Mod 26 picoCTF 2021 Solution

Published: April 2, 2026

Description

Cryptography can be easy, do you know what ROT13 is? cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_MAZyqFQj}

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Apply ROT13
    Observation
    I noticed the ciphertext starts with 'cvpbPGS{', which has the same length and structure as 'picoCTF{', suggesting a fixed letter shift; counting the distance from 'c' to 'p' gives 13, and the challenge title 'Mod 26' confirmed this is ROT13.
    ROT13 rotates each letter by 13 positions in the alphabet. The tr command maps A-Z to N-ZA-M and a-z to n-za-m, effectively applying the cipher. Run the command with the ciphertext to recover the flag.
    bash
    echo "cvpbPGS{arkg_gvzr_V'yy_gel_2_ebhaqf_bs_ebg13_MAZyqFQj}" | tr 'A-Za-z' 'N-ZA-Mn-za-m'

    Expected output

    picoCTF{next_time_I'll_try_2_rounds_of_rot13_...}
    What didn't work first

    Tried: Run the tr command with 'ROT47' ranges to decode the ciphertext

    ROT47 shifts all printable ASCII characters (not just letters) by 47 positions, so it garbles underscores, digits, and braces in the flag - the output looks like random symbols instead of readable text. ROT13 only rotates the 26 letters A-Z and a-z, leaving punctuation and digits untouched, which is what the cvpbPGS{...} format requires.

    Tried: Apply the tr mapping twice, thinking two rounds of ROT13 give a stronger decode

    The flag text itself says 'next_time_I'll_try_2_rounds_of_rot13' as a joke - applying tr twice just returns the original ciphertext because ROT13 is its own inverse (13 + 13 = 26, a full cycle). A single pass of tr 'A-Za-z' 'N-ZA-Mn-za-m' is both the encrypt and decrypt operation.

    Learn more

    ROT13(rotate by 13) is a simple letter substitution cipher that replaces each letter with the one 13 positions after it in the alphabet. Since the alphabet has 26 letters, rotating by 13 twice returns to the original - making ROT13 its own inverse. Applying it to already-ROT13'd text always decodes it, with no need to switch between "encrypt" and "decrypt" modes.

    ROT13 is a special case of the Caesar cipher, which Julius Caesar historically used with a shift of 3 to protect military communications. The Caesar cipher works by shifting each letter a fixed number of positions. With only 26 possible shifts, it provides essentially no security against brute-force - but it's still commonly used online to obscure spoilers or puzzle answers without the intent to truly encrypt them.

    The tr command ("translate") is a powerful Unix utility that substitutes characters according to a mapping. The pattern tr 'A-Za-z' 'N-ZA-Mn-za-m' maps: A→N, B→O, ..., M→Z, N→A, ..., Z→M, and the same for lowercase. Every letter shifts, so the ciphertext's suffix MAZyqFQj rotates to ZNMldSDw in the decoded flag.

    The challenge title "Mod 26" hints at the mathematical underpinning: ROT13 is addition modulo 26, where each letter is treated as a number 0 to 25. Adding 13 mod 26 is the same as subtracting 13 mod 26, which is why the same operation both encrypts and decrypts.

    Recognizing ROT13 in the wild: If a ciphertext looks almost like English but with slightly shifted letters - words have the right rhythm but wrong characters - it is often ROT13 or a Caesar cipher. The word "gur" in the ciphertext above is ROT13 for "the," a giveaway. Online tools like rot13.com decode it instantly. In Wireshark, the right-click > "Decode as" menu does not include ROT13 (it is not a real encryption protocol), so a terminal command or online tool is the fastest path.

    Brute-forcing Caesar ciphers: If you suspect a Caesar cipher but do not know the shift, there are only 25 possible shifts. A quick Python loop tries all of them: for shift in range(26): print(shift, ''.join(chr((ord(c)-65+shift)%26+65) if c.isupper() else chr((ord(c)-97+shift)%26+97) if c.islower() else c for c in ciphertext)). The correct shift produces readable English. The tr command handles ROT13 specifically because it is the only Caesar variant where the same command both encodes and decodes.

Interactive tools
  • Cipher Identifier & Auto-DecoderPaste any ciphertext and the tool auto-runs every common decoder (base64, hex, Morse, ROT, Atbash, Bacon, binary, decimal, URL) and ranks the results by English-likeness.
Alternate Solution

No terminal? Paste the ciphertext directly into the ROT / Caesar Cipher tool on this site, set the shift to 13, and the flag appears instantly. The tool also has a Try all 26 shifts button that prints every possible rotation at once.

Flag

Reveal flag

picoCTF{next_time_I'll_try_2_rounds_of_rot13_...}

ROT13 is its own inverse - applying it twice returns the original text, so a single tr pass decodes the whole flag.

Key takeaway

Caesar ciphers and ROT13 are monoalphabetic substitution ciphers with a fixed shift, meaning every letter maps to exactly one other letter throughout the text. With only 26 possible shifts, brute force exhausts all possibilities in under a second, and frequency analysis of the ciphertext narrows the correct shift even faster. Recognizing cipher families from their structure (alphabet-preserving, no numeric or punctuation changes, consistent letter frequency) is a core CTF skill that transfers to Vigenere, Atbash, and other classical substitutions.

Related reading

Want more picoCTF 2021 writeups?

Tools used in this challenge

What to try next