Description
The numbers... what do they mean? An image of numbers is provided -- decode it to find the flag.
Setup
Download the image file from the challenge page.
Solution
- Step 1Apply A1Z26 substitutionThe numbers in the image map directly to alphabet positions: 1=A, 2=B, 3=C ... 26=Z. Read off each number and replace it with its corresponding letter. Numbers inside curly braces are also encoded. 'PICOCTF' is the prefix (16=P, 9=I, 3=C, 15=O, 3=C, 20=T, 6=F) and the content inside the braces spells THENUMBERSMASON.
Learn more
A1Z26 (also called "Number-to-Letter substitution") is perhaps the simplest possible substitution cipher: each letter in the alphabet is assigned its ordinal position, so A=1, B=2, C=3, ... Z=26. To decode, you simply replace each number with its corresponding letter. There is no key and no ambiguity -- it is deterministic and universal.
This is technically a substitution cipher -- a cipher where each symbol is replaced by another symbol according to a fixed mapping. A1Z26 is the weakest possible substitution cipher because the mapping is publicly known and requires no key. Real historical ciphers like the Caesar cipher shift the mapping, and the Vigenere cipher uses a repeating key to vary the shift, but A1Z26 is even simpler than either.
The challenge title "The Numbers, Mason" is a reference to the 2010 video game Call of Duty: Black Ops, where an antagonist repeatedly asks the protagonist to decode a sequence of numbers. This has become a popular internet meme, making number-substitution puzzles instantly recognizable to the CTF community.
To decode quickly in Python:
chr(n + 64)converts a number 1-26 to its corresponding uppercase letter (sinceord('A') == 65). CyberChef also has a built-in "A1Z26 Cipher Decode" recipe that handles this automatically.
Flag
PICOCTF{THENUMBERSMASON}
A1Z26 is one of the simplest possible substitution ciphers -- numbers directly index into the alphabet.