rail-fence picoCTF 2022 Solution

Published: July 20, 2023

Description

A message was encrypted with a rail fence cipher using 4 rails. Decode it and wrap the plaintext in picoCTF{...}.

Read the ciphertext from message.txt.

In CyberChef, load Rail Fence Cipher Decode with Key = 4 (the rail count) and Offset = 0. Paste the text and read the output.

bash
less message.txt
bash
# CyberChef: Rail Fence Cipher Decode → Key 4, Offset 0

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Apply Rail Fence decoding
    Observation
    I noticed the challenge description explicitly states the message was encrypted with a Rail Fence cipher using 4 rails, which told me the exact cipher and key parameter needed, so the only action required was to run Rail Fence Cipher Decode with Key = 4 in CyberChef.
    The challenge states 4 rails. In CyberChef, the Rail Fence Cipher Decode operation takes Key = rail count (4 here) and Offset = 0 unless the challenge specifies otherwise.

    A worked example on the 5-character plaintext "WECRE" with 3 rails illustrates the pattern. Writing it across the encryption fence looks like:

    rail 0:  W . . . E
    rail 1:  . E . R .
    rail 2:  . . C . .
    
    read row by row -> "WE" + "ER" + "C" = "WEERC"

    To decode "WEERC", count how many characters land on each rail (2, 2, 1), slice the ciphertext into those chunks ("WE", "ER", "C"), then read down the diagonals: position 0 is rail 0 → W, position 1 is rail 1 → E, position 2 is rail 2 → C, position 3 is rail 1 → R, position 4 is rail 0 → E. Output: "WECRE" (the original plaintext, recovered). The full picoCTF flag is the same operation with Key = 4 across the entire ciphertext.

    For more on classical ciphers and how to spot which encoding is in play, see the CTF Encodings guide.

    What didn't work first

    Tried: Trying Key = 2 or Key = 3 before reading the challenge description

    Rail Fence with the wrong number of rails produces scrambled output that looks like random English letters - no error is thrown and CyberChef silently returns garbage. The challenge explicitly states 4 rails, so Key must be 4; trying smaller values just wastes time pattern-matching against non-plaintext.

    Tried: Using Caesar Cipher Decode in CyberChef because the ciphertext looks like shifted letters

    The Rail Fence cipher is a transposition cipher, not a substitution cipher - letter frequencies are preserved rather than shifted. Caesar Decode will produce output with the same letter distribution but wrong letter ordering, never yielding readable English regardless of the rotation value chosen.

    Learn more

    The Rail Fence cipher is a classical transposition cipher - it rearranges the letters of the plaintext rather than replacing them. The message is written diagonally down and up across a set number of "rails" (rows), then read off row by row. For example, with 3 rails, "WEAREDISCOVERED" becomes three rows read in a zigzag pattern.

    Unlike substitution ciphers, every letter in a transposition cipher is present in the ciphertext - just in a different position. This means letter frequency analysis won't help; you need to know (or guess) the structure. With only a small key space (number of rails is usually 2-10), brute force is trivial.

    CyberChef is a browser-based Swiss army knife for encoding, decoding, and transforming data. It supports dozens of classical ciphers, encoding schemes, and data format conversions - all without installing anything. It's an essential tool for CTF challenges and real-world forensics work.

    To decode manually without a tool: divide the ciphertext into four rows based on the zigzag pattern, then read the characters diagonally. For a 4-rail fence, the top and bottom rails contain the fewest characters (they only touch the zigzag at peaks and valleys), while the middle rails contain more. The exact character count per rail depends on the message length - computing this by hand for short messages is feasible, which is why understanding the algorithm is valuable even when you have CyberChef available.

    Classical ciphers like Rail Fence, Caesar, Vigenere, and Playfair are frequently tested in CTF competitions because they require pattern recognition and algorithmic thinking rather than brute computation. Recognizing which cipher was used from ciphertext characteristics (letter frequency preserved but positions scrambled for transposition; frequency distribution shifted for substitution; unusual character sets for encoding schemes) is a key skill for the "crypto" category in CTFs.

  2. Step 2
    Wrap the flag
    Observation
    I noticed the Rail Fence decode output produces the plaintext directly with no further transformation needed, which meant the only remaining step was to copy the recovered text and wrap it in the picoCTF{} format as the challenge requires.
    The decoded sentence is already in the picoCTF format; copy it as-is.
    Learn more

    Once a transposition cipher is reversed, the plaintext is fully recovered with no ambiguity - every letter returns to its original position. This is in contrast to substitution ciphers, where frequency analysis gives probabilistic guesses that may need manual correction.

    The Rail Fence cipher was historically used during the American Civil War as a simple field cipher. While trivially broken today (even by hand with the right number of rails), it illustrates the fundamental principle that rearranging data is not the same as hiding it. Modern transposition techniques form one component of block cipher modes like CBC, but are always combined with substitution for security.

    In modern symmetric encryption, the AES block cipher combines both substitution (the SubBytes step applies a non-linear S-box to each byte) and permutation/transposition (the ShiftRows and MixColumns steps move bytes between positions). This combination - known as a substitution-permutation network - is what makes AES resistant to both frequency analysis and positional attacks. Neither substitution nor transposition alone is secure; the power comes from iterating both together across multiple rounds.

    If you encounter a ciphertext in a CTF and are unsure which classical cipher was used, the Index of Coincidence (IC) can help distinguish transposition from substitution. Transposition ciphers preserve the original letter frequency distribution (IC matches plaintext language), while monoalphabetic substitution ciphers also preserve frequencies but shift them. Polyalphabetic ciphers like Vigenere produce a lower, flatter IC. These statistical tests guide cipher identification before you attempt decryption.

Interactive tools
  • Rail Fence CipherEncrypt or decrypt rail fence (zigzag) transposition ciphers. Brute-force across rail counts and offsets to find the right setting fast.

Flag

Reveal flag

picoCTF{WH3R3_D035_7H3_F3NC3_8361N_4ND_3ND_4A76...}

Rail fence is a simple transposition cipher; once you know the number of rails, decoding is straightforward.

Key takeaway

Transposition ciphers like Rail Fence rearrange plaintext letters into a different order without changing them, which means letter frequency is fully preserved and frequency analysis provides no traction. The only unknowns are the structural parameters (number of rails and offset), and because those key spaces are tiny, brute force across all possible values is nearly instant. Modern block ciphers gain security by combining transposition with non-linear substitution across many rounds, since neither technique alone withstands systematic analysis.

Related reading

Want more picoCTF 2022 writeups?

Tools used in this challenge

What to try next