
OverTheWire Krypton Walkthrough: Levels 0 to 7 (Cryptography Step by Step)

ducky
2026-05-21

Krypton is OverTheWire's cryptography wargame. Instead of breaking into servers, you break ciphers — starting with simple encodings and working up to classic cryptanalysis. It's the perfect hands-on introduction to how encryption is attacked.

This guide covers the full set of levels step by step, explaining each cipher before solving it.

Krypton's passwords live inside files on the server, so this guide shows the method and commands to recover each one. <pass> means "the password you currently hold."

Connect with SSH (from Level 1 onward):

The challenge files for each level live in /krypton/kryptonX/.


Level 0 → 1 — Base64

Cipher: Base64 encoding (not real encryption — just a reversible text format).

The level page gives you a string like S1JZUFRPTklTR1JFQVQ=. Decode it.

This reveals the password for level 1: KRYPTONISGREAT. Use it to SSH in as krypton1.

Why it works: Base64 only encodes data so it's safe to transmit — anyone can decode it instantly. It is never a substitute for encryption.


Level 1 → 2 — ROT13

Cipher: ROT13 — shift every letter 13 places in the alphabet.

Go to the level folder and read the files. The krypton2 file holds the next password, scrambled with ROT13.

The decoded word is the password for krypton2.

Why it works: ROT13 is its own inverse — applying it twice returns the original. tr simply maps each letter to the one 13 places away.


Level 2 → 3 — Caesar Cipher (with an Encryption Oracle)

Cipher: Caesar — every letter shifted by a fixed, unknown amount.

This folder has an encrypt program that uses a hidden keyfile.dat. We can feed it known plaintext to discover the shift, then reverse it on the target ciphertext (krypton3).

If A became M, the shift is 12. Now decrypt the target by shifting back:

The result is the password for krypton3.

Why it works: Encrypting known plaintext (AAAA…) exposes the secret shift, because you can see exactly where A lands. Once the shift is known, the cipher is trivially reversed. (Adjust the tr mapping to match the shift you found.)
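The oracle trick above, generalised slightly: encrypting the whole alphabet recovers the full letter table, of which a Caesar shift is one case. This is an added example, not code from the original walkthrough; make_oracle is a constructed stand-in for the encrypt program, and the shift of 12 is the text's "A became M" case.

```python
from string import ascii_uppercase as AZ

def make_oracle(shift):
    """Constructed stand-in for the encrypt program; shift plays the role of keyfile.dat."""
    def encrypt(plaintext):
        return "".join(AZ[(AZ.index(c) + shift) % 26] if c in AZ else c
                       for c in plaintext)
    return encrypt

def learn_table(encrypt):
    """Chosen plaintext: encrypt the alphabet once and invert what comes back."""
    image = encrypt(AZ)
    if sorted(image) != list(AZ):
        raise ValueError("oracle is not a one-to-one letter substitution")
    return dict(zip(image, AZ))          # ciphertext letter -> plaintext letter

def caesar_shift(table):
    """Return the shift if the table is a pure rotation, otherwise None."""
    shifts = {(AZ.index(c) - AZ.index(p)) % 26 for c, p in table.items()}
    return shifts.pop() if len(shifts) == 1 else None

def decrypt(ciphertext, table):
    """Apply the learned inverse table; non-letters pass through unchanged."""
    return "".join(table.get(c, c) for c in ciphertext)

ORACLE = make_oracle(12)                 # constructed key: A -> M
TABLE = learn_table(ORACLE)
TARGET = ORACLE("CONSTRUCTED SAMPLE")    # constructed, not the level's file
```

Because learn_table never needs the key, the same 26-letter query breaks any monoalphabetic cipher that exposes an encryption oracle.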


Level 3 → 4 — Substitution Cipher (Frequency Analysis)

Cipher: Monoalphabetic substitution — each letter is swapped for another, consistently.

This time there's no key, but you're given sample ciphertexts (found1, found2, found3). Real text has predictable letter frequencies (E, T, A, O are most common in English), and that lets you crack the mapping.

Map the most frequent ciphertext letters to the most frequent English letters, refine by guessing common words, then apply your substitution to krypton4 to read the password.

Why it works: A substitution cipher preserves letter frequencies, so the statistical "fingerprint" of English leaks straight through. Tools like an online solver (e.g. quipqiup) speed this up.


Level 4 → 5 — Vigenère Cipher (Short Key)

Cipher: Vigenère — a repeating keyword shifts each letter by a different amount, defeating simple frequency analysis.

You're told the key is short, and given ciphertexts encrypted with the same key (found1, found2). First find the key length, then recover the key.

Steps:

  1. Find the key length using the Kasiski examination (look for repeated sequences and the distances between them) or the Index of Coincidence.
  2. Split the ciphertext into columns (every Nth letter) — each column is now a simple Caesar shift.
  3. Frequency-analyse each column to recover each key letter.
  4. Decrypt krypton5 with the full key to get the password.

Why it works: Once you know the key length, a Vigenère cipher collapses into several independent Caesar ciphers — each solvable by frequency analysis. An online Vigenère solver can automate this.


Level 5 → 6 — Vigenère Cipher (Longer Key)

Cipher: Vigenère again, but with a longer key and more ciphertext to analyse (found1 to found3).

The method is identical to Level 4 — only the key is harder to guess by eye, so lean on statistics.

  1. Use the Index of Coincidence to estimate key length reliably.
  2. Break it into per-position Caesar shifts.
  3. Recover the key and decrypt krypton6 for the password.

Why it works: More ciphertext makes the statistics stronger, not weaker — the Index of Coincidence pinpoints the key length, and frequency analysis finishes the job. A solver like the one on dcode.fr handles this in seconds.
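The procedure from Levels 4 and 5 (Index of Coincidence for the key length, then a frequency fit per column), as an added example that is not part of the original walkthrough. The sample text and the key LEMON are constructed, and chi-squared fitting is one way to do the per-column frequency analysis.

```python
from collections import Counter
from string import ascii_uppercase as AZ

# English letter frequencies in percent, A..Z (standard reference values).
ENGLISH = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
           6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

def vigenere(text, key, sign=1):
    """Shift each letter by the repeating key; sign=-1 decrypts."""
    return "".join(AZ[(AZ.index(c) + sign * AZ.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(text))

def ioc(text):
    """Index of Coincidence: probability that two letters drawn from text match."""
    n = len(text)
    return sum(v * (v - 1) for v in Counter(text).values()) / (n * (n - 1))

def key_length(ct, max_len=12, threshold=0.055):
    """Smallest period whose columns score like English (~0.066), not like a mix."""
    for n in range(1, max_len + 1):
        if sum(ioc(ct[i::n]) for i in range(n)) / n > threshold:
            return n
    raise ValueError("no period found; more ciphertext is needed")

def column_shift(col):
    """Caesar shift whose decryption fits English best (lowest chi-squared)."""
    def chi2(shift):
        seen = Counter((AZ.index(c) - shift) % 26 for c in col)
        return sum((seen[i] - len(col) * f / 100) ** 2 / (len(col) * f / 100)
                   for i, f in enumerate(ENGLISH))
    return min(range(26), key=chi2)

def recover_key(ct):
    """Key length first, then one Caesar solve per column."""
    n = key_length(ct)
    return "".join(AZ[column_shift(ct[i::n])] for i in range(n))

# Constructed sample text and key (not the level's files or its key).
TEXT = ("the security of a cipher should never depend on keeping the method secret because the "
        "method always leaks in the end. what must stay secret is the key and the key must be long "
        "enough and random enough that nobody can guess it or find it by counting letters. a short "
        "keyword that repeats over and over leaves a regular pattern in the ciphertext and that "
        "pattern is what the analyst looks for. when the same letters of the message meet the same "
        "letters of the keyword the result repeats and the distance between the repeats tells us "
        "the length of the keyword. after that every column of the text is just a simple shift and "
        "the most common letter in each column points straight at the letter of the key used there.")
PLAIN = "".join(c for c in TEXT.upper() if c in AZ)
CIPHERTEXT = vigenere(PLAIN, "LEMON")
```

key_length returns the smallest period that clears the threshold, so a multiple of the true key length (10 for a 5-letter key) is never picked first.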


Level 6 → 7 — Stream Cipher (The Final Challenge)

Cipher: A custom stream cipher (LFSR-style keystream). This is the toughest level.

You're given an encrypt6 program (an encryption oracle) plus sample files. The trick is to use the oracle to recover the keystream, then use that keystream to decrypt the target.

Because the keystream repeats with a fixed period, encrypting a long block of identical characters reveals the keystream. Once you have it, subtract/XOR it from the krypton7 ciphertext to recover the final password.

Why it works: A weak stream cipher reuses (or quickly repeats) its keystream. Encrypting known plaintext lets you isolate that keystream — and a reused keystream means the cipher is broken.
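The keystream recovery described above, as an added example that is not code from the original walkthrough or from the encrypt6 program. The oracle here is a constructed stand-in: it assumes letters are added mod 26 to the output of a small LFSR that restarts from the same state on every call.

```python
from string import ascii_uppercase as AZ

def make_oracle():
    """Constructed stand-in for encrypt6 (assumed design, see lead-in)."""
    def keystream():
        state = 0b1001                             # 4-bit LFSR, period 15
        while True:
            yield state
            bit = (state ^ (state >> 1)) & 1       # feedback from the two low bits
            state = (state >> 1) | (bit << 3)
    def encrypt(plaintext):
        ks = keystream()                           # same keystream for every message
        return "".join(AZ[(AZ.index(c) + next(ks)) % 26] for c in plaintext)
    return encrypt

def recover_keystream(encrypt, probe_len=120):
    """Encrypt a run of 'A' (value 0) so the output letters are the keystream,
    then return one period of it."""
    stream = [AZ.index(c) for c in encrypt("A" * probe_len)]
    # Confirm the cipher is additive: a run of 'B' must be the same stream plus 1.
    if [AZ.index(c) for c in encrypt("B" * probe_len)] != [(k + 1) % 26 for k in stream]:
        raise ValueError("oracle is not a plain additive stream cipher")
    for period in range(1, probe_len // 2 + 1):
        if all(stream[i] == stream[i + period] for i in range(probe_len - period)):
            return stream[:period]
    raise ValueError("no repeat seen; send a longer probe")

def decrypt(ciphertext, keystream):
    """Subtract the repeating keystream from each ciphertext letter."""
    return "".join(AZ[(AZ.index(c) - keystream[i % len(keystream)]) % 26]
                   for i, c in enumerate(ciphertext))

ORACLE = make_oracle()
KEYSTREAM = recover_keystream(ORACLE)
TARGET = ORACLE("CONSTRUCTEDSAMPLE")               # constructed, stands in for krypton7
```

The break depends only on the keystream restarting identically for each message, which is why real stream ciphers require a fresh nonce per encryption.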


Level 7 — The Finish Line

Recovering the password from Level 6 completes Krypton. 🎉

You've finished Krypton — and worked through the entire history of classical cryptography, from encodings to stream ciphers.


Ciphers You Cracked

Level  Cipher            How you broke it
0      Base64            Decode it
1      ROT13             Shift back 13
2      Caesar            Known-plaintext oracle
3      Substitution      Frequency analysis
4      Vigenère (short)  Kasiski + frequency
5      Vigenère (long)   Index of Coincidence
6      Stream cipher     Keystream recovery

Key Lessons

  • Encoding ≠ encryption. Base64 and ROT13 hide nothing.
  • Known-plaintext attacks are powerful: if you can encrypt your own data, you can often recover the key.
  • Frequency analysis breaks any cipher that preserves letter statistics.
  • Key reuse — in Vigenère or stream ciphers — is one of the deadliest mistakes in cryptography.
  • Modern, properly-used algorithms (AES, etc.) exist precisely because every cipher above is breakable.

Helpful Tools

  • base64, tr, sort | uniq -c for quick command-line work.
  • Online solvers: dcode.fr (Vigenère, Caesar, frequency analysis) and quipqiup (substitution).
  • xxd and short Python scripts for XOR/keystream maths on the final level.

For educational use only. OverTheWire wargames are built for safe, legal, hands-on learning.
