Description
A substitution cipher with no punctuation must be solved to recover a block of prose ending in the flag. Online solvers can handle the bulk of the decoding, but you’ll need to map the remaining characters manually.
Setup
Load the ciphertext into a substitution solver such as quipqiup.com.
The solver recovers nearly the entire plaintext, but the final line (the flag) includes underscores and digits that may be mangled.
Manually align the decoded letters with the ciphertext to reconstruct the flag.
Solution
Walk me through it- Step 1Leverage an automatic solverTools like quipqiup produce a readable paragraph about offensive competitions. Copy the output and focus on the last sentence (the one mentioning the flag).
Learn more
Without word boundaries (spaces) or punctuation, substitution solving becomes harder because solvers can't use word-shape patterns. They fall back to pure n-gram statistics- scoring candidate plaintexts based on how common each sequence of 2, 3, or 4 consecutive letters is in English. "th", "he", "in" are very common bigrams; "xz" and "qk" are extremely rare.
Despite the added difficulty, modern solvers still handle this well for sufficiently long texts. The paragraph about offensive competitions provides enough English text for statistical patterns to emerge, allowing quipqiup to recover the correct (or near-correct) substitution alphabet. The longer the ciphertext, the more reliable the statistical attack.
A key forensic skill demonstrated here is cross-referencing: using the partially-solved plaintext to bootstrap the full solution. Our Frequency Analysis tool lets you paste the ciphertext and interactively correct the auto-generated mapping. Once most letters are known from the prose section, the remaining mappings for digits and underscores in the flag can be inferred from the established key.
- Step 2Fix the flag charactersSeed your solver with the known-plaintext mapping from
picoCTF{: pre-fill those 7 letter substitutions, then let the solver close out the rest. Underscores and digits pass through unchanged.Learn more
The flag wrapper
picoCTF{...}is a known-plaintext element. You know the plaintext and can read the corresponding ciphertext. This is called a known-plaintext attack (KPA): given pairs of plaintext and ciphertext, recover the key. The prefixpicoCTFmaps directly to the seven cipher characters before the opening brace, revealing seven letter substitutions immediately.Seeding the solver in practice. Suppose the ciphertext ends with
qcuhUIE{N6R4M_4N41Y515}. Pair the letters position by position:plain: p i c o C T F cipher: q c u h U I E Pre-fill the substitution table before solving: q -> p c -> i u -> c h -> o U -> C I -> T E -> F Most solvers (quipqiup, dCode, our Frequency Analysis tool) accept "locked" mappings as input. Lock these seven and the search space collapses from 26! to 19! before the solver even starts.Known-plaintext attacks are powerful in classical cryptography. For monoalphabetic ciphers, knowing even a few plaintext-ciphertext pairs directly reveals portions of the key. The Enigma machine was partly broken this way: German operators began messages with predictable weather reports and protocol headers that gave Allied cryptanalysts at Bletchley Park known plaintext to work with.
Digits and underscores pass through unchanged. Confirm with the body of the flag: ciphertext
N6R4M_4N41Y515decodes toN6R4M_4N41Y515for the non-letters (the digits6, 4, 1, 5and the underscore_are identical on both sides). Only the lettersN, R, M, Yneed to be looked up in the recovered key, which the prose section already pinned down.
Alternate Solution
Use the Frequency Analysis tool on this site to count letter occurrences and guide your substitution mapping - the most frequent ciphertext letter almost always corresponds to E in the plaintext. For a hands-off approach, quipqiup.com auto-solves monoalphabetic ciphers with a dictionary search.
Flag
picoCTF{...}
Classic substitution can be solved in seconds with automated tools, but always verify the final characters.