July 11, 2026
MultiCode | PicoCTF General Skills
Not every challenge is about cracking something mathematically complex. Sometimes the skill being tested is simpler — and more practically…
By Khushbu
3 min read
Not every challenge is about cracking something mathematically complex. Sometimes the skill being tested is simpler — and more practically useful: can you recognise what you're looking at?
This is my writeup for MultiCode, an Easy-rated General Skills challenge from picoCTF 2026.
The Challenge
"We intercepted a suspiciously encoded message, but it's clearly hiding a flag. No encryption, just multiple layers of obfuscation. Can you peel back the layers and reveal the truth?"
One file. message.txt. The challenge was clear about one thing upfront — this wasn't encryption. Just obfuscation. Multiple layers of it, stacked on top of each other.
Step 1 — Read the Message
wget [challenge URL]
cat message.txtwget [challenge URL]
cat message.txtOutput:
NjM3NjcwNjI1MDQ3NTMyNTM3NDI2MTcyNjY2NzcyNzE1ZjcyNjE3MDMwNzE3NjYxNzQ1ZjMxNzEzNzM1NmY3NjM2MzMyNTM3NDQ=NjM3NjcwNjI1MDQ3NTMyNTM3NDI2MTcyNjY2NzcyNzE1ZjcyNjE3MDMwNzE3NjYxNzQ1ZjMxNzEzNzM1NmY3NjM2MzMyNTM3NDQ=Long string. Ends in =. That trailing equals sign is one of the most recognisable patterns in encoding — it almost always means Base64.
Step 2 — Base64 First
I took the string to CyberChef and applied From Base64.
Output — a long string of numbers and letters that looked like hex values running together. No spaces, all characters in the range 0–9 and a-f.
That pattern — characters only from 0–9 and a-f, no other letters — is the visual signature of hexadecimal encoding.
Step 3 — From Hex
Applied From Hex with no delimiter.
Output — a string with percentage signs and encoded characters scattered through it. Things like %70, %69, %63.
Percentage signs followed by two hex digits is the unmistakable pattern of URL encoding — the format used to safely pass special characters through web addresses.
Step 4 :
At this point I had two layers decoded independently — Base64 and Hex — purely from recognising the visual patterns of each output. But the URL-decoded result still wasn't readable flag text.
I looked at the hints.
"The flag has been wrapped in several layers of common encodings such as ROT13, URL encoding, Hex, and Base64. Can you figure out the order to peel them back?"
The hint confirmed URL encoding was in the chain, and also mentioned ROT13. I hadn't tried URL decoding yet — I had stopped one step early. And ROT13 was the final layer I hadn't considered at all.
Step 5 — URL Decode Then ROT13
Applied URL Decode to the output from the Hex step.
Still not readable flag text — but it looked like it was getting close. The structure was almost right but the letters were shifted.
Applied ROT13 — rotates every letter by 13 positions through the alphabet. The simplest possible letter substitution.
Output:
picoCTF{nested_enc0ding_1d75be63}picoCTF{nested_enc0ding_1d75be63}Flag captured.
The Full CyberChef Pipeline
Input → From Base64 → From Hex → URL Decode → ROT13 → FlagInput → From Base64 → From Hex → URL Decode → ROT13 → FlagFour operations, one pipeline, run in sequence. CyberChef's real power is that you can stack these and watch the output change at each step until something readable appears.
What I Actually Learned
1. Encoding has visual fingerprints. Base64 ends in = and uses A-Z, a-z, 0-9, +, /. Hex only uses 0-9 and a-f. URL encoding uses %XX patterns. ROT13 produces readable-but-shifted text. Learning to recognise these on sight is a real and reusable CTF skill.
2. Hints are a tool, not a failure. I solved Base64 and Hex independently by reading the output carefully. When I genuinely got stuck, I used the hint to confirm the remaining layers. That's strategic — using available information efficiently, not cheating. Real security work involves using all available resources, not solving everything in isolation.
3. Obfuscation is not encryption. This challenge made that distinction concrete. None of these layers — Base64, Hex, URL encoding, ROT13 — are cryptographically secure. They're reversible by anyone who recognises them. Real-world data exfiltration sometimes uses exactly this kind of stacking to fool automated scanners that only check one layer deep.
4. CyberChef is genuinely powerful. This is the third challenge where CyberChef has been central to my solve. If you're not using it already — bookmark it. It handles almost every encoding and decoding operation you'll need in CTF work.
Tools Used
wget + cat — downloading and reading the message file in the webshell terminal
CyberChef — four-step decode pipeline (Base64 → Hex → URL Decode → ROT13)
Difficulty
Easy — but teaches pattern recognition that applies everywhere. The hardest part wasn't any individual decode step, it was figuring out the correct order. Two layers I got from reading the output carefully. Two came from the hint. Knowing when to use a hint and when to keep trying independently is its own skill worth developing.
GitHub: github.com/CipherCoded-Dev