
OverTheWire Bandit Level 12: Decoding ROT13 (Caesar Cipher)

OverTheWire Bandit Level 12 walkthrough. Learn how to decode ROT13 encoded data using rot13 or tr commands, understand Caesar ciphers, and extract passwords from rotated text.


Level 12 introduces ROT13, a simple substitution cipher where letters are rotated by 13 positions. ROT13 is a special case of the Caesar cipher, and it's commonly used for obfuscation (though not for real security). Understanding how to decode ROT13 is useful in penetration testing, as you'll encounter it in CTFs, obfuscated code, and encoded messages.

Level 12 teaches you:

  • Using rot13 command to decode ROT13 data
  • Using tr command as an alternative method
  • Understanding ROT13 and Caesar ciphers
  • Using pipes to process encoded data
  • Extracting passwords from rotated text

This level builds on what you learned about encoding and decoding. ROT13 is another encoding scheme you'll encounter, and knowing how to decode it quickly is a valuable skill.


🎯 The Objective

After logging into bandit11, your goal is to find the password for Level 12. The password is in a file called data.txt in your home directory. The file contains text where all lowercase and uppercase letters have been rotated by 13 positions; this is ROT13 encoding.

What Level 12 teaches:

  • Using rot13 to decode ROT13 data
  • Understanding ROT13 encoding
  • Alternative methods using tr command
  • Using pipes to process encoded files
  • Extracting readable text from rotated data

The challenge: The file contains ROT13 encoded text. You need to decode it to reveal the password. The decoded output will contain a phrase with the password.


🔍 Understanding the Problem

Let's start by connecting to Level 11 and seeing what we're dealing with:

sshpass -p `cat bandit11` ssh bandit11@bandit.labs.overthewire.org -p 2220

Once connected, let's check the data.txt file:

cat data.txt

You should see text that looks readable but doesn't make sense, because the letters are rotated. For example, "Hello" would appear as "Uryyb" in ROT13.

Example of ROT13 encoded text:

Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh

The problem: How do you decode this ROT13 string to reveal the password?

The answer: Use the rot13 command (if available) or the tr command to rotate the letters back by 13 positions.


🧠 Understanding ROT13

Let's dive deeper into ROT13, because understanding it helps you recognize it in the wild:

What Is ROT13?

ROT13 (Rotate by 13) is a simple substitution cipher:

  • Each letter is shifted 13 positions in the alphabet
  • Since there are 26 letters, ROT13 is its own inverse (encoding twice gives you the original)
  • Only affects letters (A-Z, a-z); numbers and symbols stay the same

ROT13 mapping:

A → N    a → n
B → O    b → o
C → P    c → p
...
M → Z    m → z
N → A    n → a
O → B    o → b
...
Z → M    z → m

Example:

Original:  Hello World
ROT13:     Uryyb Jbeyq
ROT13 again: Hello World (back to original!)

Why ROT13 Exists

ROT13 is used for:

  • Obfuscation: Hiding spoilers, jokes, or answers
  • CTF challenges: Common in capture-the-flag competitions
  • Simple encoding: Not for security, just obfuscation
  • Practice: Learning about ciphers and encoding

Important: ROT13 is not encryption; it's easily reversible. Anyone can decode it. Don't use it for security!

ROT13 vs. Caesar Cipher

ROT13 is a special case of the Caesar cipher:

  • Caesar cipher: Shift by any number (1-25)
  • ROT13: Shift by exactly 13 positions
  • Why 13? Because 13 is half of 26, making ROT13 its own inverse

📋 Step-by-Step Walkthrough

Step 1: Connect to Level 11

sshpass -p `cat bandit11` ssh bandit11@bandit.labs.overthewire.org -p 2220

Step 2: Check the File

Let's see what we're working with:

cat data.txt

You should see ROT13 encoded text. It will look like readable letters, but they won't make sense because they're rotated.

Step 3: Decode the ROT13 Data

There are two main methods to decode ROT13:

Method 1: Using rot13 Command (If Available)

First, check if rot13 is installed:

which rot13

If rot13 is not available, you may need to install bsdgames:

# On Debian/Ubuntu:
sudo apt-get install bsdgames

# On RHEL/CentOS:
sudo yum install bsd-games

Once rot13 is available, decode the file:

cat data.txt | rot13

Breaking this down:

  • cat data.txt: Reads the file contents (the ROT13 encoded string)
  • |: Pipes the output to the next command
  • rot13: Decodes the ROT13 data

Method 2: Using tr Command (More Common)

The tr command is more commonly available and can also decode ROT13:

cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

Breaking this down:

  • cat data.txt: Reads the file contents
  • |: Pipes the output to the next command
  • tr 'A-Za-z' 'N-ZA-Mn-za-m': Translates characters (maps A-Z to N-ZA-M, a-z to n-za-m)

What this does:

  • Maps A→N, B→O, ..., M→Z, N→A, ..., Z→M (uppercase)
  • Maps a→n, b→o, ..., m→z, n→a, ..., z→m (lowercase)
  • This is exactly ROT13!

What you'll see: The decoded output will be readable text. It might contain a phrase like "The password is [password]" or similar. The password will be in that decoded text.

Example output:

The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

Step 4: Extract the Password

The decoded output will contain the password. It might be in a phrase like "The password is [password]" or just be the password itself. Copy the password string; that's your password for Level 12.

Step 5: Save the Password

Copy the password and save it:

On Linux/macOS:

echo "PASSWORD_HERE" > bandit12

On Windows (PowerShell):

"PASSWORD_HERE" | Out-File -FilePath bandit12 -NoNewline

Step 6: Connect to Level 12

sshpass -p `cat bandit12` ssh bandit12@bandit.labs.overthewire.org -p 2220

💡 Understanding the tr Command

Let's dive deeper into tr, because it's more commonly available than rot13:

What tr Does

The tr command translates or deletes characters:

tr 'SET1' 'SET2'

What it does:

  • Reads from stdin
  • Translates characters from SET1 to SET2
  • Outputs the translated text

ROT13 with tr

For ROT13, we use:

tr 'A-Za-z' 'N-ZA-Mn-za-m'

How it works:

  • A-Za-z: All uppercase and lowercase letters (input)
  • N-ZA-Mn-za-m: Rotated letters (output)
    • A→N, B→O, ..., M→Z, N→A, ..., Z→M (uppercase)
    • a→n, b→o, ..., m→z, n→a, ..., z→m (lowercase)

Example:

echo "Hello" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
# Output: Uryyb

Why tr Is Useful

The tr command is:

  • More common: Usually pre-installed on Linux systems
  • More flexible: Can do other translations, not just ROT13
  • Standard: Part of coreutils, available everywhere

For Level 12: We can use either rot13 or tr, but tr is more commonly available.


🛠️ Alternative Methods

Here are different ways to decode ROT13:

Method 1: Using rot13 Command

cat data.txt | rot13

Pros: Simple, dedicated command for ROT13
Cons: May need to install bsdgames package

Method 2: Using tr Command

cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

Pros: More commonly available, no installation needed
Cons: Slightly more complex syntax

Method 3: Using Python (If Available)

python3 -c "import codecs; print(codecs.decode(open('data.txt').read(), 'rot13'))"

Pros: Works if Python is available
Cons: More complex, requires Python

You could use online ROT13 decoders, but:

  • Pros: Quick, no command needed
  • Cons: Doesn't teach you Linux skills, requires internet, less secure

For Level 12, use Method 1 or 2. They're both efficient and teach you valuable skills. Method 2 (tr) is recommended because it's more commonly available.


🔒 Real-World Context

Why does this matter in penetration testing?

In real security assessments, you'll encounter ROT13 and similar ciphers:

1. CTF Challenges

Capture-the-flag competitions often use ROT13 for:

  • Obfuscated flags
  • Hidden messages
  • Encoding challenges
  • Learning exercises

Example: Decoding ROT13 in CTF challenges:

cat flag.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'

2. Obfuscated Code

Developers sometimes use ROT13 to obfuscate:

  • String literals
  • Variable names
  • Comments
  • Error messages

Example: Finding ROT13 in source code:

grep -r "ROT13\|rot13" /path/to/code

3. Malware Analysis

Malware might use ROT13 to:

  • Hide strings
  • Obfuscate C2 communications
  • Encode data
  • Evade detection

Example: Decoding ROT13 in malware:

strings malware.exe | tr 'A-Za-z' 'N-ZA-Mn-za-m'

4. Web Application Analysis

Web applications might use ROT13 for:

  • Obfuscated JavaScript
  • Hidden form values
  • Encoded parameters
  • Client-side encoding

Example: Decoding ROT13 in web apps:

echo "encoded_string" | tr 'A-Za-z' 'N-ZA-Mn-za-m'

5. Log File Analysis

Log files might contain ROT13 encoded:

  • User input
  • Error messages
  • Debug information
  • Sensitive data

Example: Decoding ROT13 in logs:

grep "ROT13" logfile.txt | cut -d: -f2 | tr 'A-Za-z' 'N-ZA-Mn-za-m'

6. Configuration Files

Configuration files might contain ROT13 encoded:

  • Passwords
  • API keys
  • Connection strings
  • Sensitive settings

Example: Finding and decoding ROT13 in configs:

grep -r "ROT13" /etc/ | cut -d: -f2 | tr 'A-Za-z' 'N-ZA-Mn-za-m'

The skill you're learning: How to decode ROT13 encoded data. This is essential when:

  • Solving CTF challenges
  • Analyzing obfuscated code
  • Examining malware
  • Working with web applications
  • Processing log files
  • Extracting encoded credentials or data

🚨 Common Mistakes

Mistake 1: Wrong tr Mapping

Wrong:

cat data.txt | tr 'A-Z' 'N-Z'
# Only handles uppercase, misses lowercase!

Right:

cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
# Handles both uppercase and lowercase

Why: You need to map both uppercase (A-Z) and lowercase (a-z) letters. The mapping must include both.

Mistake 2: Wrong Rotation Direction

Wrong:

cat data.txt | tr 'A-Za-z' 'M-ZA-Lm-za-l'
# Rotates by 12 instead of 13!

Right:

cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
# Correct ROT13 mapping

Why: ROT13 rotates by exactly 13 positions. The mapping N-ZA-M means:

  • A→N (13 positions forward)
  • N→A (13 positions forward, wraps around)
  • This is correct for ROT13

Mistake 3: Not Understanding ROT13 Is Reversible

Confusion: "Do I encode or decode?"

Clarification:

  • ROT13 is its own inverse
  • Encoding and decoding are the same operation
  • Running ROT13 twice gives you the original text
  • For Level 12, we "decode" (rotate) to get readable text

Example:

echo "Hello" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
# Output: Uryyb

echo "Uryyb" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
# Output: Hello (back to original!)

Mistake 4: Using Wrong Command

Wrong:

cat data.txt | base64 -d
# Wrong! This is for base64, not ROT13

Right:

cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
# Correct for ROT13

Why: Different encoding schemes need different commands. ROT13 needs rot13 or tr, not base64.

Mistake 5: Not Recognizing ROT13 Format

Confusion: "How do I know if something is ROT13?"

Clarification: ROT13 text:

  • Looks like readable letters but doesn't make sense
  • Only affects letters (A-Z, a-z)
  • Numbers and symbols stay the same
  • Common in CTFs and obfuscated code

Example ROT13 patterns:

Gur cnffjbeq vf 5Gr8L4qetPEsPk8htqjhRK8XSP6x2RHh
(Decoded: The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu)

Notice: The numbers (5, 8, 4, etc.) stay the same; only letters are rotated.


💻 Practice Exercise

Try these to reinforce what you learned:

  1. Encode text to ROT13:

    echo "Hello World" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
    # Output: Uryyb Jbeyq
    
  2. Decode ROT13 back:

    echo "Uryyb Jbeyq" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
    # Output: Hello World
    
  3. Decode a file:

    echo "Gur cnffjbeq vf grfg123" > test.rot13
    cat test.rot13 | tr 'A-Za-z' 'N-ZA-Mn-za-m'
    # Output: The password is test123
    
  4. Encode and decode:

    echo "password123" | tr 'A-Za-z' 'N-ZA-Mn-za-m' | tr 'A-Za-z' 'N-ZA-Mn-za-m'
    # Should output: password123 (back to original!)
    
  5. Clean up:

    rm test.rot13
    

🎓 Understanding Caesar Ciphers

This is a good time to understand Caesar ciphers in general:

What Is a Caesar Cipher?

A Caesar cipher shifts letters by a fixed number:

  • ROT1: Shift by 1 (A→B, B→C, ..., Z→A)
  • ROT13: Shift by 13 (A→N, B→O, ..., Z→M)
  • ROT25: Shift by 25 (A→Z, B→A, ..., Z→Y)

Why ROT13 Is Special

ROT13 is special because:

  • 13 is half of 26: Makes it its own inverse
  • Easy to decode: Same operation as encoding
  • Common: Most frequently used rotation

Other Rotations

You can use tr for other rotations too:

ROT1:

tr 'A-Za-z' 'B-ZAb-za'

ROT25:

tr 'A-Za-z' 'ZA-Yza-y'

For Level 12: We use ROT13, which is the most common.
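
The per-shift tr sets above, and the "how do I know if something is ROT13?" question from Mistake 5, can be handled by one small helper. This is an added example, not part of the original walkthrough: rot_n builds the tr sets for any shift, and guess_shift tries all 26 rotations and keeps the one that produces the most common English words. The function names, the word list and both sample strings are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original walkthrough): generic rotation with tr
# plus a shift guesser. Function names and the word list are illustrative.
UPPER=ABCDEFGHIJKLMNOPQRSTUVWXYZ
LOWER=abcdefghijklmnopqrstuvwxyz

# rot_n N: rotate letters on stdin forward by N positions (default 13).
rot_n() {
    n=$(( ${1:-13} % 26 ))
    if [ "$n" -lt 0 ]; then n=$(( n + 26 )); fi
    if [ "$n" -eq 0 ]; then cat; return 0; fi
    # SET2 is each alphabet with its first N letters moved to the end.
    up=$(printf %s "$UPPER" | cut -c"$(( n + 1 ))"-)$(printf %s "$UPPER" | cut -c1-"$n")
    lo=$(printf %s "$LOWER" | cut -c"$(( n + 1 ))"-)$(printf %s "$LOWER" | cut -c1-"$n")
    tr "$UPPER$LOWER" "$up$lo"
}

# score_english: count common English words on stdin (crude plaintext test).
score_english() {
    tr 'A-Z' 'a-z' | tr -cs 'a-z' '\n' |
        grep -cxE 'the|is|and|of|to|in|that|it|for|password' || true
}

# guess_shift TEXT: print the forward rotation (0-25) that yields the most
# English-looking output; 0 means the text already reads best as it is.
guess_shift() {
    best=0; best_score=0; s=0
    while [ "$s" -lt 26 ]; do
        sc=$(printf '%s\n' "$1" | rot_n "$s" | score_english)
        if [ "$sc" -gt "$best_score" ]; then best=$s; best_score=$sc; fi
        s=$(( s + 1 ))
    done
    echo "$best"
}

# Constructed samples: ROT13 text, and text encoded with a shift of 3.
sample13='Gur cnffjbeq vf grfg123'
sample3='Wkh nhb lv lq wkh ydxow'
k=$(guess_shift "$sample13")
echo "shift $k: $(printf '%s' "$sample13" | rot_n "$k")"
k=$(guess_shift "$sample3")
echo "shift $k: $(printf '%s' "$sample3" | rot_n "$k")"
```

A reported shift of 23 means the text was encoded with a shift of 3, since the two rotations add up to 26. Short strings with no common words score 0 for every shift, so treat a result of 0 as "no evidence" rather than "not rotated".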


🔗 What's Next?

Level 13 introduces hexadecimal file dumps, another common encoding scheme. You'll learn to work with hex dumps using xxd or hexdump, which is essential for binary file analysis.

Before moving on, make sure you:

  • ✅ Successfully decoded ROT13 data using tr or rot13
  • ✅ Understand how ROT13 works (rotate by 13 positions)
  • ✅ Know that ROT13 is its own inverse
  • ✅ Can recognize ROT13 encoded text
  • ✅ Understand the difference between ROT13 and other encodings

📚 Key Takeaways

After completing Level 12, you should understand:

  1. ROT13 encoding: A simple substitution cipher that rotates letters by 13 positions
  2. rot13 command: Dedicated command for ROT13 (may need installation)
  3. tr command: More common alternative using character translation
  4. ROT13 is reversible: Encoding and decoding are the same operation
  5. Not encryption: ROT13 is obfuscation, not security (easily reversible)

🎯 Quick Reference

Problem           Solution                   Example
Decode ROT13      Use tr                     cat file | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Decode ROT13      Use rot13                  cat file | rot13
Encode ROT13      Same as decode             echo "text" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
Recognize ROT13   Look for rotated letters   Letters rotated, numbers unchanged
Install rot13     Install bsdgames           sudo apt-get install bsdgames

M Square LLC
Cybersecurity | Penetration Testing | No-Nonsense Advice
