Description
A leaked credential dump pairs usernames and encrypted passwords line-for-line. Locate the entry for `cultiris`, decode the stored password, and submit it as the flag.
Setup
Extract the archive to reveal `usernames.txt` and `passwords.txt`, which align line-by-line.
Search for the username `cultiris` to capture the correct line number.
Print the corresponding password entry and decode it from ROT13.
wget https://artifacts.picoctf.net/c/151/leak.tar
tar -xf leak.tar && cd leak
grep -n "cultiris" usernames.txt
sed -n '378p' passwords.txt
sed -n '378p' passwords.txt | caesar 13
Solution
- Step 1: Map the username. `grep -n "cultiris" usernames.txt` reveals the account sits at line 378. Because both files are aligned, that same line number in `passwords.txt` holds the encrypted secret.
Learn more
Credential dumps (also called "combo lists") are leaked databases of usernames and passwords, often from breached websites. They frequently appear as paired text files where every line in one file corresponds to the same-numbered line in the other - a simple format that makes bulk password-spraying easy for attackers.
The `grep -n` flag prints line numbers alongside matches, which is the key to linking the two files. Without `-n` you would see the username but not know which line to look up in the password file. This "join by line number" pattern also appears in log analysis and data correlation tasks. In real incident response, tools like `paste` or Python's `zip()` are used to merge parallel files so each row contains both the username and password together - making it much easier to search for a specific user and immediately see their credential.
- Step 2: Retrieve the password entry. `sed -n '378p' passwords.txt` prints `cvpbPGS{P7e1S_54I35_71Z3}`, an obvious substitution that still resembles the picoCTF format.
Learn more
ROT13 is immediately recognizable here because the encoded text still has the structure of the flag format - `cvpbPGS` is clearly `picoCTF` shifted by 13. This visual pattern recognition is a useful skill: once you know what the plaintext prefix should look like, you can identify the cipher (or encoding) just by counting the letter shift. `sed -n 'Np'` is the canonical shell way to print exactly one line from a file by number. Alternatives include `awk 'NR==N'` or `head -N file | tail -1`, but the `sed` form is the most concise.
- Step 3: Apply ROT13. Running the line through `caesar 13` (from bsdgames) or any ROT13 decoder transforms it back into plaintext, yielding the final flag.
Learn more
ROT13 is a Caesar cipher with a fixed shift of 13. Because the English alphabet has 26 letters, applying ROT13 twice returns the original text - it is its own inverse. This makes it trivially reversible, which is why it was never meant for security; historically it was used on Usenet to hide spoilers or mildly offensive content from casual readers.
On Linux, `caesar 13` (from the `bsdgames` package) applies the shift. Other quick methods include `tr 'A-Za-z' 'N-ZA-Mn-za-m'`, Python's `codecs.encode(s, 'rot_13')`, or any of dozens of online ROT13 tools. The cipher appears frequently in CTFs as a trivial encoding layer or as part of a multi-layer challenge.
In the context of credential dumps, storing passwords in ROT13 is essentially the same as storing them in plaintext - it provides zero security. This challenge highlights why even simple obfuscation is meaningless without real cryptographic hashing (bcrypt, scrypt, Argon2) when storing passwords.
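The three steps above carried out in Python, as an added example that is not part of this write-up or the challenge files. The username and password lists are constructed stand-ins for `usernames.txt` and `passwords.txt` with `cultiris` placed on line 3; only the ciphertext `cvpbPGS{P7e1S_54I35_71Z3}` comes from the write-up, and the join uses `zip()` as the Learn more note suggests. It goes slightly beyond the page: `detect_shift` recovers the Caesar shift from the known `picoCTF` prefix instead of assuming 13, `lookup_credential` refuses files that are not line-aligned, and `hash_password`/`verify_password` (salted `hashlib.scrypt`) show what the page means by real hashing being non-reversible.

```python
"""Join a line-aligned credential dump, undo ROT13, and contrast it with salted hashing.

Added example for this write-up; not part of the picoCTF challenge files.
USERNAMES/PASSWORDS below are constructed; only the ciphertext on line 3 is from the page.
"""
import codecs
import hashlib
import hmac
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase


def caesar(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift`; digits, braces and '_' pass through unchanged."""
    k = shift % 26
    table = str.maketrans(UPPER + LOWER, UPPER[k:] + UPPER[:k] + LOWER[k:] + LOWER[:k])
    return text.translate(table)


def rot13(text: str) -> str:
    """ROT13 is a Caesar shift of 13; applying it twice restores the input."""
    return caesar(text, 13)


def stdlib_rot13(text: str) -> str:
    """The same transform via the standard library, for cross-checking."""
    return codecs.encode(text, "rot_13")


def detect_shift(ciphertext: str, known_prefix: str):
    """Return the shift that maps the start of `ciphertext` onto `known_prefix`, else None.

    This is the write-up's 'count the letter shift' trick done programmatically:
    try all 26 shifts and keep the one whose decoding begins with the expected plaintext.
    """
    for k in range(26):
        if caesar(ciphertext, -k).startswith(known_prefix):
            return k
    return None


def lookup_credential(usernames, passwords, target):
    """Return (1-based line number, paired password) for `target`.

    Mirrors `grep -n` followed by `sed -n 'Np'`. A dump whose files differ in length
    would silently pair the wrong secret, so unequal lengths are rejected outright.
    """
    if len(usernames) != len(passwords):
        raise ValueError("username and password files are not line-aligned")
    for lineno, (user, pw) in enumerate(zip(usernames, passwords), start=1):
        if user == target:
            return lineno, pw
    raise KeyError(target)


# Constructed stand-ins for usernames.txt / passwords.txt (the real dump is far longer).
USERNAMES = ["alice", "bob", "cultiris", "dave"]
PASSWORDS = ["uryyb", "cnff", "cvpbPGS{P7e1S_54I35_71Z3}", "frperg"]


def solve(target: str = "cultiris"):
    """Run the write-up's three steps: locate the line, fetch the entry, undo the shift."""
    lineno, stored = lookup_credential(USERNAMES, PASSWORDS, target)
    shift = detect_shift(stored, "picoCTF")  # 13 for this dump
    return lineno, shift, caesar(stored, -shift)


# --- What storage should look like instead: salted scrypt, verify-only ---------------
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # modest cost so the demo runs quickly
SALT_LEN = 16


def hash_password(password: str) -> bytes:
    """Return salt || scrypt digest. Unlike ROT13 there is no function that inverts this."""
    salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    lineno, shift, plaintext = solve()
    print(f"cultiris is on line {lineno}; entry decodes with shift {shift}: {plaintext}")
    # Stored properly, the same password yields different hashes (random salt) and can
    # only be checked, never decoded.
    h1, h2 = hash_password(plaintext), hash_password(plaintext)
    print("salted hashes differ:", h1 != h2, "| verifies:", verify_password(plaintext, h1))
```

`detect_shift` returns `None` for input that no single shift explains, which is the practical signal that the dump is using something other than a Caesar layer; `lookup_credential` raising on unequal lengths is the check worth keeping whenever you join two files by line number.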
Alternate Solution
Once you have the ROT13-encoded password string, you can decode it directly in the browser with the ROT / Caesar Cipher tool. Paste the ciphertext (cvpbPGS{P7e1S_54I35_71Z3}), set the shift to 13, and the flag is revealed instantly - no terminal required.
Flag
picoCTF{...}
Because the files are line-aligned, finding the username index immediately pinpoints the paired password.