Description
A single text file contains an encrypted string; the challenge name hints at a Caesar/ROT-style cipher. Discover the shift that restores the flag.
Read the provided ciphertext (e.g., xqkwKBN{...}).
Use CyberChef or a local script to apply different ROT shifts until the plaintext forms picoCTF{...}.
wget https://artifacts.picoctf.net/c/354/encrypted.txt && cat encrypted.txtpython3 - <<'PY'
from string import ascii_lowercase
cipher="xqkwKBN{z0bib1wv_l3kzgxb3l_7l140864}"
for shift in range(26):
plain=[]
for ch in cipher:
if 'a' <= ch <= 'z':
plain.append(chr((ord(ch)-97-shift)%26+97))
elif 'A' <= ch <= 'Z':
plain.append(chr((ord(ch)-65-shift)%26+65))
else:
plain.append(ch)
print(shift, ''.join(plain))
PYSolution
picoCTF.- Step 1Test rotationsShift the alphabet forward/backward until the output reads picoCTF. A shift of 18 decodes the message.
Learn more
The Caesar cipher (also called a rotation or ROT cipher) shifts every letter in the plaintext by a fixed number of positions in the alphabet, wrapping around from Z back to A. For example, ROT-13 (shift 13) is special because it is its own inverse: applying it twice returns the original. ROT-18 shifts each letter 18 positions forward; decryption shifts 18 backward (or equivalently, 8 forward since 18 + 8 = 26).
Because there are only 25 non-trivial shifts (shift 0 is no change), brute-forcing all possibilities is trivial - a task a human can do in under a minute by scanning a printed table, or a script can do in microseconds. This is why the Caesar cipher provides zero real security: its keyspace is exhausted instantly. Any scheme with a keyspace smaller than 2^80 or so is considered broken by modern standards.
The key recognition trick: if you see a flag-format string like
xqkwKBN{...}where the braces and digits are preserved, you immediately know it is a simple substitution cipher applied to letters only. The fixed structure ofpicoCTF{...}is actually a crib (known plaintext fragment) that makes finding the correct shift mechanical - just find the shift wherex→pandq→iandk→call match. - Step 2Record the decoded flagOnce the plaintext appears, copy the picoCTF string and submit it.
Learn more
The Python script tests all 26 possible shifts and prints each result. At shift 18, the output will begin with
picoCTF, making it immediately recognizable. This exhaustive search approach - trying every possibility when the search space is small - is called a brute-force attack and is entirely appropriate when the keyspace is only 25 possibilities.A faster approach for letter-only ciphers is frequency analysis: in English, the most common letters are E, T, A, O, I, N. By finding the most frequent letter in the ciphertext and assuming it corresponds to E, you can estimate the shift without trying all options. This technique breaks all monoalphabetic substitution ciphers (not just Caesar) given enough ciphertext, and was the primary attack on classical ciphers for centuries before modern cryptography.
For CTF crypto challenges, CyberChef's ROT cipher tool with "Try all rotations" is the fastest solution path. For scripting, the Python
codecsmodule providescodecs.encode(text, 'rot_13')for ROT-13 specifically; other shifts require the manual modular arithmetic shown in the setup script.
Related guides
Base64, Hex, and Common CTF Encodings Explained
Covers ROT13, Caesar ciphers, brute-forcing all 26 shifts in Python, and every other encoding format you will encounter across CTF challenges.
Flag
picoCTF{r0tat1o...d140864}
Any Caesar/ROT decoder works; the correct offset is 18.