Unshift the Letters: Reversing a ROT13 Flag
O desafio
Cada letra deste flag foi deslocada no alfabeto. As chaves e os sublinhados ficaram no lugar, então o formato ainda parece certo - só as letras estão erradas. Toque no decodificador que as coloca de volta, depois envie o flag.
O que você vai aprender
- Recognise a letter shift by the intact brackets and shifted letters of a flag
- Reverse a ROT13 shift with a single decoder button
- Understand that a fixed letter shift offers no real secrecy
- See that rotating letters needs no key, so anyone can undo it
- Rule out base64 and hex by noticing the string is plain letters in a flag shape
Habilidades testadas
Pré-requisitos
- Knowing the order of the English alphabet
- Comfort reading a short flag of the form NAME{some_text}
Como funciona
ROT13 is a tiny, very old way of scrambling text. It moves every letter 13 places along the alphabet, so A becomes N, B becomes O, and so on, wrapping around at the end. Because the English alphabet has 26 letters and 13 is exactly half of that, doing ROT13 a second time brings every letter right back. That is why the same button both scrambles and unscrambles.
The important thing for security is what ROT13 leaves untouched. Spaces, brackets, underscores, and digits are not letters, so they do not move. That means the overall shape of the text survives. In a flag you can still see the prefix, the braces, and the underscores in their normal spots while only the letters look wrong. That intact structure with shuffled letters is the classic fingerprint of a Caesar-style shift such as ROT13.
ROT13 has no key. The rule is public and fixed, so reversing it needs no password and no permission. That makes it encoding, not encryption. It is fine for hiding a spoiler or lightly obscuring text, but it gives a value no real privacy. The base64 and hex buttons in the lab expect different input shapes and would only mangle a plain letter string, so they are decoys here.
Erros comuns
- Reaching for base64 first. The string is plain letters in a flag shape with no
=padding, so it is not base64. The shifted letters point to ROT13. - Thinking the value is protected. A shift with no key is not a lock. Anyone can reverse ROT13 in one click.
- Shifting twice. Tapping ROT13 again re-scrambles the now-readable flag. Apply it once and stop when the words read normally.
- Submitting the scrambled version. Only the unshifted flag is correct, so decode it before you submit.
Como se proteger
The takeaway for builders is that a letter shift is never a security control. If a value is sensitive, protect it with real encryption that needs a managed secret key, or do not expose it at all. Seeing ROT13 or any fixed shift around a value should be read as "lightly obscured", never as "secured".
- Never use ROT13 or a Caesar shift to hide passwords, tokens, or personal data.
- Use proper encryption with a managed key when data must stay confidential.
- Treat any reversible shift or encoding you find as cosmetic and decode it to check what is underneath.
- When reviewing your own systems, unshift and decode every obscured value to confirm nothing sensitive is one click from plain text.