Description
Here is a garden. See if you can find what is growing in it. Download garden.jpg.
Setup
Download garden.jpg from the challenge page.
Solution
Step 1: Search for printable strings in the image

The flag is appended as a plain ASCII string after the JPEG's End of Image (EOI) marker. Image viewers stop reading at EOI and never display the appended data. The `strings` utility reads the entire file and the flag shows up as a readable string near the end.

```bash
strings garden.jpg | grep picoCTF
```

The `strings` utility scans any file (binary or otherwise) and extracts sequences of printable ASCII characters that are at least 4 characters long (by default). It ignores all non-printable bytes and outputs the readable sequences. This makes it incredibly useful for inspecting compiled executables, images, audio files, and other binary formats for embedded text like flags, error messages, version strings, hardcoded credentials, and debug symbols.

JPEG file structure: A JPEG file is organized into segments, each beginning with a two-byte marker. The End of Image (EOI) marker is `FF D9` and signals the last byte of valid JPEG data. Image decoders and viewers stop parsing at this point. Any bytes after `FF D9` are invisible to image viewers but fully present in the file - making this a simple data-appending steganography technique.

Combining `strings` with `grep` is a powerful pattern: `strings` extracts all readable text, then `grep` filters for the specific pattern you need. For forensics challenges where you don't know the exact pattern, run `strings file` alone and scroll through the output for anything suspicious. Useful flags to know:

- `strings -n 8 file`: only show strings of length 8 or more (reduces noise)
- `strings -e l file`: scan for 16-bit little-endian strings (useful for Windows PE files)
- `strings -t x file`: show each string's hex offset in the file

Other common data-appending techniques in steganography and CTF challenges include appending data after the end of ZIP files (ZIP parsers read the central directory from the end of the file, so prepended data is ignored), after PDF `%%EOF` markers, and after PNG `IEND` chunks. The general principle is that file parsers for any format only read bytes they expect according to the format spec - anything outside that range is invisible to the application but present on disk.

`binwalk` is a specialized tool that scans a file for embedded file signatures and can extract them automatically: `binwalk -e suspicious_image.jpg`.

Steghide and LSB steganography are the next level up from simple data appending. LSB (Least Significant Bit) steganography modifies the least significant bit of each pixel's color channels to store hidden bits. Since the visual change per pixel is only 1/256th of the color range, the modified image is visually indistinguishable from the original. A 1920x1080 image with RGB channels can hide approximately (1920 * 1080 * 3) / 8 = ~777KB of data this way. Tools like `steghide`, `stegsolve`, and `zsteg` can both embed and extract LSB-hidden content.

When no flag is visible with `strings`, try additional forensics steps in order: run `binwalk -e` to extract embedded files; use `exiftool` to check all metadata fields; open the file in a hex editor and look at the first and last 100 bytes; try `steghide extract -sf image.jpg` with an empty password; run `zsteg image.png` for PNG-specific LSB analysis. In CTF competitions, forensics challenges often layer multiple hiding techniques, so exhausting all quick checks before moving to manual analysis saves time and avoids missing an obvious solution.
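
To isolate the appended bytes without knowing the flag prefix, the sketch below walks the JPEG segments to the real EOI and returns whatever follows it; a plain search for `FF D9` can stop early at the EOI of an embedded EXIF thumbnail. This is an added example, not part of the original writeup: the function names are my own, and `SAMPLE` is a constructed byte string (not a decodable image) with a constructed flag.

```python
import re

# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

def find_eoi(data: bytes) -> int:
    """Walk the JPEG segments and return the offset just past the real EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # End of Image
            return pos + 2
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2:
            raise ValueError(f"bad segment length at offset {pos:#x}")
        pos += 2 + length                       # also skips any EXIF thumbnail
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            # In scan data, FF 00 is a stuffed byte and FF D0-D7 are restarts.
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] not in (0x00, 0xFF)
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    raise ValueError("no EOI marker found (truncated file?)")

def trailing_data(data: bytes) -> bytes:
    """Bytes stored after the image, which viewers never read."""
    return data[find_eoi(data):]

def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, the same idea as the strings utility."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return [r.decode("ascii") for r in runs]

# Constructed sample: SOI, APP1 holding a stand-in thumbnail, SOS, scan data, EOI, flag.
_APP1 = b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"
SAMPLE = (b"\xff\xd8\xff\xe1" + (len(_APP1) + 2).to_bytes(2, "big") + _APP1
          + b"\xff\xda\x00\x03\x00" + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9"
          + b"picoCTF{constructed_sample}\n")

if __name__ == "__main__":
    print(find_eoi(SAMPLE), printable_strings(trailing_data(SAMPLE)))
```

On a real file, pass `open("garden.jpg", "rb").read()` to `trailing_data`; a non-empty result on an image that should end at EOI is worth inspecting.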
Flag
picoCTF{...}
Data appended after a JPEG's EOI marker is ignored by image viewers but fully visible to strings - a common simple steganography technique.