Unshift the Letters: Reversing a ROT13 Flag

Fondamentaux de la Sécurité Niveau 1/5 ~2 min 2026-07-16

Le défi

Chaque lettre de ce flag a été décalée dans l'alphabet. Les accolades et les tirets bas n'ont pas bougé, donc la forme reste correcte - seules les lettres sont fausses. Cliquez sur le décodeur qui les remet en place, puis soumettez le flag.

Ce que tu vas apprendre

  • Recognise a letter shift by the intact brackets and shifted letters of a flag
  • Reverse a ROT13 shift with a single decoder button
  • Understand that a fixed letter shift offers no real secrecy
  • See that rotating letters needs no key, so anyone can undo it
  • Rule out base64 and hex by noticing the string is plain letters in a flag shape

Compétences testées

ROT13 and Caesar shift recognitionReversing a fixed letter shiftTelling encoding apart from encryption

Prérequis

  • Knowing the order of the English alphabet
  • Comfort reading a short flag of the form NAME{some_text}

Comment ça marche

ROT13 is a tiny, very old way of scrambling text. It moves every letter 13 places along the alphabet, so A becomes N, B becomes O, and so on, wrapping around at the end. Because the English alphabet has 26 letters and 13 is exactly half of that, doing ROT13 a second time brings every letter right back. That is why the same button both scrambles and unscrambles.

The important thing for security is what ROT13 leaves untouched. Spaces, brackets, underscores, and digits are not letters, so they do not move. That means the overall shape of the text survives. In a flag you can still see the prefix, the braces, and the underscores in their normal spots while only the letters look wrong. That intact structure with shuffled letters is the classic fingerprint of a Caesar-style shift such as ROT13.

ROT13 has no key. The rule is public and fixed, so reversing it needs no password and no permission. That makes it encoding, not encryption. It is fine for hiding a spoiler or lightly obscuring text, but it gives a value no real privacy. The base64 and hex buttons in the lab expect different input shapes and would only mangle a plain letter string, so they are decoys here.

Erreurs fréquentes

  • Reaching for base64 first. The string is plain letters in a flag shape with no = padding, so it is not base64. The shifted letters point to ROT13.
  • Thinking the value is protected. A shift with no key is not a lock. Anyone can reverse ROT13 in one click.
  • Shifting twice. Tapping ROT13 again re-scrambles the now-readable flag. Apply it once and stop when the words read normally.
  • Submitting the scrambled version. Only the unshifted flag is correct, so decode it before you submit.

Comment s'en protéger

The takeaway for builders is that a letter shift is never a security control. If a value is sensitive, protect it with real encryption that needs a managed secret key, or do not expose it at all. Seeing ROT13 or any fixed shift around a value should be read as "lightly obscured", never as "secured".

  • Never use ROT13 or a Caesar shift to hide passwords, tokens, or personal data.
  • Use proper encryption with a managed key when data must stay confidential.
  • Treat any reversible shift or encoding you find as cosmetic and decode it to check what is underneath.
  • When reviewing your own systems, unshift and decode every obscured value to confirm nothing sensitive is one click from plain text.

Solution complète

Les membres Pro et Max débloquent la solution complète étape par étape.

Passer Pro

Statistiques de la communauté

95 résolutions
86% taux de réussite
M2F14M3 Premier sang

Hacks du jour associés

16 000+ Hackers 100+ Labs & Cours Gratuit
Commencer Gratuitement