extensions picoCTF 2019 Solution

Published: April 2, 2026

Description

This is a really weird text file TXT? Can you find the flag? Download flag.txt.

Download flag.txt from the challenge page.

Solution

  1. Step 1
    Check the true file type
    Observation
    I noticed the challenge described flag.txt as a 'really weird text file,' which suggested its extension might not reflect its actual format, so I ran the file command to inspect the magic bytes and determine the true file type.
    The file command reads the magic bytes at the start of a file to determine its actual format, ignoring the extension. Running it on flag.txt reveals it is actually a PNG image, not a text file.
    bash
    file flag.txt

    Expected output

    flag.txt: PNG image data, 1400 x 2100, 8-bit/color RGBA, non-interlaced
    What didn't work first

    Tried: Open flag.txt directly in a text editor to read the flag

    A text editor renders the raw bytes as characters, so the PNG magic bytes and binary data appear as garbled symbols or empty space - no readable flag. The flag is encoded visually in the image pixels, not as ASCII text in the file body.

    Tried: Run strings flag.txt hoping the flag is embedded as a readable string

    strings extracts printable ASCII sequences from any binary, but the flag in this challenge is drawn into the PNG image as visible text rather than stored as a raw ASCII string in the file data. The PNG pixel data is compressed and filtered, so strings produces only noise from metadata fields.

    Learn more

    The file command determines a file's type by reading its magic bytes - a special byte sequence at the very beginning of the file that identifies its format. Most file formats define a unique signature: JPEG files start with FF D8 FF, PNG files start with 89 50 4E 47 0D 0A 1A 0A (which is \x89PNG\r\n\x1a\n), ZIP files start with 50 4B 03 04, and so on.

    File extensions are merely naming conventions - operating systems use them as hints to associate files with applications, but they carry no enforcement. Any file can be renamed with any extension regardless of its actual content. The file command bypasses the extension entirely and inspects the actual bytes, making it a reliable first step when analyzing unknown files in CTF challenges.

    This mismatch between name and content is a classic CTF technique and a real-world security concern. Attackers sometimes rename malicious executables with innocent extensions (e.g., .jpg, .pdf) to bypass naive filters. Security tools and antivirus scanners always inspect file content rather than relying solely on extensions.

  2. Step 2
    Rename the file and open it
    Observation
    I noticed the file command identified flag.txt as a PNG image, which suggested renaming it with the correct .png extension so that an image viewer could open it and display the flag visually.
    Rename the file to give it a .png extension so your image viewer will open it correctly. The flag is visible in the image.
    bash
    mv flag.txt flag.png
    bash
    eog flag.png
    What didn't work first

    Tried: Try to open flag.txt directly with eog or another image viewer without renaming first

    Most image viewers key off the file extension or MIME type when deciding how to interpret the file. eog may refuse to open a .txt file or display an error saying the format is not supported, even though the bytes are valid PNG. Renaming to .png signals the correct format to the viewer.

    Tried: Use xxd or hexdump to manually read the pixel data looking for the flag bytes

    PNG stores pixel data in a DEFLATE-compressed and filtered format, not as raw readable bytes. Manually reading the hex output would show compressed binary data with no recognizable flag pattern. The correct approach is to decode the PNG normally with an image viewer and read the flag as displayed text in the image.

    Learn more

    Once the true file type is confirmed, giving the file the correct extension allows standard tools to open it properly. On Linux, eog (Eye of GNOME) is the default GNOME image viewer. Alternatives include feh, display (ImageMagick), xdg-open (which picks the system default), or simply opening the file in a web browser with firefox flag.png.

    The mv command renames files in place on the same filesystem - no data is copied. If you want to preserve the original while also having a renamed copy, use cp flag.txt flag.png instead. In CTF work, it's usually fine to rename directly since you can always re-download the original from the challenge server.

    For future challenges: whenever a file's content doesn't match its extension, or it refuses to open properly, always run file on it first. This habit reveals hidden formats and is one of the most consistently useful reflexes in forensics and reversing challenges.

Interactive tools
  • File Magic Identifier: Identify file types from magic numbers. Paste hex bytes or drop a file to detect PNG, JPEG, ZIP, PDF, ELF, PCAP, SQLite, and dozens of other formats.

Flag

picoCTF{now_you_know_about_extensions}

File extensions are just naming conventions - the actual file type is determined by magic bytes (the file signature) at the start of the file.

Key takeaway

Every binary file format embeds a magic byte signature at its start that unambiguously identifies the format regardless of what the filename says. File extensions are naming conventions for user convenience only; any filter or parser that trusts them without also inspecting content can be bypassed by a trivial rename. In malware analysis and forensic triage, reading magic bytes is always the first step when the declared type seems suspicious.
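A content-versus-extension check of the kind this takeaway calls for, as an added example (it is not code from the original writeup or from the file utility). It uses only the three signatures quoted above and decodes the PNG IHDR chunk to recover the dimensions that file reported; the function names and the sample bytes are constructed for illustration.

```python
import struct
import zlib
from pathlib import Path

# Signatures quoted in the writeup, mapped to the extensions that normally carry them.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("PNG", {".png"}),
    b"\xff\xd8\xff": ("JPEG", {".jpg", ".jpeg"}),
    b"PK\x03\x04": ("ZIP", {".zip"}),
}
COLOR_TYPES = {0: "gray", 2: "RGB", 3: "colormap", 4: "gray+alpha", 6: "RGBA"}


def sniff(data: bytes):
    """Return (format_name, expected_extensions) from leading bytes, or (None, set())."""
    for magic, (name, exts) in SIGNATURES.items():
        if data.startswith(magic):
            return name, exts
    return None, set()


def png_header(data: bytes) -> str:
    """Decode the IHDR chunk that must directly follow the 8-byte PNG signature."""
    if len(data) < 33 or data[8:16] != struct.pack(">I", 13) + b"IHDR":
        raise ValueError("PNG signature present but IHDR chunk is missing or malformed")
    body, (crc,) = data[16:29], struct.unpack(">I", data[29:33])
    if zlib.crc32(b"IHDR" + body) != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, color, _c, _f, interlace = struct.unpack(">IIBBBBB", body)
    mode = "interlaced" if interlace else "non-interlaced"
    return f"{width} x {height}, {depth}-bit {COLOR_TYPES.get(color, '?')}, {mode}"


def check(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes say."""
    name, exts = sniff(data)
    ext = Path(filename).suffix.lower()
    detail = png_header(data) if name == "PNG" else ""
    return {"detected": name, "detail": detail,
            "mismatch": name is not None and ext not in exts}


# Constructed sample: PNG signature plus an IHDR chunk with the size `file` reported.
_ihdr = struct.pack(">IIBBBBB", 1400, 2100, 8, 6, 0, 0, 0)
SAMPLE = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR" + _ihdr
          + struct.pack(">I", zlib.crc32(b"IHDR" + _ihdr)))

if __name__ == "__main__":
    print(check("flag.txt", SAMPLE))
```

A file whose leading bytes match none of the three signatures is reported as undetected rather than as a mismatch, so a real filter would need a fuller signature table or an explicit allowlist.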
