Figure 1: The Challenge description
Figure 2: Inspecting the file type and metadata associated with the download.

The file was downloaded with wget then examined with the file command, revealing it to be a JPEG image file (figure 3).

Figure 3: atbash.jpg image from the challenge

On superficial inspection, the picture shows a conversion wheel for a type of cipher, Atbash. It also points to a website, RoyalOrderoftheHolyMackerel.com. Trying to access the website proved to be unsuccessful.

However, some OSINT on its fandom wiki page [1] revealed the order to be a secret society, dedicated to decoding and protecting the secrets of Gravity Falls, a cartoon series. It even made a cameo in the show itself.

Given that a quick OSINT didn’t indicate the flag to be remotely on other sites, the flag could be instead encrypted and embedded into the local image itself through steganography. A renowned tool to extract stego data from images, when the passphrase is unknown is Stegseek. If the user does not specify a custom wordlist, Stegseek will crack the passphrase using a default wordlist located at /usr/share/wordlists/rockyou.txt.

Figure 4: The steganography of the flag being revealed as a cipher.

Stegseek then reveals that the flag is an encrypted string: krxlXGU{zgyzhs_xizxp_vx4zyz61}. (Figure 4)

The flag seems to be encrypted and the clue is in the picture. Some reading from geeksforgeeks [2] reveals Atbash to be a type of substitution cipher with one key. It works by mapping the letters of an alphabetical language to corresponding letters when the alphabet is reversed. As shown in atbash.jpg, A becomes Z, Z becomes A etc.

To avoid reliance on pre-made tools, I have written a python script, atbash_decypher.py to decrypt the flag, revealing the answer to be: picoctf{atbash_crack_ec4aba61}. (Figure 5)

Figure 5: The flag is decrypted with the script.

An alternative option is to use dcode website’s Atbash Cipher option [3]. This was deployed and it reproduced my answer from the encrypted flag, validating its correctness.


[1] “The Royal Order of the Holy Mackerel,” The Royal Order of the Holy Mackerel Wiki. https://royalorderoftheholymackerel.fandom.com/wiki/The_Royal_Order_of_the_Holy_Mackerel (accessed Mar. 31, 2023).

[2] “Implementing Atbash Cipher,” GeeksforGeeks, Jun. 11, 2017. https://www.geeksforgeeks.org/implementing-atbash-cipher/

[3] “Atbash Cipher – Backwards/Reverse Alphabet – Online Decoder/Translator,” www.dcode.fr. https://www.dcode.fr/atbash-cipher

You Might Also Like

Leave a Reply