Hey guys, John Hammond here, back with more of the picoCTF, trying to get into the getting-started, beginner-level stuff for capture the flag. So we finished up the reverse engineering category and now we can move into something else. Let's try the cryptography section. This challenge is called Substitute, for 40 points. It says: "A wizard (he seemed kind of odd...) handed me this. Can you figure out what it says?" OK, looks like a lot of random text. Practically gibberish here. So what do we do with this? Let's check out the hints just to see: "There are a lot of tools that make this easy."
OK, so I, as someone that's kind of been doing this for a little bit, kind of know I want to go straight to quipqiup. And if you have never seen that tool before, that's OK. quipqiup.com, Q-U-I-P, Q-I-U-P. And that will try and solve and crack simple substitution ciphers. And that's what I'm going to assume this is, with the challenge title being Substitute and the text all being seemingly English characters with all capitalization, a little bit of punctuation. But yeah, there are no special characters in here. There aren't any numbers. This is just text. So I can assume it's a substitution cipher. Let's plop it in here. You can hit solve. And then if you wanted to, you can supply clues for it to determine like, OK, I know these substitutions aren't intact, but otherwise it figures it out just fine. It takes a little bit of time to get the correct one for this serious amount of text.
But if you wanted to look more into substitution ciphers, you certainly could. Again, Wikipedia is your friend, but it will just map one letter in the alphabet to another letter in the alphabet. Not like a Caesar cipher would with ROT13 or anything, but instead a random letter. It doesn't matter which one, but we can give it a certain ciphertext or a notion that a key of letters that we want them to be mapped to. So we have here "the flag is if only modern crypto was like this". So let's take that and save it.
Just to put it in here, make directory substitution, flag dot text, save it again just for good CTF hygiene. We can submit that if we really want to get that point on the scoreboard. Perfect. Up 40 points. Not too hard. That was a good introductory challenge for substitution ciphers. And if you haven't seen quipqiup before, definitely add that to your toolkit.
I was a little bummed because I struggled that I don't have a good utility, or I don't know of one yet, that will solve these substitution ciphers without having this online resource of quipqiup. So I tried to Google a little bit ago like "Python substitution cipher", not spelling anything correctly, whatever. I think I tried like "Python quipqiup". Wow, I did not spell any of that correctly. And I found this GitHub repository, Rallop substitute breaker. And it looks like it says "break substitute cipher using quipqiup for CTFs and competitions". I didn't know if this was using just the same algorithm as quipqiup, but I took a look at it and it looks like it is literally just making a call to an online API like this, whatever Amazon AWS notion.
So what I did is I downloaded this and I'm going to put it in our substitution complete thing called break. You can save this here and let's take this original string so we can mess it in Python. Cool. So zoom out. I have my Patreon supporters listed over there. So I can probably just put this in a regular string. It doesn't need to be that triple quote. But if you haven't used Python before, I don't want you to be too scared of this way. I am just going to be, oh, is there another single quote in there? Okay. So let's do the triple quote because there may be other, I saw Sublime Text was highlighting the very end of that string. So there may be another double quote or single quote in there. So I wouldn't be able to use those as options. So let's just say like ciphertext can be equal to that, setting a variable in Python.
And then we can pass that along to what we're trying to run here, ciphertext. That's going to run as an argument to the decode substitution cipher. Decode substitute function that looks like it's just going to use the requests module, which if you don't have installed, you can pip install, but I've used it a bit before. If you don't want to go ahead in this endeavor, that's totally cool. I just want to showcase it, and it will just go ahead and post this and use JSON to work with the data. This will actually return a string of JSON. So what I want to do is like turn that back into a regular JSON object. And I'm going to use like pprint to actually make it look pretty good for us and actually legible and easy to read. So let's pass that to pprint instead of regular print. So it's pretty cool.
CDM to substitute. Let's make that script executable, break. And I need to be using environment in Python because that may not be the actual path. Oh, and this is with a not expected return character in the Vivre line. So let's run dos2unix, which if you haven't seen before is a neat utility to kind of remove all those carriage returns at the end of the line. And then you should be able to run things. Okay, so this is going to take a little bit of time, but it is querying quipqiup. It'll take about the same amount of time that it did originally and I can check out just the top result here. "The flag is if only modern crypto was like this." Slick, it does, it does get that result and you can see it as a dictionary object and solutions. And if you wanted to, you could just parse through that if you knew a little bit more Python, but I thought that'd be cool to kind of showcase this and have a command line tool. Kind of obviously this still needs internet to be able to pull out and use that quipqiup functionality. But if you ever wanted to script multiple things like this, this gives you a little bit more usage than clicking around with your mouse on a web browser.
You know what I mean? All right, sweet. Let's get back to shouting out the people that I love because they support me. Thank you so much for being able to do this. This list is getting longer, so I'm not going to run through names, but I'm grateful for each and every one of you and all that you do to help grow the channel. $1 a month on Patreon will give you a special shout out at the end of every video just like this. $5 a month, it'll give you early access to all the content I create and put online. And if you really like this video, please do click that like button. Maybe leave me a comment, maybe subscribe. And if you're willing to, check me out on Patreon. Thanks, guys.
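Added example, not part of the video and not the code of quipqiup or of the GitHub script mentioned above: a small offline sketch of the "supply clues" idea, where a guessed plaintext fragment is slid over a simple-substitution ciphertext to recover part of the letter mapping. The key, the sample message and all function names are constructed for illustration.

```python
import string

ALPHA = string.ascii_uppercase
# Constructed for this example: a key (A->Q, B->W, ...) and a sample message.
KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"
PLAINTEXT = "THE FLAG IS NOTAREALFLAG"


def encrypt(plaintext, key=KEY):
    """Simple substitution: the i-th alphabet letter becomes key[i];
    spaces and punctuation pass through unchanged."""
    return plaintext.upper().translate(str.maketrans(ALPHA, key))


def crib_mappings(ciphertext, crib):
    """Slide a guessed plaintext fragment over the ciphertext and yield
    (offset, cipher->plain map) wherever the guess fits one-to-one."""
    crib = crib.upper()
    for start in range(len(ciphertext) - len(crib) + 1):
        window = ciphertext[start:start + len(crib)]
        c2p, p2c = {}, {}
        for c, p in zip(window, crib):
            if c.isalpha() and p.isalpha():
                # Reject if a letter would need two different partners.
                if c2p.setdefault(c, p) != p or p2c.setdefault(p, c) != c:
                    break
            elif c != p:  # non-letters must line up exactly
                break
        else:
            yield start, c2p


def apply_partial(ciphertext, c2p):
    """Decrypt the letters the map covers; show the rest as '_'."""
    return "".join(c2p.get(ch, "_") if ch.isalpha() else ch
                   for ch in ciphertext)


CIPHERTEXT = encrypt(PLAINTEXT)

if __name__ == "__main__":
    print(CIPHERTEXT)
    for offset, mapping in crib_mappings(CIPHERTEXT, "THE FLAG IS"):
        print(offset, apply_partial(CIPHERTEXT, mapping))
```

The underscores in the output are the letters the clue did not cover; a full solver fills those in with language statistics, which this sketch does not attempt.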