write-up of ‘s3cret_m3$age’ from EG-CERT CTF Competition.

Hello folks, I hope you are okay!

Here is my write-up of ‘s3cret_m3$age’ from EG-CERT CTF Competition.

I opened the challenge and it says there is a historical message and I should decrypt it to read the flag so, I downloaded the photo and it was something weird to me!

I didn’t know how to search about this cipher  then I guessed that this is a historical cipher because it contain a historical message so, I tried to search about all types of historical ciphers and their algorithms and I found this link https://interestingengineering.com/11-cryptographic-methods-that-marked-history-from-the-caesar-cipher-to-enigma-code-and-beyond

And I found the cipher, it’s called PigPen cipher then I searched for pigpen decoder and I found https://www.dcode.fr/pigpen-cipher so i decrypted the cipher text and the there were 7 different results

I copied the 7 results and organized them and I analyzed them and I guessed that they are encrypted again with another cipher

and I though it maybe a Ceaser cipher so I used https://www.dcode.fr/caesar-cipher to brute-force every result from the 7 result and every result produced 25 result from Ceaser cipher so I took much time to analysis the whole results and when I decrypted the cipher number 7 [ SGJT JT B NFTTBHF EQPN QBNFTTFT JJ SGF EKBH JT: OJHOFM_BTTBTTJMT_DQFFC_JT_ETMMV ] from pigpen with Ceaser decoder I found a closer readable format [ RFIS IS A MESSAGE DPOM PAMESSES II RFE DJAG IS: NIGNEL_ASSASSILS_CPEEB_IS_DSLLU ]

And here is the hard part, I took almost 1 hour to analyze the output and relate every part of the message with the other and here are the steps that I take:

  • I noticed that the [DPOM] can turned to [FROM] so I turned every ‘D’ in the cipher text with ‘F’ and every ‘P’ with ‘R’ and the first result was
    [ RFIS IS A MESSAGE FROM RAMESSES II RFE DJAG IS: NIGNEL_ASSASSILS_CREED_IS_FSLLU ]
  • I found that not all characters can be changed so the fixed characters was [messagei] and I found name of ‘RAMESSES II’ and ‘ASSASINS_CREED’ so I turned all ‘l’ characters to ‘n’ and I searched about any messages relate assassins creed with Ramesses II and I didn’t found anything so I continued analyzing the rest of the cipher and the second result was
    [ RFIS IS A MESSAGE FROM RAMESSES II RFE DJAG IS: NIGNEN_ASSASSINS_CREED_IS_FSNNU ]
  • Then I noticed that the we can change the character to its original value by adding 2 to it so the third result was
    [ THIS IS A MESSAGE FROM RAMESSES II THE FLAG IS: PIGPEN_ASSASSINS_CREED_IS_FUNNW ]
  • I submit this flag EGCTF{pigpen_assassins_creed_is_funnw} but it was wrong and I though the wrong was the in the last 5 characters so I tried this flag EGCTF{pigpen_assassins_creed_is_funnw} and it was wrong too
  • I took 25 minutes to think about suitable word consist of 5 characters and my brain gives me error 403! and I said this is not fu**ing funny and I repeated funny! .. it can be funny! So I submitted this flag  EGCTF{pigpen_assassins_creed_is_funny} and finally it was accepted!

Thank you for your time and I’m waiting for your feedback ..
stay tuned for another write-ups

You can find me on Facebook, Twitter.

Leave a comment

Start a Blog at WordPress.com.

Up ↑

Design a site like this with WordPress.com
Get started