Glory of the Garden

Published: April 2, 2026

Description

Here is a garden. See if you can find what is growing in it. Download garden.jpg.


Solution

  1. Step 1: Search for printable strings in the image
    The flag is appended as a plain ASCII string after the JPEG's End of Image (EOI) marker. Image viewers stop reading at EOI and never display the appended data. The strings utility reads the entire file and the flag shows up as a readable string near the end.
    strings garden.jpg | grep picoCTF

    The strings utility scans any file (binary or otherwise) and extracts sequences of printable ASCII characters that are at least 4 characters long (by default). It ignores all non-printable bytes and outputs the readable sequences. This makes it incredibly useful for inspecting compiled executables, images, audio files, and other binary formats for embedded text like flags, error messages, version strings, hardcoded credentials, and debug symbols.

    JPEG file structure: A JPEG file is organized into segments, each beginning with a two-byte marker. The End of Image (EOI) marker is FF D9 and marks the end of valid JPEG data. Image decoders and viewers stop parsing at this point. Any bytes after FF D9 are invisible to image viewers but fully present in the file -- making this a simple data-appending steganography technique.

    Combining strings with grep is a powerful pattern: strings extracts all readable text, then grep filters for the specific pattern you need. For forensics challenges where you don't know the exact pattern, run strings file alone and scroll through the output for anything suspicious. Useful flags to know:

    • strings -n 8 file -- only show strings of length 8 or more (reduces noise)
    • strings -e l file -- scan for 16-bit little-endian strings (useful for Windows PE files)
    • strings -t x file -- show each string's hex offset in the file
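
The JPEG structure described above can be checked directly by walking the segments to the real EOI and carving whatever follows it. This is an added example, not part of the original write-up; the function names and the sample bytes (including the placeholder flag) are constructed for illustration. A segment walk matters because a plain search for FF D9 can stop early on a thumbnail embedded in an APPn segment.

```python
import re
import struct

def find_eoi_end(data: bytes) -> int:
    """Walk JPEG segments and return the offset just past the real EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker (FF D8)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, marker follows
            pos += 1
        elif marker == 0xD9:                    # EOI of the primary image
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                            # TEM / RSTn carry no length
        else:
            if pos + 4 > len(data):
                break                           # truncated segment header
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            if length < 2:
                raise ValueError(f"bad segment length at offset {pos:#x}")
            pos += 2 + length                   # skips APPn payloads whole
            if marker == 0xDA:                  # SOS: entropy-coded data follows
                while pos + 1 < len(data) and not (
                    data[pos] == 0xFF
                    and data[pos + 1] != 0x00   # FF 00 is a stuffed data byte
                    and not 0xD0 <= data[pos + 1] <= 0xD7  # restart markers
                ):
                    pos += 1
    raise ValueError("no EOI marker found")

def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the image, which viewers never display."""
    return data[find_eoi_end(data):]

def printable_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII, roughly what `strings -n min_len` reports."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

# Constructed sample (not garden.jpg): SOI, an APP1 segment holding a fake
# thumbnail with its own FF D9, a short scan, the real EOI, then a trailer.
THUMB = b"\xff\xd8thumb\xff\xd9"
TRAILER = b"\x00picoCTF{constructed_sample}\n"
SAMPLE = (b"\xff\xd8"
          + b"\xff\xe1" + struct.pack(">H", 2 + len(THUMB)) + THUMB
          + b"\xff\xda\x00\x03\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
          + b"\xff\xd9" + TRAILER)

if __name__ == "__main__":
    print(printable_strings(trailing_data(SAMPLE)))
```

A non-empty result from `trailing_data` on an image is itself worth flagging during triage, whether or not it contains readable text.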

Flag

picoCTF{...}

Data appended after a JPEG's EOI marker is ignored by image viewers but fully visible to strings -- a common simple steganography technique.
