed hash equals the target digest, that candidate is the likely original plaintext.

Stage 1: MD5

The target digest is an MD5 hash. I used an online lookup service (CrackStation) to search their database of known plaintext–hash pairs. CrackStation matched the hash and returned the original password: password123.

You can crack this kind of hash with tools like hashcat or john using a large wordlist (e.g., rockyou.txt)

After submitting password123 to the service, the server responded:

Welcome!! Looking For the Secret?

We have identified a hash: 482c811da5d5b4bc6d497ffa98491e38
Enter the password for identified hash: password123
Correct! You've cracked the MD5 hash with no secret found!

Flag is yet to be revealed!! Crack this hash: b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3
Enter the password for the identified hash:

Stage 2: SHA-1

I fed the new hash (b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3) to the same identification tools. Hashes.com and other identifiers indicated this is likely SHA-1 (40 hex characters).

Using CrackStation, the hash resolved to letmein.

Stage 3: SHA-256

Submitting letmein to the service produced:

We have identified a hash: 482c811da5d5b4bc6d497ffa98491e38
Enter the password for identified hash: password123
Correct! You've cracked the MD5 hash with no secret found!

Flag is yet to be revealed!! Crack this hash: b7a875fc1ea228b9061041b7cec4bd3c52ab3ce3
Enter the password for the identified hash: letmein
Correct! You've cracked the SHA-1 hash with no secret found!

Almost there!! Crack this hash: 916e8c4f79b25028c9e467f1eb8eee6d6bbdff965f9928310ad30a8d88697745
Enter the password for the identified hash:

The next hash (916e8c4f79b25028c9e467f1eb8eee6d6bbdff965f9928310ad30a8d88697745) is 64 hex characters long, so I treated it as SHA-256

Again using CrackStation (and wordlist-based cracking tools if needed), it resolved to qwerty098.

:::note[⚡ Raikiri] 🎉 Flag pwned! The final hash was cracked, and the flag is now obtained. All stages successfully cleared. :::

:::note[💡 TL;DR / Lesson Learned] Weak passwords = easy cracks. All hashes in this challenge were broken using public databases. Always use strong, unique passwords, don’t give attackers a free pass! :::

🔐 CryptoHack - Modular Arithmetic

Tue, 04 Mar 2025 00:00:00 GMT

Greatest Common Divisor

The Greatest Common Divisor (GCD), sometimes known as the highest common factor, is the largest number which divides two positive integers (a,b).

For a=12,b=8 we can calculate the divisors of {1,2,3,4,6,12} and the divisors of {1,2,4,8}. Comparing these two, we see that gcd(a,b)=4.

Now imagine we take a=11,b=17. Both a and b are prime numbers. As a prime number has only itself and 1 as divisors, gcd(a,b)=1.

We say that for any two integers a,b, if gcd(a,b)=1 then a and b are coprime integers.

If a and b are prime, they are also coprime. If a is prime and b<a then a and b are coprime.

:::note Think about the case for a prime and b>a, why are these not necessarily coprime :::

There are many tools to calculate the GCD of two integers, but for this task we recommend looking up Euclid's Algorithm.

Try coding it up; it's only a couple of lines. Use a=12,b=8 to test it.

Now calculate gcd(a,b) for a=66528,b=52920 and enter it below.

Solution :

# Function to return gcd of a and b 
def gcd(a, b): 
  if a == 0 : 
      return b 
   
  return gcd(b%a, a) # This will loop until a == 0

a = 66528
b = 52920
print("gcd(", a , "," , b, ") = ", gcd(a, b))

:::note[FLAG] By running this script, we get the flag. 🎯 :::

Extended GCD

Let a and b be positive integers. The extended Euclidean algorithm is an efficient way to find integers u,v such that

a⋅u+b⋅v=gcd(a,b)

:::note Later, when we learn to decrypt RSA ciphertexts, we will need this algorithm to calculate the modular inverse of the public exponent. ::: Using the two primes p=26513,q=32321, find the integers u,v such that

p⋅u+q⋅v=gcd(p,q)

Enter whichever of u and v is the lower number as the flag.

:::note Knowing that p,q are prime, what would you expect gcd(p,q) to be For more details on the extended Euclidean algorithm, check out this page

Solution :

# Extended Euclidean Algorithm to find gcd and coefficients (u, v) such that:
# a*u + b*v = gcd(a, b)
def extended_gcd(a, b):
  # Base case: if a is 0, gcd is b, and the coefficients are (0, 1)
  if a == 0:
      return (b, 0, 1)
  else:
       # Recursively apply the extended Euclidean algorithm
      g, x, y = extended_gcd(b % a, a)
      return (g, y - (b // a) * x, x)

p = 26513
q = 32321

gcd, u, v = extended_gcd(p, q)
print("gcd:", gcd)
print("u:", u)
print("v:", v)

:::note[FLAG] By running this script, we get the flag. 🎯 :::

Modular Arithmetic 1

Imagine you lean over and look at a cryptographer's notebook. You see some notes in the margin:

4 + 9 = 1
5 - 7 = 10
2 + 3 = 5

At first you might think they've gone mad. Maybe this is why there are so many data leaks nowadays you'd think, but this is nothing more than modular arithmetic modulo 12 (albeit with some sloppy notation).

You may not have been calling it modular arithmetic, but you've been doing these kinds of calculations since you learnt to tell the time (look again at those equations and think about adding hours).

Formally, "calculating time" is described by the theory of congruences. We say that two integers are congruent modulo m if a ≡ b mod m. Another way of saying this, is that when we divide the integer a by m, the remainder is b. This tells you that if m divides a (this can be written as m∣a) then a ≡ 0 mod m.

Calculate the following integers:

11 ≡ x mod 6
8146798528947 ≡ y mod 17

The solution is the smaller of the two integers, (x,y), you obtained after reducing by the modulus.

Solution :

# First congruence
x = 11 % 6

# Second congruence
y = 8146798528947 % 17

# Output results
print("x =", x)
print("y =", y)
print("Smaller of the two =", min(x, y))

:::note[FLAG] By running this script, we get the flag. 🎯 :::

Modular Arithmetic 2

We'll pick up from the last challenge and imagine we've picked a modulus p, and we will restrict ourselves to the case when p is prime.

:::NOTE If the modulus is not prime, the set of integers modulo n define a ring. :::

A finite field Fₚ is the set of integers 0, 1, ..., p − 1, and under both addition and multiplication, there are inverse elements b₊ and bₓfor every element a in the set, such that: a + b₊ = 0 and a · bₓ = 1

:::note Note that the identity element for addition and multiplication is different! This is because the identity when acted with the operator should do nothing: a + 0 = a and a ⋅ 1 = a. :::

Let's say we pick p = 17. Calculate 3¹⁷ mod 17. Now do the same but with 5¹⁷ mod 17.

What would you expect to get for 7¹⁶ mod 17 Try calculating that.

This interesting fact is known as Fermat's Little Theorem. We'll be needing this (and its generalizations) when we look at RSA cryptography.

Now take the prime p = 65537. Calculate 27324678765⁴⁶⁵⁵³⁶ mod 65537.

Did you need a calculator

Solution :

# Fermat's Little Theorem demonstrations
p1 = 17

# 3^17 mod 17
res1 = pow(3, 17, p1)
print("3^17 mod 17 =", res1)

# 5^17 mod 17
res2 = pow(5, 17, p1)
print("5^17 mod 17 =", res2)

# 7^16 mod 17
res3 = pow(7, 16, p1)
print("7^16 mod 17 =", res3)

# Now using the large prime p = 65537
p2 = 65537
base = pow(27324678765, 4, p2)
res4 = pow(base, 65536, p2)
print("27324678765^4^65536 mod 65537 =", res4) 

# This script shows that for a prime p and integer a not divisible by p:
# a^(p-1) ≡ 1 (mod p)
# Hence answer is 1

:::note[FLAG] By running this script, we get the flag. 🎯 :::

Modular Inverting

Solution :

# Find d such that (3 * d) % 13 == 1

g = 3
p = 13

# Try each number from 1 to 12 to see which one gives (3 * d) % 13 = 1
for d in range(1, p):
  if (g * d) % p == 1:
      print(f"The modular inverse of {g} mod {p} is: {d}")
      break

:::note[FLAG] By running this script, we get the flag. 🎯 :::

Quadratic Residues

Find the quadratic residue and then calculate its square root. Of the two possible roots, submit the smaller one as the flag.

p = 29 ints=[14, 6, 11]

Solution :

p = 29
numbers = [14, 6, 11]

# Loop through each number in the list
for x in numbers:
   # Try every number a from 1 to p-1
  for a in range(1, p):
      if (a * a) % p == x:
          # If found, x is a quadratic residue
          print(f"{x} is a square (quadratic residue) mod {p}")
          print(f"Square roots: {a} and {p - a}")
          print(f"Smaller root to submit as flag: {min(a, p - a)}")
          break
  else:
      print(f"{x} is NOT a square mod {p}")

:::note[FLAG] By running this script, we get the flag. 🎯 :::

Legendre Symbol

Before looking at Legendre's symbol, let's take a brief detour to see an interesting property of quadratic (non-)residues:

Quadratic Residue * Quadratic Residue = Quadratic Residue
Quadratic Residue * Quadratic Non-residue = Quadratic Non-residue
Quadratic Non-residue * Quadratic Non-residue = Quadratic Residue

Want an easy way to remember this Replace "Quadratic Residue" with +1 and "Quadratic Non-residue" with −1, all three results are the same!

Given an integer a and an odd prime p, the Legendre symbol (a/p) tells you:

(a/p) = 1 if a is a quadratic residue modulo p (i.e., there exists some x such that x² ≡ a mod p)

(a/p) = -1 if a is not a quadratic residue modulo p

(a/p) = 0 if a ≡ 0 mod p

Challenge file: Output.txt

Solution :

p = 101524035174539890485408575671085261788758965189060164484385690801466167356667036677932998889725476582421738788500738738503134356158197247473850273565349249573867251280253564698939768700489401960767007716413932851838937641880157263936985954881657889497583485535527613578457628399173971810541670838543309159139

ints = [25081841204695904475894082974192007718642931811040324543182130088804239047149283334700530600468528298920930150221871666297194395061462592781551275161695411167049544771049769000895119729307495913024360169904315078028798025169985966732789207320203861858234048872508633514498384390497048416012928086480326832803, 45471765180330439060504647480621449634904192839383897212809808339619841633826534856109999027962620381874878086991125854247108359699799913776917227058286090426484548349388138935504299609200377899052716663351188664096302672712078508601311725863678223874157861163196340391008634419348573975841578359355931590555, 17364140182001694956465593533200623738590196990236340894554145562517924989208719245429557645254953527658049246737589538280332010533027062477684237933221198639948938784244510469138826808187365678322547992099715229218615475923754896960363138890331502811292427146595752813297603265829581292183917027983351121325, 14388109104985808487337749876058284426747816961971581447380608277949200244660381570568531129775053684256071819837294436069133592772543582735985855506250660938574234958754211349215293281645205354069970790155237033436065434572020652955666855773232074749487007626050323967496732359278657193580493324467258802863, 4379499308310772821004090447650785095356643590411706358119239166662089428685562719233435615196994728767593223519226235062647670077854687031681041462632566890129595506430188602238753450337691441293042716909901692570971955078924699306873191983953501093343423248482960643055943413031768521782634679536276233318, 85256449776780591202928235662805033201684571648990042997557084658000067050672130152734911919581661523957075992761662315262685030115255938352540032297113615687815976039390537716707854569980516690246592112936796917504034711418465442893323439490171095447109457355598873230115172636184525449905022174536414781771, 50576597458517451578431293746926099486388286246142012476814190030935689430726042810458344828563913001012415702876199708216875020997112089693759638454900092580746638631062117961876611545851157613835724635005253792316142379239047654392970415343694657580353333217547079551304961116837545648785312490665576832987, 96868738830341112368094632337476840272563704408573054404213766500407517251810212494515862176356916912627172280446141202661640191237336568731069327906100896178776245311689857997012187599140875912026589672629935267844696976980890380730867520071059572350667913710344648377601017758188404474812654737363275994871, 4881261656846638800623549662943393234361061827128610120046315649707078244180313661063004390750821317096754282796876479695558644108492317407662131441224257537276274962372021273583478509416358764706098471849536036184924640593888902859441388472856822541452041181244337124767666161645827145408781917658423571721, 18237936726367556664171427575475596460727369368246286138804284742124256700367133250078608537129877968287885457417957868580553371999414227484737603688992620953200143688061024092623556471053006464123205133894607923801371986027458274343737860395496260538663183193877539815179246700525865152165600985105257601565]

for a in ints:
    # Compute Legendre symbol
    legendre = pow(a, (p-1)//2, p)
    if legendre == 1:
        print(f"Found quadratic residue: {a}")
        
        sqrt_a = pow(a, (p+1)//4, p)
        
        # Pick the larger of the two roots
        root = max(sqrt_a, p - sqrt_a)
        
        print(f"Flag is: {root}")
        break

:::note[FLAG] By running this script, we get the flag. 🎯 :::

Modular Square Root

def tonelli_shanks(a, p):
    """ 
    Find a square root of a mod p using the Tonelli-Shanks algorithm.
    p must be an odd prime.
    """
    
    # Step 1: Find Q and S such that p-1 = Q * 2^S
    S = 0  # Initialize S to 0
    Q = p - 1  # Start with Q = p-1
    while Q % 2 == 0:
        Q //= 2  # Keep dividing Q by 2 while it's even
        S += 1  # Count how many times 2 divides p-1
    
    # Step 2: Find a quadratic non-residue z
    # A quadratic non-residue z is a number such that z^(p-1)/2 ≡ -1 (mod p)
    z = 2  # Start from z = 2 and check if it's a quadratic non-residue
    while pow(z, (p - 1) // 2, p) != p - 1:  # z^(p-1)/2 mod p should be -1 (p-1 mod p)
        z += 1  # Increment z until a non-residue is found

    # Step 3: Initialize variables for the Tonelli-Shanks algorithm
    M = S  # Set M to S, which is the exponent of 2 in the factorization of p-1
    c = pow(z, Q, p)  # Compute c = z^Q mod p
    t = pow(a, Q, p)  # Compute t = a^Q mod p (this is used to track progress)
    R = pow(a, (Q + 1) // 2, p)  # Compute R = a^((Q+1)//2) mod p as the initial guess for the root

    # Step 4: Loop until t == 1, which means we have found a square root
    while t != 1:
        # Find the smallest i such that t^(2^i) ≡ 1 mod p
        i = 0  # Start the exponent count
        temp = t  # Use a temporary variable to check powers of t
        while temp != 1:
            temp = pow(temp, 2, p)  # Compute t^(2^i) mod p by squaring t
            i += 1  # Increment i (the exponent of 2)
            if i == M:  # If we have tried all possible exponents, no root exists
                return None  # No square root exists, so return None

        # Step 5: Update variables to improve the guess for the root
        b = pow(c, 2 ** (M - i - 1), p)  # Compute b = c^(2^(M-i-1)) mod p
        M = i  # Update M to the current value of i
        c = pow(b, 2, p)  # Update c = b^2 mod p (this helps in the next iteration)
        t = (t * c) % p  # Update t = t * c mod p (this moves us closer to 1)
        R = (R * b) % p  # Update R to the new value, refining the root approximation

    # When t becomes 1, R is the square root of a mod p
    return R  # Return the square root

# Given values for a and p
a = 8479994658316772151941616510097127087554541274812435112009425778595495359700244470400642403747058566807127814165396640215844192327900454116257979487432016769329970767046735091249898678088061634796559556704959846424131820416048436501387617211770124292793308079214153179977624440438616958575058361193975686620046439877308339989295604537867493683872778843921771307305602776398786978353866231661453376056771972069776398999013769588936194859344941268223184197231368887060609212875507518936172060702209557124430477137421847130682601666968691651447236917018634902407704797328509461854842432015009878011354022108661461024768
p = 30531851861994333252675935111487950694414332763909083514133769861350960895076504687261369815735742549428789138300843082086550059082835141454526618160634109969195486322015775943030060449557090064811940139431735209185996454739163555910726493597222646855506445602953689527405362207926990442391705014604777038685880527537489845359101552442292804398472642356609304810680731556542002301547846635101455995732584071355903010856718680732337369128498655255277003643669031694516851390505923416710601212618443109844041514942401969629158975457079026906304328749039997262960301209158175920051890620947063936347307238412281568760161

# Solve for the square root
sqrt_a = tonelli_shanks(a, p)

# Output the result
if sqrt_a is not None:
    # If a square root exists, print the smaller root (between sqrt_a and p - sqrt_a)
    smaller_root = min(sqrt_a, p - sqrt_a)
    print(f"Square root found! The smaller root is:\n{smaller_root}")
else:
    # If no square root exists, print a message
    print("No square root exists.")

:::note[FLAG] By running this script, we get the flag. 🎯 :::

🔐 CryptoHack - Introduction to CryptoHack

Tue, 25 Feb 2025 00:00:00 GMT

Finding Flags

Each challenge is designed to help introduce you to a new piece of cryptography. Solving a challenge will require you to find a "flag". These flags will usually be in the format crypto{y0ur_f1rst_fl4g}. The flag format helps you verify that you found the correct solution. Try submitting this flag into the form below to solve your first challenge.

:::note[FLAG] The flag is straightforward. Just submit it to complete the challenge! Flag: crypto{y0ur_f1rst_fl4g} :::

Great Snakes

Modern cryptography involves code, and code involves coding. CryptoHack provides a good opportunity to sharpen your skills. Of all modern programming languages, Python 3 stands out as ideal for quickly writing cryptographic scripts and attacks. For more information about why we think Python is so great for this, please see the FAQ. Run the attached Python script and it will output your flag.

Challenge files:

great_snakes.py

Resources:

Downloading Python

great_snakes.py :

#!/usr/bin/env python3
import sys
# import this

if sys.version_info.major == 2:
  print("You are running Python 2, which is no longer supported. Please update to Python 3.")

ords = [81, 64, 75, 66, 70, 93, 73, 72, 1, 92, 109, 2, 84, 109, 66, 75, 70, 90, 2, 92, 79]

print("Here is your flag:")
print("".join(chr(o ^ 0x32) for o in ords))

This Python script deciphers an encoded message by XORing a list of numerical values with 0x32 (decimal 50) and then converting the result into a readable string. :::tip For more details on XOR operations, check out this resource: Basics of XORing :::

:::note[FLAG] By running this script, we get the flag. 🎯 Flag: crypto{z3n_0f_pyth0n} :::

ASCII

ASCII is a 7-bit encoding standard which allows the representation of text using the integers 0-127. Using the below integer array, convert the numbers to their corresponding ASCII characters to obtain a flag. :::tip[] In Python, the chr() function can be used to convert an ASCII ordinal number to a character (the ord() function does the opposite). :::

[99, 114, 121, 112, 116, 111, 123, 65, 83, 67, 73, 73, 95, 112, 114, 49, 110, 116, 52, 98, 108, 51, 125]

This challenge involves using the chr() function in Python to convert the given decimal numbers into their corresponding ASCII characters and construct the flag.

:::tip For more details on ASCII, check out this resource: ASCII

For more details on chr() function in Python, check out this resource: For more details check the FAQ :::

Solution :

ascii_values = [99, 114, 121, 112, 116, 111, 123, 65, 83, 67, 73, 73, 95, 112, 114, 49, 110, 116, 52, 98, 108, 51, 125]
flag = ''.join(chr(i) for i in ascii_values)
print(flag)

:::note[FLAG] By running this script, we get the flag. 🎯 Flag: crypto{ASCII_pr1nt4bl3} :::

Hex

When we encrypt something the resulting ciphertext commonly has bytes which are not printable ASCII characters. If we want to share our encrypted data, it's common to encode it into something more user-friendly and portable across different systems.

Hexadecimal can be used in such a way to represent ASCII strings. First each letter is converted to an ordinal number according to the ASCII table (as in the previous challenge). Then the decimal numbers are converted to base-16 numbers, otherwise known as hexadecimal. The numbers can be combined together, into one long hex string.

Included below is a flag encoded as a hex string. Decode this back into bytes to get the flag.

63727970746f7b596f755f77696c6c5f62655f776f726b696e675f776974685f6865785f737472696e67735f615f6c6f747d

:::note In Python, the bytes.fromhex() function can be used to convert hex to bytes. The .hex() instance method can be called on byte strings to get the hex representation. For more details check the FAQ

::: Resources:

Solution : The hexadecimal string can be converted to bytes using Python's bytes.fromhex() method, then decoded to a readable string using .decode().

hex_value = '63727970746f7b596f755f77696c6c5f62655f776f726b696e675f776974685f6865785f737472696e67735f615f6c6f747d'
flag = bytes.fromhex(hex_value).decode()
print(flag)

:::note[FLAG] By running this script, we get the flag. 🎯 Flag: crypto{You_will_be_working_with_hex_strings_a_lot} :::

Base64

Another common encoding scheme is Base64, which allows us to represent binary data as an ASCII string using an alphabet of 64 characters. One character of a Base64 string encodes 6 binary digits (bits), and so 4 characters of Base64 encode three 8-bit bytes.

Base64 is most commonly used online, so binary data such as images can be easily included into HTML or CSS files.

Take the below hex string, decode it into bytes and then encode it into Base64.

72bca9b68fc16ac7beeb8f849dca1d8a783e8acf9679bf9269f7bf

:::note In Python, after importing the base64 module with import base64, you can use the base64.b64encode() function. Remember to decode the hex first as the challenge description states. For more details check the FAQ :::

Solution : We use Python's base64 module to decode the string.

import base64

base64_value = '72bca9b68fc16ac7beeb8f849dca1d8a783e8acf9679bf9269f7bf'

# Convert hex to bytes
flag = bytes.fromhex(base64_value)

# Encode bytes to standard Base64
flag = base64.b64encode(flag).decode()  # Decode for readability
print(flag)

:::note[FLAG] By running this script, we get the flag. 🎯 Flag: crypto/Base+64+Encoding+is+Web+Safe/ :::

Bytes and Big Integers

Cryptosystems like RSA works on numbers, but messages are made up of characters. How should we convert our messages into numbers so that mathematical operations can be applied

The most common way is to take the ordinal bytes of the message, convert them into hexadecimal, and concatenate. This can be interpreted as a base-16/hexadecimal number, and also represented in base-10/decimal.

To illustrate:

message: HELLO
ascii bytes: [72, 69, 76, 76, 79]
hex bytes: [0x48, 0x45, 0x4c, 0x4c, 0x4f]
base-16: 0x48454c4c4f
base-10: 310400273487

:::note Python's PyCryptodome library implements this with the methods bytes_to_long() and long_to_bytes(). You will first have to install PyCryptodome and import it with from Crypto.Util.number import *. For more details check the FAQ. :::

Convert the following integer back into a message:

11515195063862318899931685488813747395775516287289682636499965282714637259206269

Solution :

from Crypto.Util.number import *

message = 11515195063862318899931685488813747395775516287289682636499965282714637259206269

flag = long_to_bytes(message) # Converts the large integer into its original byte representation.
print(flag.decode())  # decode

:::note[FLAG] By running this script, we get the flag. 🎯 Flag: crypto{3nc0d1n6_4ll_7h3_w4y_d0wn} :::

XOR Starter

XOR is a bitwise operator which returns 0 if the bits are the same, and 1 otherwise. In textbooks the XOR operator is denoted by ⊕, but in most challenges and programming languages you will see the caret ^ used instead.

A	B	Output
0	0	0
0	1	1
1	0	1
1	1	0

For longer binary numbers we XOR bit by bit: 0110 ^ 1010 = 1100. We can XOR integers by first converting the integer from decimal to binary. We can XOR strings by first converting each character to the integer representing the Unicode character.

Given the string label, XOR each character with the integer 13. Convert these integers back to a string and submit the flag as crypto{new_string}.

:::tip The Python pwntools library has a convenient xor() function that can XOR together data of different types and lengths. But first, you may want to implement your own function to solve this :::

Solution :

from pwn import *

# Given string
given_string = "label"

# XOR each character with 13 using pwn's xor function
xor_result = xor(given_string, 13)

# Format the flag
flag = f"crypto{{{xor_result.decode()}}}"
print(flag)

:::note[FLAG] We XOR each character with 13 using pwn's xor function. By running this script, we get the flag. 🎯 Flag: crypto{aloha} :::

XOR Properties

In the last challenge, you saw how XOR worked at the level of bits. In this one, we're going to cover the properties of the XOR operation and then use them to undo a chain of operations that have encrypted a flag. Gaining an intuition for how this works will help greatly when you come to attacking real cryptosystems later, especially in the block ciphers category.

There are four main properties we should consider when we solve challenges using the XOR operator

Commutative: A ⊕ B = B ⊕ A
Associative: A ⊕ (B ⊕ C) = (A ⊕ B) ⊕ C
Identity: A ⊕ 0 = A
Self-Inverse: A ⊕ A = 0

Let's break this down. Commutative means that the order of the XOR operations is not important. Associative means that a chain of operations can be carried out without order (we do not need to worry about brackets). The identity is 0, so XOR with 0 "does nothing", and lastly something XOR'd with itself returns zero.

Let's put this into practice! Below is a series of outputs where three random keys have been XOR'd together and with the flag. Use the above properties to undo the encryption in the final line to obtain the flag.

KEY1 = a6c8b6733c9b22de7bc0253266a3867df55acde8635e19c73313
KEY2 ^ KEY1 = 37dcb292030faa90d07eec17e3b1c6d8daf94c35d4c9191a5e1e
KEY2 ^ KEY3 = c1545756687e7573db23aa1c3452a098b71a7fbf0fddddde5fc1
FLAG ^ KEY1 ^ KEY3 ^ KEY2 = 04ee9855208a2cd59091d04767ae47963170d1660df7f56f5faf

:::tip Before you XOR these objects, be sure to decode from hex to bytes. :::

Solution :

from pwn import *

# Given values
KEY1 = "a6c8b6733c9b22de7bc0253266a3867df55acde8635e19c73313"
KEY2_XOR_KEY1 = "37dcb292030faa90d07eec17e3b1c6d8daf94c35d4c9191a5e1e"
KEY2_XOR_KEY3 = "c1545756687e7573db23aa1c3452a098b71a7fbf0fddddde5fc1"
FLAG_XOR_ALL = "04ee9855208a2cd59091d04767ae47963170d1660df7f56f5faf"

# Let's decode them from hex to bytes first.
KEY1 = bytes.fromhex(KEY1)
KEY2_XOR_KEY1 = bytes.fromhex(KEY2_XOR_KEY1)
KEY2_XOR_KEY3 = bytes.fromhex(KEY2_XOR_KEY3)
FLAG_XOR_ALL = bytes.fromhex(FLAG_XOR_ALL)

# We first derive KEY2 using KEY2 = (KEY2 ^ KEY1) ^ KEY1 since x ^ x = 0
KEY2 = xor(KEY2_XOR_KEY1, KEY1)

# Then we derive key 3
KEY3 = xor(KEY2_XOR_KEY3, KEY2)

# Flag
FLAG = xor(FLAG_XOR_ALL, xor(KEY1, xor(KEY2, KEY3)))

flag = FLAG.decode()
print(flag)

:::note[FLAG] Using the associative property of XOR, we successfully combined the keys to extract the flag. Running this script reveals the flag: 🎯 Flag: crypto{x0r_i5_ass0c1at1v3}. :::

Favorite Byte

For the next few challenges, you'll use what you've just learned to solve some more XOR puzzles. I've hidden some data using XOR with a single byte, but that byte is a secret. Don't forget to decode from hex first.

73626960647f6b206821204f21254f7d694f7624662065622127234f726927756d

Solution :

from pwn import *

# Given hex-encoded data (XOR-encrypted with a single unknown byte)
data = bytes.fromhex("73626960647f6b206821204f21254f7d694f7624662065622127234f726927756d")

# Brute-force the single-byte key by trying all possible values (0-255)
for key in range(256):
    decrypted = xor(data, key)  # XOR the data with the key candidate
    
    # Check if the decrypted text starts with "crypto" (expected flag format)
    if decrypted.decode().startswith("crypto"): 
        print(f"Key: {key}, Flag: {decrypted.decode()}")  # Print the key and extracted flag
        break  # Stop once the correct key is found

:::note[FLAG] Using brute-force, we successfully identified the single-byte key and decrypted the message to reveal the flag. Running this script reveals the flag: 🎯 Flag: crypto{0x10_15_my_f4v0ur173_by7e}. :::

You either know, XOR you don't

I've encrypted the flag with my secret key, you'll never be able to guess it.

:::tip Remember the flag format and how it might help you in this challenge! :::

0e0b213f26041e480b26217f27342e175d0e070a3c5b103e2526217f27342e175d0e077e263451150104

Solution :

from pwn import *

# Given encrypted flag in hex format
flag_hex = "0e0b213f26041e480b26217f27342e175d0e070a3c5b103e2526217f27342e175d0e077e263451150104"

# Convert hex-encoded flag to bytes
flag_bytes = bytes.fromhex(flag_hex)

# Since we know the flag format starts with "crypto{", we use it to determine the XOR key
partial_key = xor(flag_bytes[:7], b"crypto{")  # Extract part of the key using known plaintext
# Output: b'myXORke+y' (partial key discovered)

# Observing the pattern, I guessed the key is "myXORkey"
key = b"myXORkey"

# Decrypt the flag by XORing with the derived key
decrypted_flag = xor(flag_bytes, key)

# Print the decrypted flag
print(decrypted_flag.decode())

:::note[FLAG] This demonstrates how XOR encryption can be broken when partial plaintext is known. Running this script reveals the flag: 🎯 Flag: crypto{1f_y0u_Kn0w_En0uGH_y0u_Kn0w_1t_4ll}. :::

Conclusion

This walkthrough covered encoding (Hex, Base64) and basic XOR operations, essential for cryptographic challenges. Understanding these fundamentals helps in tackling more advanced cryptography problems. 🚀