Two-Layer Classic: Base32 and the Atbash Cipher
The challenge
This string uses only the letters A-Z and the digits 2-7, a clear sign of one specific encoding. Remove that layer, then notice that the result is a well-known letter cipher. Use the decode buttons to recover the flag (HDNA{...}) and submit it.
What you will learn
- Recognise base32 by its restricted A-Z 2-7 alphabet and = padding
- Identify the Atbash cipher from its mirror-alphabet pattern
- Peel a two-layer encoding/cipher chain in the correct order
- Dismiss decoy transforms whose input format does not match
Skills tested
Prerequisites
- Familiarity with base64 vs base32
- Awareness of substitution ciphers
How it works
Recognising an encoding by sight is one of the fastest skills in CTF and triage work. Different schemes leave different fingerprints. base64 uses A-Z, a-z, 0-9, plus + and /. base32 is narrower: only uppercase A-Z and the digits 2-7, frequently with = padding. When you see a string in only that alphabet, base32 is almost always the answer.
Decode the base32 here and you do not get plaintext - you get text where the structure is right but the letters are wrong, each one swapped for its mirror in the alphabet. That mirror pattern (A becomes Z, B becomes Y, and so on) is the Atbash cipher, one of the oldest substitution ciphers. Atbash is its own inverse, so applying it again undoes it.
The decoder lab lets you stack transforms by tapping buttons, each applied to the previous result. Tap base32, then atbash, and the flag falls out. The lab also offers binary, decimal, and morse decoders - useful in other challenges, but here they are decoys whose input shapes (1s and 0s, space-separated numbers, dots and dashes) clearly do not match the data in front of you.
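The same peel, written out as an added example rather than the lab's own code: a small alphabet fingerprinter (base32 versus base64 and the decoy formats), an Atbash mirror, and a base32-then-Atbash unwrap run over a constructed sample flag (not the real one).

```python
import base64
import re
import string

# Alphabet fingerprints: the character set each encoding can produce.
# A base32 string also fits base64's wider alphabet, so the narrower match wins.
FINGERPRINTS = {
    "base32": re.compile(r"[A-Z2-7]+=*"),
    "base64": re.compile(r"[A-Za-z0-9+/]+=*"),
    "binary": re.compile(r"[01]+(\s[01]+)*"),
    "decimal": re.compile(r"\d+(\s\d+)*"),
    "morse": re.compile(r"[.\-]+(\s[.\-/]+)*"),
}

def fingerprint(s: str) -> list:
    """Names of encodings whose alphabet covers the whole (stripped) string."""
    s = s.strip()
    return [name for name, rx in FINGERPRINTS.items() if rx.fullmatch(s)]

def atbash(text: str) -> str:
    """Mirror each ASCII letter in its alphabet (A<->Z, B<->Y, ...); everything else unchanged."""
    upper, lower = string.ascii_uppercase, string.ascii_lowercase
    table = str.maketrans(upper + lower, upper[::-1] + lower[::-1])
    return text.translate(table)

def decode_base32(s: str) -> str:
    """Decode base32, restoring any '=' padding the puzzle may have dropped."""
    s = s.strip()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s).decode("utf-8")

def peel(encoded: str) -> str:
    """Peel the two layers in order: base32 first, then Atbash (its own inverse)."""
    layers = fingerprint(encoded)
    if "base32" not in layers:
        raise ValueError(f"not base32-shaped; alphabet matches {layers or 'nothing'}")
    return atbash(decode_base32(encoded))

def encode_two_layer(plaintext: str) -> str:
    """Build a challenge string the way the puzzle does: Atbash, then base32."""
    return base64.b32encode(atbash(plaintext).encode("utf-8")).decode("ascii")

# Constructed sample flag for this example; not the challenge's real flag.
SAMPLE_FLAG = "HDNA{constructed_example_flag}"
SAMPLE_ENCODED = encode_two_layer(SAMPLE_FLAG)

if __name__ == "__main__":
    print("encoded:", SAMPLE_ENCODED, "looks like", fingerprint(SAMPLE_ENCODED))
    print("peeled :", peel(SAMPLE_ENCODED))
```

Note that `fingerprint` lists every alphabet the string fits, so a base32 blob also reports base64; picking the narrowest match is exactly the triage rule from the text.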
Common mistakes
- Mistaking base32 for base64. The give-away is the alphabet: no lowercase and no + or / means base32, not base64.
- Stopping after one layer. The base32 output is still scrambled; recognise the mirrored letters as Atbash and peel again.
- Trying decoy decoders. Binary, decimal, and morse expect very different input; check the character set before tapping.
- Applying Atbash twice. Atbash is self-inverse, so a second tap re-scrambles it.
How to protect yourself
Classic ciphers and encodings provide zero confidentiality - they are puzzles, not protection. The defensive lesson is the same as always: if data must be secret, encrypt it properly; if you find data behind base32/Atbash/ROT in your own systems, treat it as plaintext.
- Learn the common fingerprints (base32, base64, hex, Atbash, ROT) to triage encoded data quickly.
- Never use a classic cipher to protect anything real.
- When reviewing your systems, decode encoded values to confirm nothing sensitive hides one tap from plaintext.