Two-Layer Classic: Base32 and the Atbash Cipher

Cryptography Level 2/5 ~3 min 2026-06-30

The challenge

This string uses only the letters A-Z and the digits 2-7 - the telltale sign of a specific encoding. Strip that layer, then notice that the result is a well-known letter cipher. Use the decode buttons to recover the flag (HDNA{...}) and submit it.

What you will learn

  • Recognise base32 by its restricted A-Z 2-7 alphabet and = padding
  • Identify the Atbash cipher from its mirror-alphabet pattern
  • Peel a two-layer encoding/cipher chain in the correct order
  • Dismiss decoy transforms whose input format does not match

Skills tested

base32 recognition, Atbash decoding, Layer fingerprinting

Prerequisites

  • Familiarity with base64 vs base32
  • Awareness of substitution ciphers

How it works

Recognising an encoding by sight is one of the fastest skills in CTF and triage work. Different schemes leave different fingerprints. base64 uses A-Z, a-z, 0-9, plus + and /. base32 is narrower: only uppercase A-Z and the digits 2-7, frequently with = padding. When you see a string in only that alphabet, base32 is almost always the answer.

Decode the base32 here and you do not get plaintext - you get text where the structure is right but the letters are wrong, each one swapped for its mirror in the alphabet. That mirror pattern (A becomes Z, B becomes Y, and so on) is the Atbash cipher, one of the oldest substitution ciphers. Atbash is its own inverse, so applying it again undoes it.

The decoder lab lets you stack transforms by tapping buttons, each applied to the previous result. Tap base32, then atbash, and the flag falls out. The lab also offers binary, decimal, and morse decoders - useful in other challenges, but here they are decoys whose input shapes (1s and 0s, space-separated numbers, dots and dashes) clearly do not match the data in front of you.
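The fingerprint-then-peel procedure described above, as an added Python example that is not part of the original challenge page. The sample string is constructed here (it is not the challenge's real input), and the function names and regex shapes are assumptions chosen for illustration.

```python
import base64
import re
import string

# Atbash maps each letter to its mirror (A<->Z, B<->Y, ...); case is preserved.
_UP, _LO = string.ascii_uppercase, string.ascii_lowercase
ATBASH = str.maketrans(_UP + _LO, _UP[::-1] + _LO[::-1])

# Input shapes for each decoder the lab offers (assumed patterns).
SHAPES = {
    "binary": re.compile(r"[01\s]+"),
    "decimal": re.compile(r"\d+(?: \d+)*"),
    "morse": re.compile(r"[.\-/ ]+"),
    "base32": re.compile(r"[A-Z2-7]+=*"),
}

def fingerprint(data: str) -> list[str]:
    """Return the decoders whose expected input shape matches data."""
    hits = [name for name, rx in SHAPES.items() if rx.fullmatch(data)]
    # Padded base32 text is always a multiple of 8 characters long.
    if "base32" in hits and len(data) % 8:
        hits.remove("base32")
    return hits

def atbash(text: str) -> str:
    """Apply Atbash; non-letters ({, }, _) pass through unchanged."""
    return text.translate(ATBASH)

def peel(data: str) -> str:
    """Undo the chain in order: base32 first, then Atbash."""
    if "base32" not in fingerprint(data):
        raise ValueError("input does not look like base32")
    inner = base64.b32decode(data).decode("ascii")
    return atbash(inner)

# Constructed sample: wrap a made-up flag in the same two layers.
SAMPLE_FLAG = "HDNA{constructed_sample}"
SAMPLE = base64.b32encode(atbash(SAMPLE_FLAG).encode()).decode()

if __name__ == "__main__":
    print(SAMPLE, fingerprint(SAMPLE))   # only base32 matches the shape
    print(peel(SAMPLE))                  # the constructed flag
    print(atbash(peel(SAMPLE)))          # a second Atbash re-scrambles it
```
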

Common mistakes

  • Mistaking base32 for base64. The give-away is the alphabet: no lowercase and no + or / means base32, not base64.
  • Stopping after one layer. The base32 output is still scrambled; recognise the mirrored letters as Atbash and peel again.
  • Trying decoy decoders. Binary, decimal, and morse expect very different input; check the character set before tapping.
  • Applying Atbash twice. Atbash is self-inverse, so a second tap re-scrambles it.

How to defend against it

Classic ciphers and encodings provide zero confidentiality - they are puzzles, not protection. The defensive lesson is the same as always: if data must be secret, encrypt it properly; if you find data behind base32/Atbash/ROT in your own systems, treat it as plaintext.

  • Learn the common fingerprints (base32, base64, hex, Atbash, ROT) to triage encoded data quickly.
  • Never use a classic cipher to protect anything real.
  • When reviewing your systems, decode encoded values to confirm nothing sensitive hides one tap from plaintext.


Community statistics

55 solves
76% success rate
M2F14M3 First blood
