I'm adding this writeup primarily because so many people were complaining about this challenge. I think this is an example of a challenge that will turn people away from CTFs as it only minimally has to do with crypto and has more to do with guessing what the challenge author wants. This challenge was worth 100 points.


All we are given is a link to This web page has an entry field, and will give an error if you enter too few characters (i think it was 5 or something) and complain that "Your note isn't long enough so it's not security". This would lead you to believe that the solution has something to do with the length of the input string.



In fact, the entire interface has nothing to do with this challenge. It was trivial to determine that it was simply a lookup table on the back end. The letters didn't change their input->output mappings based on position or surroundings. The input was also the same length as the output. Using the printable characters as an input string ("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~") we can directly look up the dictionary, which only actually translates a-z (regardless of capitalization). The dictionary is as follows:


[('a', 'U'),
 ('b', 'N'),
 ('c', 'H'),
 ('d', 'M'),
 ('e', 'A'),
 ('f', 'Q'),
 ('g', 'W'),
 ('h', 'Z'),
 ('i', 'I'),
 ('j', 'D'),
 ('k', 'Y'),
 ('l', 'P'),
 ('m', 'R'),
 ('n', 'C'),
 ('o', 'J'),
 ('p', 'K'),
 ('q', 'B'),
 ('r', 'G'),
 ('s', 'V'),
 ('t', 'S'),
 ('u', 'L'),
 ('v', 'O'),
 ('w', 'E'),
 ('x', 'T'),
 ('y', 'X'),
 ('z', 'F')]


There were some vague references to "what is Notesy", which if you look it up is an application that just saves notes to dropbox. Bottom line is that the determination of what the lookup table was I believe was done by most teams very quickly. But due to the lack of other information (and misleading errors and statements in the chatroom), people wasted time on a problem that really didn't need any time. Towards the end of the competition hints were dropped, one including a youtube video of Nick Cage saying the alphabet. Sure enough, if you just put the alphabet translation in as a single string, that's the flag.




Note to others creating challenges... Don't do this. Security CTFs are about solving security related challenges, not guessing what the author had intended.