Description
This is a really weird text file TXT? Can you find the flag? Download flag.txt.
Setup
Download flag.txt from the challenge page.
Solution
Step 1
Check the true file type
Observation
I noticed the challenge described flag.txt as a 'really weird text file,' which suggested its extension might not reflect its actual format, so I ran the file command to inspect the magic bytes and determine the true file type.
The file command reads the magic bytes at the start of a file to determine its actual format, ignoring the extension. Running it on flag.txt reveals it is actually a PNG image, not a text file.
    file flag.txt
Expected output
flag.txt: PNG image data, 1400 x 2100, 8-bit/color RGBA, non-interlaced
What didn't work first
Tried: Open flag.txt directly in a text editor to read the flag
A text editor renders the raw bytes as characters, so the PNG magic bytes and binary data appear as garbled symbols or empty space - no readable flag. The flag is encoded visually in the image pixels, not as ASCII text in the file body.
Tried: Run strings flag.txt hoping the flag is embedded as a readable string
strings extracts printable ASCII sequences from any binary, but the flag in this challenge is drawn into the PNG image as visible text rather than stored as a raw ASCII string in the file data. The PNG pixel data is compressed and filtered, so strings produces only noise from metadata fields.
Learn more
The file command determines a file's type by reading its magic bytes - a special byte sequence at the very beginning of the file that identifies its format. Most file formats define a unique signature: JPEG files start with FF D8 FF, PNG files start with 89 50 4E 47 0D 0A 1A 0A (which is \x89PNG\r\n\x1a\n), ZIP files start with 50 4B 03 04, and so on.
File extensions are merely naming conventions - operating systems use them as hints to associate files with applications, but they carry no enforcement. Any file can be renamed with any extension regardless of its actual content. The file command bypasses the extension entirely and inspects the actual bytes, making it a reliable first step when analyzing unknown files in CTF challenges.
This mismatch between name and content is a classic CTF technique and a real-world security concern. Attackers sometimes rename malicious executables with innocent extensions (e.g., .jpg, .pdf) to bypass naive filters. Security tools and antivirus scanners always inspect file content rather than relying solely on extensions.
Step 2
Rename the file and open it
Observation
I noticed the file command identified flag.txt as a PNG image, which suggested renaming it with the correct .png extension so that an image viewer could open it and display the flag visually.
Rename the file to give it a .png extension so your image viewer will open it correctly. The flag is visible in the image.
    mv flag.txt flag.png
    eog flag.png
What didn't work first
Tried: Try to open flag.txt directly with eog or another image viewer without renaming first
Most image viewers key off the file extension or MIME type when deciding how to interpret the file. eog may refuse to open a .txt file or display an error saying the format is not supported, even though the bytes are valid PNG. Renaming to .png signals the correct format to the viewer.
Tried: Use xxd or hexdump to manually read the pixel data looking for the flag bytes
PNG stores pixel data in a DEFLATE-compressed and filtered format, not as raw readable bytes. Manually reading the hex output would show compressed binary data with no recognizable flag pattern. The correct approach is to decode the PNG normally with an image viewer and read the flag as displayed text in the image.
Learn more
Once the true file type is confirmed, giving the file the correct extension allows standard tools to open it properly. On Linux, eog (Eye of GNOME) is the default GNOME image viewer. Alternatives include feh, display (ImageMagick), xdg-open (which picks the system default), or simply opening the file in a web browser with firefox flag.png.
The mv command renames files in place on the same filesystem - no data is copied. If you want to preserve the original while also having a renamed copy, use cp flag.txt flag.png instead. In CTF work, it's usually fine to rename directly since you can always re-download the original from the challenge server.
For future challenges: whenever a file's content doesn't match its extension, or it refuses to open properly, always run file on it first. This habit reveals hidden formats and is one of the most consistently useful reflexes in forensics and reversing challenges.
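What the file command did in Step 1 can be reproduced by hand: match the leading bytes against the signatures listed above, then decode the PNG IHDR chunk to recover the dimensions and colour type. This is an added example, not part of the original walkthrough; the function names (sniff, describe_png, extension_mismatch) are hypothetical and the sample bytes are constructed, not taken from the challenge file.

```python
import struct

# Signatures quoted on this page (PNG, JPEG, ZIP) mapped to a canonical extension.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",
}
COLOR_TYPES = {0: "gray", 2: "RGB", 3: "colormap", 4: "gray+alpha", 6: "RGBA"}


def sniff(data):
    """Return the format implied by the leading bytes, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def describe_png(data):
    """Decode the 13-byte IHDR chunk that must follow the 8-byte PNG signature."""
    if sniff(data) != "png":
        raise ValueError("not a PNG signature")
    # Chunk header: 4-byte big-endian length (13) followed by the tag "IHDR".
    if len(data) < 29 or data[8:16] != struct.pack(">I4s", 13, b"IHDR"):
        raise ValueError("PNG signature present but IHDR is missing or malformed")
    width, height, depth, color, _comp, _filt, interlace = struct.unpack(
        ">IIBBBBB", data[16:29])
    return "PNG image data, %d x %d, %d-bit/color %s, %s" % (
        width, height, depth, COLOR_TYPES.get(color, "unknown"),
        "interlaced" if interlace else "non-interlaced")


def extension_mismatch(filename, data):
    """True when a recognised signature disagrees with the file's extension."""
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = "jpg" if ext == "jpeg" else ext
    return kind is not None and kind != ext


# Constructed sample: signature plus IHDR with the dimensions reported in Step 1.
# The CRC and compressed image data are omitted; this is not the challenge file.
SAMPLE = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I4s", 13, b"IHDR")
          + struct.pack(">IIBBBBB", 1400, 2100, 8, 6, 0, 0, 0))

if __name__ == "__main__":
    print(describe_png(SAMPLE))
    print("flag.txt mismatch:", extension_mismatch("flag.txt", SAMPLE))
```

The same extension_mismatch check is what an upload filter should apply instead of trusting the filename.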
Flag
picoCTF{now_you_know_about_extensions}
File extensions are just naming conventions - the actual file type is determined by magic bytes (the file signature) at the start of the file.