RACTF 2020 Crypto - 03

 

03

We are now provided with another cipher, and like 02 and 01, we dont know what cipher is it.

GTHTI UHWSE ESLDL MUSDO RIROA
SRGER TAETL VSSAT OAONT EGESN
EOTNT GWPWI AFLAE OAIYA EAWTT
SMENO LTOTO AIASH RKLIC EEEYO
ESSUR NDBTA TNOES CMORI CEEIW
GDECO HSGEN UISIY EAERE YBEHT
LSRLN ADFHR SNTRM SUACU TTNRH
EWDHA EEIIO RHEND PFOLT TGHSC
DULWT NSNEO IHREG EWDEU IUEMC
APIOI VORFT USTGP OOAOE HEOER
BOEPB DHOBA BEATT ENESE WTBTK
KEIED ICTIR EPOTE LLENO EEPIO
IAAMC ONONY OEHEN ESIMT LFEIV
CEHOR AHSET ETENL EHAPS TRRWE
ISAVR HVGTL BPERI TOKER AIIPO
HNIIC ONIAP BSMMF HAYST UDLYM
NONPA REBTH MLOEH NRTEU ITOCY
GSSIE VOEMR ODTEI IEENI CUOFS
WFUMS TAHSP PCILD OOYUE ENBCE
IAEVO TAEGK FSEAH DLCLE PNTIC
CNPEE TNOLL AITME EOTCH RMRIT
ANANH LWTOU EOECA AHUTO BTRSA
UC

The first thing you should probably try while working with simple ciphers is calculating the index of coincidence, for the given ciphertext it turns out to be 0.06618, pretty close to that of English plaintext at 0.0667. A low IC(around or lower than 0.04) indicates a flatter probability distribution(that is, random text), while a high IC(around or higher than 0.06) indicates either a transposition cipher or a monoalphabetic substitution cipher. The next thing which you can try to be sure is checking letter frequency.

Heading to frequency analysis section of dcode.fr |Letter|Count|Percentage| |:–:|:–:|:–:| |E| 80×|14.49%| |T| 50×|9.06%| |O| 48×|8.7% | |I| 40×|7.25%| |A| 39×|7.07%| |S| 34×|6.16%| |N| 31×|5.62%| |R| 29×|5.25%| |H| 27×|4.89%| |L| 23×|4.17%| |C| 21×|3.8% | |U| 18×|3.26%| |P| 16×|2.9% | |D| 15×|2.72%| |M| 15×|2.72%| |G| 12×|2.17%| |W| 12×|2.17%| |B| 12×|2.17%| |F| 9× |1.63%| |Y| 9× |1.63%| |V| 7× |1.27%| |K| 5× |0.91%|

Comparing the above distribution, one could easily tell that no substitution is involved (hopefully), which means the given thing would be transposition cipher.

Thinking of various transposition ciphers, the first one which comes in mind railfence cipher. Once again, I am asking for help from dcode.fr, and it does help (with removed punctuations and spaces option) to give out plaintext

AGENTGREATWORKWITHTHEFIRSTMESSAGEINEVERWOULDHAVETHOUGHTITWOULDBEASIMPLECAESARCIPHERITLOOKSLIKEEVIL
CORPAREDEFINITELYUPTOSOMETHINGSUSPICIOUSROCCOANDDONNIEBOTHAPPEARTOBESENIORMEMBERSOFTHECOMPANYBOARD
SOTHISCOULDBEREALLYBIGWEMANAGEDTOINTERCEPTANOTHERMESSAGEBETWEENTHEMBUTITLOOKSLIKETHEYVEINCREASED
THEIRSECURITYABITMORETHECRYPTOLOGISTSARESTILLONLEAVEANDNONEOFTHEMARERESPONDINGTOTHEIREMAILIASSUME
WECANCONTINUETOCOUNTONYOUFORTHESEWHENWEFOUNDTHEMESSAGEITCAMEWITHASLIPOFPAPERWHICHIVEINCLUDEDAPHOTO
OFFORYOUALLTHEBESTAGENTBTHESECRETCODEISANUALLEAVEWITHOUTANYSPACES

Key Railfence size 5, offset 3, from bottom
Putting correct spaces, we can read

AGENT GREAT WORK WITH THE FIRST MESSAGE I NEVER WOULD HAVE THOUGHT IT WOULD 
BE A SIMPLE CAESAR CIPHER IT LOOKS LIKE EVIL CORP ARE DEFINITELY UP TO
SOMETHING SUSPICIOUS ROCCO AND DONNIE BOTH APPEAR TO BE SENIOR MEMBERS OF
THE COMPANY BOARD SO THIS COULD BE REALLY BIG WE MANAGED TO INTERCEPT
ANOTHER MESSAGE BETWEEN THE MBUT IT LOOKS LIKE THEY VE INCREASED THEIR
SECURITY A BIT MORE THE CRYPTOLOGISTS ARE STILL ON LEAVE AND NONE OF THEM
ARE RESPONDING TO THEIR EMAIL I ASSUME WE CAN CONTINUE TO COUNT ON YOU FOR
THESE WHEN WE FOUND THE MESSAGE IT CAME WITH A SLIP OF PAPER WHICH I VE
INCLUDED A PHOTO OF FOR YOU ALL THE BEST AGENT B THE SECRET CODE IS
ANUALLEAVE WITHOUT ANYSPACES

And ANUALLEAVE is finally the secret code which we seek

Check this video by @hyperreality for a better analysis

jekyll.environment != "beta" -%}