Two-Layer Classic: Base32 and the Atbash Cipher

Cryptography Level 2/5 ~3 min 2026-06-30

The challenge

This string uses only the letters A-Z and the digits 2-7 - a clear sign of a specific encoding. Remove that layer, then note that the result is a well-known letter cipher. Use the decode buttons to recover the flag (HDNA{...}) and submit it.

What you will learn

  • Recognise base32 by its restricted A-Z 2-7 alphabet and = padding
  • Identify the Atbash cipher from its mirror-alphabet pattern
  • Peel a two-layer encoding/cipher chain in the correct order
  • Dismiss decoy transforms whose input format does not match

Skills tested

  • base32 recognition
  • Atbash decoding
  • Layer fingerprinting

Prerequisites

  • Familiarity with base64 vs base32
  • Awareness of substitution ciphers

How it works

Recognising an encoding by sight is one of the fastest skills in CTF and triage work. Different schemes leave different fingerprints. base64 uses A-Z, a-z, 0-9, plus + and /. base32 is narrower: only uppercase A-Z and the digits 2-7, frequently with = padding. When you see a string in only that alphabet, base32 is almost always the answer.

Decode the base32 here and you do not get plaintext - you get text where the structure is right but the letters are wrong, each one swapped for its mirror in the alphabet. That mirror pattern (A becomes Z, B becomes Y, and so on) is the Atbash cipher, one of the oldest substitution ciphers. Atbash is its own inverse, so applying it again undoes it.

The decoder lab lets you stack transforms by tapping buttons, each applied to the previous result. Tap base32, then atbash, and the flag falls out. The lab also offers binary, decimal, and morse decoders - useful in other challenges, but here they are decoys whose input shapes (1s and 0s, space-separated numbers, dots and dashes) clearly do not match the data in front of you.
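
The fingerprint-then-peel workflow described above, as an added Python example (not part of the original page or the lab's own code): it checks the character set against each decoder's input shape, decodes base32, and applies Atbash only when that reveals the HDNA{ prefix. The sample flag, the function names and the assumption that base32/base64 input is padded are constructed for illustration.

```python
import base64
import re
import string

# Character-set fingerprints for the decoders named above, narrowest first,
# so a base32 string is not misreported as base64 (its alphabet is a subset).
# Third field: required block size (assumption: base32/base64 input is padded).
FINGERPRINTS = [
    ("binary", re.compile(r"[01\s]+"), 1),
    ("decimal", re.compile(r"\d+(\s+\d+)*"), 1),
    ("morse", re.compile(r"[.\-/\s]+"), 1),
    ("base32", re.compile(r"[A-Z2-7]+=*"), 8),
    ("base64", re.compile(r"[A-Za-z0-9+/]+=*"), 4),
]

ATBASH = str.maketrans(
    string.ascii_uppercase + string.ascii_lowercase,
    string.ascii_uppercase[::-1] + string.ascii_lowercase[::-1],
)

def fingerprint(blob):
    """Return the first encoding whose alphabet and block size fit blob."""
    for name, pattern, block in FINGERPRINTS:
        if pattern.fullmatch(blob) and len(blob) % block == 0:
            return name
    return None

def atbash(text):
    """Mirror each letter (A<->Z, B<->Y, ...); non-letters pass through."""
    return text.translate(ATBASH)

def peel(blob, prefix="HDNA{"):
    """Peel base32, then Atbash if that reveals the expected flag prefix."""
    if fingerprint(blob) != "base32":
        raise ValueError("input does not fingerprint as base32")
    text = base64.b32decode(blob).decode("ascii")
    layers = ["base32"]
    if not text.startswith(prefix) and atbash(text).startswith(prefix):
        text = atbash(text)
        layers.append("atbash")
    return layers, text

# Constructed sample: a made-up flag wrapped in Atbash, then base32.
SAMPLE = base64.b32encode(atbash("HDNA{constructed_sample}").encode()).decode()

if __name__ == "__main__":
    print(SAMPLE, "->", fingerprint(SAMPLE), "->", peel(SAMPLE))
```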

Common mistakes

  • Mistaking base32 for base64. The give-away is the alphabet: no lowercase and no + or / means base32, not base64.
  • Stopping after one layer. The base32 output is still scrambled; recognise the mirrored letters as Atbash and peel again.
  • Trying decoy decoders. Binary, decimal, and morse expect very different input; check the character set before tapping.
  • Applying Atbash twice. Atbash is self-inverse, so a second tap re-scrambles it.

How to protect yourself

Classic ciphers and encodings provide zero confidentiality - they are puzzles, not protection. The defensive lesson is the same as always: if data must be secret, encrypt it properly; if you find data behind base32/Atbash/ROT in your own systems, treat it as plaintext.

  • Learn the common fingerprints (base32, base64, hex, Atbash, ROT) to triage encoded data quickly.
  • Never use a classic cipher to protect anything real.
  • When reviewing your systems, decode encoded values to confirm nothing sensitive hides one tap from plaintext.


Community statistics

55 solves
76% success rate
M2F14M3 First blood
