picoCTF Solutions
picoCTF 2019ForensicsHard

m00nwalk2 picoCTF 2019 Solution

Published: April 2, 2026

Description

Revisit the first moonwalk transmission. This one has a hidden message inside - one decoded image contains clues and another contains the actual hidden flag, protected by a steganography password.

Setup

Download the WAV file(s) from the challenge.

Install the Python SSTV decoder from GitHub (pystemd/slowrx or similar sstv Python library).

Install steghide: sudo apt install steghide

bash
pip3 install numpy pillow pysoundfile scipy
bash
# Clone the sstv Python decoder from GitHub

Solution

Walk me through it
  1. Step 1Decode the SSTV audio files with Python
    Use a Python SSTV library to decode the WAV file(s). The library auto-detects the SSTV mode (Scottie 1, Martin 1, etc.) and outputs image files. Decode all WAV files provided.
    python
    python3 sstv_decode.py message.wav -o decoded_message.png
    python
    python3 sstv_decode.py clue1.wav -o clue1.png
    python
    python3 sstv_decode.py clue2.wav -o clue2.png
    python
    python3 sstv_decode.py clue3.wav -o clue3.png
    Learn more

    SSTV (Slow Scan Television) encodes images as audio signals. Different SSTV modes (Scottie 1, Martin 1, Robot 36, etc.) use different image sizes, color orders, and timing. A Python decoder using scipy for signal processing can detect the mode automatically from the VIS code at the start of the audio.

  2. Step 2Read the clue images to find the steghide password
    The decoded clue images contain three hints. Clue 1 gives the steganography password: 'hidden stegosaurus'. Clue 2 hints at steganography in audio (the quieter you are the more you can hear). Clue 3 mentions a steganography tool website. Combined, the clues tell you to run steghide on the original WAV file with the password 'hidden stegosaurus'.
    Learn more

    Steghide can hide data inside image and audio files. For WAV files, it embeds data in the least significant bits of the audio samples without significantly changing the sound. The embedded data is password-protected.

  3. Step 3Extract the hidden data with steghide
    Run steghide on the main WAV file using the password found in the clue images. The extracted file contains the flag.
    bash
    steghide extract -sf message.wav -p 'hidden stegosaurus'
    bash
    cat steghide_output.txt
    Learn more

    steghide extract -sf file -p password extracts data hidden with steghide. The -sf flag specifies the stego file, and -p provides the passphrase. If no output filename is specified, steghide writes to the embedded filename. The extracted file contains the flag.

    This challenge layered two steganography techniques: SSTV audio encoding (to hide the clue images inside audio) and steghide (to hide the flag inside the original WAV). Understanding that clues are often themselves encoded requires checking every artifact in the challenge.

Flag

picoCTF{...}

Decode the SSTV WAV files to get clue images, read the password 'hidden stegosaurus' from clue 1, then run steghide extract on the main WAV file to get the flag.

Want more picoCTF 2019 writeups?

Browse picoCTF 2019Full library

Useful tools for Forensics

Related reading

What to try next