Investigative Reversing 0 picoCTF 2019 Solution

Published: April 2, 2026

Description

Download the mystery binary and mystery.png. Run the binary on the PNG to find the hidden flag.

Download both files: the mystery binary and mystery.png.

```bash
wget <url>/mystery
wget <url>/mystery.png
chmod +x mystery
```
  1. Step 1: Run the binary on the PNG
    Execute mystery with mystery.png as input. The binary reads the PNG and either produces an output file or modifies mystery.png in place to hide the flag using steganography.
    ```bash
    ./mystery mystery.png
    ```

    Image steganography hides data within image files by modifying pixel values in ways that are invisible to the naked eye. A common technique is LSB (Least Significant Bit) steganography, which encodes data in the lowest bit of each color channel, changing pixel values by at most 1.

  2. Step 2: Analyze the binary in Ghidra
    Open mystery in Ghidra. Find where it reads the PNG and where it writes hidden data. Understand which bytes or bits are modified and how the flag is encoded into the image.
    ```bash
    file mystery
    ghidra mystery &
    ```

    The binary likely uses libpng to read the PNG, then modifies specific bytes in the pixel data array before writing the output. The modification encodes the flag bytes using bit manipulation.

  3. Step 3: Extract the hidden data
    Based on the Ghidra analysis, write a Python script to extract the encoded flag from the PNG pixel data.
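    ```python
    python3 << 'EOF'
    from PIL import Image

    # Normalise to RGB so every pixel is an (R, G, B) tuple, even when the
    # PNG is stored as greyscale or with a palette
    img = Image.open('mystery.png').convert('RGB')
    pixels = list(img.getdata())

    # Extract LSB from each pixel's red channel (example)
    bits = ''
    for px in pixels:
        bits += str(px[0] & 1)

    # Group into bytes (most significant bit first), stopping at the first NUL
    flag = ''
    for i in range(0, len(bits) - 7, 8):
        byte = int(bits[i:i+8], 2)
        if byte == 0:
            break
        flag += chr(byte)

    print(flag)
    EOF
    ```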

    Python Pillow (PIL) provides easy access to image pixel data. img.getdata() returns a flat sequence of pixels in row-major order. For RGB images each pixel is an (R, G, B) tuple. The LSB of each component can encode one bit of hidden data.
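
To check the extraction logic from Step 3 before pointing it at the challenge file, the following added example (not part of the original writeup) runs an LSB round trip on constructed pixel data and measures which channels change and by how much. The function names, the cover image and the sample string are assumptions made for illustration; the scheme the real binary uses has to come from the Ghidra analysis.

```python
# Added example: LSB round trip on constructed pixel data (no Pillow needed).
# Assumption: red-channel LSB, MSB-first bits, NUL terminator, matching the
# extraction script in Step 3; the real binary's scheme may differ.

def embed_lsb(pixels, message, channel=0):
    """Return a copy of pixels with message (plus NUL) in one channel's LSBs."""
    data = message.encode("latin-1") + b"\x00"
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small: need %d pixels" % len(bits))
    out = list(pixels)
    for idx, bit in enumerate(bits):
        px = list(out[idx])
        px[channel] = (px[channel] & ~1) | bit   # clear the LSB, then set it
        out[idx] = tuple(px)
    return out

def extract_lsb(pixels, channel=0):
    """Rebuild bytes MSB-first from one channel's LSBs, stopping at NUL."""
    out = bytearray()
    for i in range(0, len(pixels) - 7, 8):
        byte = 0
        for px in pixels[i:i + 8]:
            byte = (byte << 1) | (px[channel] & 1)
        if byte == 0:
            break
        out.append(byte)
    return out.decode("latin-1")

def changed_channels(before, after):
    """Per channel: (number of changed pixels, largest absolute change)."""
    stats = []
    for ch in range(len(before[0])):
        deltas = [abs(a[ch] - b[ch]) for a, b in zip(before, after)]
        stats.append((sum(1 for d in deltas if d), max(deltas)))
    return stats

# Constructed 16x16 RGB cover image (a gradient), not the challenge file.
COVER = [((x * 16 + y) % 256, (x * 7) % 256, (y * 13) % 256)
         for y in range(16) for x in range(16)]
SECRET = "picoCTF{not_the_real_flag}"   # constructed sample, not the flag

if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    print(changed_channels(COVER, stego))  # only the red channel moves
    print(extract_lsb(stego))
```

The same changed_channels comparison can be run on pixel lists loaded from a saved copy of mystery.png and the file produced by the binary, to confirm which channel and bit the Ghidra analysis points at.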

Flag

picoCTF{...}

Run the mystery binary on mystery.png, then extract the LSB-encoded data from the resulting PNG using Python Pillow.
