extensions

Published: April 2, 2026

Description

This is a really weird text file TXT? Can you find the flag? Download flag.txt.

Download flag.txt from the challenge page.

Solution

  1. Step 1: Check the true file type
    The file command reads the magic bytes at the start of a file to determine its actual format, ignoring the extension. Running it on flag.txt reveals it is actually a PNG image, not a text file.
    file flag.txt

    The file command determines a file's type by reading its magic bytes -- a special byte sequence at the very beginning of the file that identifies its format. Most file formats define a unique signature: JPEG files start with FF D8 FF, PNG files start with 89 50 4E 47 0D 0A 1A 0A (which is \x89PNG\r\n\x1a\n), ZIP files start with 50 4B 03 04, and so on.

    File extensions are merely naming conventions -- operating systems use them as hints to associate files with applications, but they carry no enforcement. Any file can be renamed with any extension regardless of its actual content. The file command bypasses the extension entirely and inspects the actual bytes, making it a reliable first step when analyzing unknown files in CTF challenges.

    This mismatch between name and content is a classic CTF technique and a real-world security concern. Attackers sometimes rename malicious executables with innocent extensions (e.g., .jpg, .pdf) to bypass naive filters. Security tools and antivirus scanners always inspect file content rather than relying solely on extensions.

  2. Step 2: Rename the file and open it
    Rename the file to give it a .png extension so your image viewer will open it correctly. The flag is visible in the image.
    mv flag.txt flag.png
    eog flag.png

    Once the true file type is confirmed, giving the file the correct extension allows standard tools to open it properly. On Linux, eog (Eye of GNOME) is the default GNOME image viewer. Alternatives include feh, display (ImageMagick), xdg-open (which picks the system default), or simply opening the file in a web browser with firefox flag.png.

    The mv command renames files in place on the same filesystem -- no data is copied. If you want to preserve the original while also having a renamed copy, use cp flag.txt flag.png instead. In CTF work, it's usually fine to rename directly since you can always re-download the original from the challenge server.

    For future challenges: whenever a file's content doesn't match its extension, or it refuses to open properly, always run file on it first. This habit reveals hidden formats and is one of the most consistently useful reflexes in forensics and reversing challenges.
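
The signature check described in Step 1, as an added example that is not part of the original write-up: it matches the three signatures quoted above, flags a name whose extension disagrees with the content, and goes one step past the write-up by validating the CRC of the PNG IHDR chunk. The extension mapping and the constructed 33-byte sample header are assumptions made for illustration.

```python
import struct
import zlib
from pathlib import Path

# Signatures quoted in the write-up above.
SIGNATURES = {
    "png": bytes.fromhex("89504e470d0a1a0a"),
    "jpeg": bytes.fromhex("ffd8ff"),
    "zip": bytes.fromhex("504b0304"),
}
# Assumed mapping from detected format to acceptable extensions.
EXTENSIONS = {"png": {".png"}, "jpeg": {".jpg", ".jpeg"}, "zip": {".zip"}}

def sniff(data: bytes):
    """Return the format whose signature prefixes data, or None if unknown."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def png_ihdr(data: bytes):
    """Return (width, height) if a valid IHDR chunk follows the signature, else None."""
    if len(data) < 33 or not data.startswith(SIGNATURES["png"]):
        return None
    length, ctype = struct.unpack(">I4s", data[8:16])
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    # The CRC-32 of a PNG chunk covers the chunk type and the chunk data.
    if length != 13 or ctype != b"IHDR" or zlib.crc32(ctype + body) != crc:
        return None
    return struct.unpack(">II", body[:8])

def check(name: str, data: bytes):
    """Flag a known signature whose format disagrees with the extension in name."""
    detected = sniff(data)
    ext = Path(name).suffix.lower()
    mismatch = detected is not None and ext not in EXTENSIONS[detected]
    return {"detected": detected, "extension": ext, "mismatch": mismatch}

def make_png_header(width: int, height: int) -> bytes:
    """Constructed sample: PNG signature plus IHDR only (not a viewable image)."""
    body = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(b"IHDR" + body))
    return SIGNATURES["png"] + struct.pack(">I4s", 13, b"IHDR") + body + crc

if __name__ == "__main__":
    sample = make_png_header(640, 480)  # constructed input, named like the challenge file
    print(check("flag.txt", sample), png_ihdr(sample))
```

Content with no known signature, such as a genuine text file, is reported with detected set to None and is not flagged as a mismatch.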

Flag

picoCTF{...}

File extensions are just naming conventions -- the actual file type is determined by magic bytes (the file signature) at the start of the file.
