Investigative Reversing 1 picoCTF 2019 Solution

Published: April 2, 2026

Description

Two files: mystery binary and mystery.png. Run mystery to create a file with the flag embedded via LSB steganography.

Download both files.

```bash
wget <url>/mystery
wget <url>/mystery.png
chmod +x mystery
```
  1. Step 1: Run the binary
    Execute mystery with mystery.png. It will produce an output file (possibly named mystery2.png or similar). Observe what files are created.
    ```bash
    ./mystery mystery.png
    ls -la
    ```
    Run strace ./mystery mystery.png to observe all system calls including file opens and writes. This quickly reveals what output file the binary creates without needing to fully decompile it.

  2. Step 2: Decompile to understand the steganography
    Open mystery in Ghidra. Find the function that writes pixel data. Note which bit position is used to encode each flag character and the order of pixels used.
    ```bash
    ghidra mystery &
    ```
    LSB steganography is defined by three parameters: which color channel (R, G, or B), which bit position (LSB = bit 0, but could be any bit), and the order pixels are read (row-major, column-major, or a custom sequence).

  3. Step 3: Extract the flag from the output image
    Write a Python Pillow script to extract the flag from the output PNG using the steganography parameters discovered in Ghidra (save it to a file and run it with python3).
    ```python
    from PIL import Image

    # Force RGB so pixels[x, y] is always an (r, g, b) tuple, even for palette or greyscale PNGs
    img = Image.open('mystery2.png').convert('RGB')  # or whatever the output file is
    width, height = img.size
    pixels = img.load()

    # Extract bits from LSB of blue channel, row-major (example - verify channel, bit and order in Ghidra)
    bits = ''
    for y in range(height):
        for x in range(width):
            r, g, b = pixels[x, y]
            bits += str(b & 1)

    # Reassemble bytes MSB-first; stop at the first NUL byte or after 400 bits
    flag = ''
    for i in range(0, min(len(bits), 400) - 7, 8):
        byte = int(bits[i:i+8], 2)
        if byte == 0:
            break
        flag += chr(byte)

    print(flag)
    ```
    The Investigative Reversing series (parts 0-4) progressively increases complexity: part 0 has a single encoding pass, while later parts involve multiple images, multiple encoding rounds, or more obscure steganography schemes.
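The extractor in Step 3 hard-codes one channel, one bit and one pixel order. The following is an added example (not code from the writeup or the challenge) that generalises it over the three parameters listed under Step 2 and adds a parameter scan for when the decompiler output leaves doubt; `embed()` and `sample_image()` are assumed helpers that only construct an in-memory cover image so the script runs without Pillow or the challenge files.

```python
# Added example, not from the writeup: generic LSB extractor driven by channel, bit and pixel
# order. embed() and sample_image() exist only to build a constructed in-memory cover image.
CHANNELS = {'R': 0, 'G': 1, 'B': 2}

def pixel_order(width, height, order):
    """Coordinates in the sequence the hiding routine walks them."""
    if order == 'row':
        return [(x, y) for y in range(height) for x in range(width)]
    if order == 'col':
        return [(x, y) for x in range(width) for y in range(height)]
    raise ValueError('unknown pixel order: %s' % order)

def embed(pixels, data, channel, bit, order):
    """Copy of the grid with data + NUL terminator written one bit per pixel, MSB first."""
    width, height = len(pixels[0]), len(pixels)
    bits = [(byte >> (7 - k)) & 1 for byte in data + b'\x00' for k in range(8)]
    coords = pixel_order(width, height, order)
    if len(bits) > len(coords):
        raise ValueError('message does not fit in the image')
    out = [list(row) for row in pixels]
    c, mask = CHANNELS[channel], 0xFF ^ (1 << bit)  # mask clears the target bit
    for (x, y), b in zip(coords, bits):
        px = list(out[y][x])
        px[c] = (px[c] & mask) | (b << bit)
        out[y][x] = tuple(px)
    return out

def extract(pixels, channel, bit, order, max_bytes=256):
    """Read the same bit back in the same order; stop at the first NUL byte."""
    width, height = len(pixels[0]), len(pixels)
    c, coords = CHANNELS[channel], pixel_order(width, height, order)
    out, byte = bytearray(), 0
    for i, (x, y) in enumerate(coords[:max_bytes * 8]):
        byte = (byte << 1) | ((pixels[y][x][c] >> bit) & 1)
        if i % 8 == 7:  # a full byte has been assembled
            if byte == 0:
                break
            out.append(byte)
            byte = 0
    return bytes(out)

def scan(pixels, marker=b'picoCTF{'):
    """Try every (channel, bit, order) combination and keep those that decode to the flag prefix."""
    return [(ch, bit, order) for ch in CHANNELS for bit in range(8) for order in ('row', 'col')
            if extract(pixels, ch, bit, order).startswith(marker)]

def sample_image(width=40, height=20):
    """Constructed cover image: deterministic RGB tuples, list of rows (row-major)."""
    return [[(x * 7 % 256, y * 13 % 256, (x + y) % 256) for x in range(width)] for y in range(height)]
```

To use it on the real output, load the PNG with Pillow, convert to RGB and build the same list-of-rows grid before calling `extract()` or `scan()`.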

Flag

picoCTF{...}

Run the binary to produce the modified PNG, then extract LSB-encoded data from the output image using Python Pillow.
