Dear Alice, It has been many moons since we last managed to talk in plain English. Hopefully my messenger has delivered to you this letter in-person, else assume we are compromised. Last week I was glad to receive your latest letter, and to see that your "multi Czar" code is coming along nicely. So far I have been unable to decipher it, which bodes well for the security of our future messages - but does feel a little frustrating. Rather ingenious, although I do fear it is vulnerable in some way I can't quite elucidate yet.
đ Given Files
challenge.py
out.txt
đĄ Walkthough
Inspect challenge.py to understand the encryption routine (alphabet, key generation, how bytes/letters are combined).
Inspect out.txt: it contains many ciphertext lines, all in the format 07CTF{...}. Note: the braces and flag wrapper are literal; the inner token is the encrypted payload.
Notice the encryption uses a random per-message key drawn only from letters 'b'..'z' (i.e. key letters are never 'a', so shift â {1..25}). This means each encryption is a modular add (plaintext + key) mod 26 per character â effectively a Vigenère/poly-alphabetic Caesar with non-zero shifts.
Because all outputs are the same plaintext encrypted with different random keys but keys never include shift 0, for each character-position (column) across all ciphertexts every letter except the true plaintext letter can appear. Thus the true plaintext letter for a position is the one letter missing from that column across the many ciphertext lines.
Recover the plaintext interior by: parse all inner cipher strings, transpose characters per position, compute the missing letter in each column, and join to get the recovered (but still Caesar-shifted) message.
The recovered message reads as an English-like phrase but appears Caesar-shifted. Try small Caesar shifts; shifting by â12 yields a readable English sentence.
Format final answer as the required flag:Â 07CTF{...}.
Exploitation
The Python code used to recover the flag:
reads out.txt,
extracts the inner ciphertext between { and } for every line,
transposes the list of strings to get columns,
for each column finds the missing letter from a..z,
joins them to form the recovered string,
then tries Caesar shifts and prints the human-readable candidate. Finally it prints the flag wrapped in 07CTF{}.
from string import ascii_lowercase
from collections import Counter
def caesar(s, shift):
out = []
for ch in s:
if ch.isalpha():
# assume lowercase
idx = ascii_lowercase.index(ch)
out.append(ascii_lowercase[(idx + shift) % 26])
else:
out.append(ch)
return ''.join(out)
# Read out.txt and collect the inner ciphertexts
lines = []
with open('out.txt', 'r') as f:
for L in f:
L = L.strip()
if not L:
continue
# expect format 07CTF{<cipher>}
if '{' in L and '}' in L:
inner = L.split('{',1)[1].rsplit('}',1)[0]
lines.append(inner)
# Sanity
n = len(lines)
print(f"Collected {n} ciphertext lines.")
if n == 0:
raise SystemExit("no ciphertexts found")
# Ensure all inner strings have same length
lengths = set(len(x) for x in lines)
if len(lengths) != 1:
print("Warning: varying lengths:", lengths)
L = len(lines[0])
print("Ciphertext inner length:", L)
# Transpose and find missing letter in each column
plaintext_chars = []
for i in range(L):
col = [s[i] for s in lines]
present = set(col)
missing = [c for c in ascii_lowercase if c not in present]
if len(missing) == 1:
plaintext_chars.append(missing[0])
else:
# If more than one missing (unlikely with many samples) or zero, choose best guess
# Here we choose the first missing as fallback
plaintext_chars.append(missing[0] if missing else '?')
print(f"Position {i}: ambiguous or no missing letters, missing={missing}")
recovered = ''.join(plaintext_chars)
print("Recovered (pre-Caesar) :", recovered)
# Try all Caesar shifts to find readable English
for shift in range(26):
candidate = caesar(recovered, shift)
# Heuristic: print shifts that produce vowels and words (manual check)
if 'the' in candidate or 'enigma' in candidate or 'thought' in candidate or candidate.count(' ')>0:
print(f"shift {shift:2d}: {candidate}")
else:
# print a few likely shifts for manual inspection:
if shift in (0,12,14,20):
print(f"shift {shift:2d}: {candidate}")
# Based on inspection shift = -12 (or +14) produced readable English:
flag_inner = caesar(recovered, -12) # undoing a +12 cipher
flag = f"07CTF{{{flag_inner}}}"
print("\nFLAG:", flag)
challenge.py encrypts the same plaintext many times with independently random keys chosen from 'b'..'z' (i.e. shifts 1..25).
Because the key never uses 'a' (shift 0), for a fixed plaintext position the ciphertext will never equal the plaintext letter.
Across enough independent encryptions with uniformly random non-zero shifts, every other letter at that position will almost surely appear at least once. So the only letter that never appears in that column is the original plaintext letter. Collecting the unique missing letter per column reconstructs the original plaintext (possibly still Caesar-shifted). The phrase then required a single Caesar rotation (the âCzarâ hint) to recover proper English.
