So Meta picoCTF 2019 Solution

Published: April 2, 2026

Description

Find the flag in this picture's metadata. Download pico_img.png.

Download pico_img.png from the challenge page.

Install exiftool if not already present: sudo apt install libimage-exiftool-perl

Solution

  1. Step 1
    Read all EXIF metadata fields
    Observation
    The challenge description says the flag is in the picture's metadata, and the challenge name 'So Meta' is a direct reference to metadata, which suggested using exiftool to dump all EXIF fields from pico_img.png and scanning the output for the flag.
    exiftool reads all metadata embedded in an image file - EXIF, IPTC, XMP, and more. The flag is stored in the Artist field. Running exiftool on the image prints every field; scan the output for picoCTF.
    bash
    exiftool pico_img.png

    Expected output

    Artist                          : picoCTF{...}
    What didn't work first

    Tried: Open the image in a hex editor and grep for 'picoCTF' manually instead of using exiftool.

    A hex search can find plaintext strings, but EXIF field values are prefixed by tag identifiers and lengths that make raw scanning fragile - a hex editor shows the bytes but does not interpret field names, so the Artist field looks like an anonymous byte sequence unless you already know the EXIF tag IDs (0x013B). exiftool parses the full EXIF IFD structure and labels every field by name, making it far faster and less error-prone.

    Tried: Run 'strings pico_img.png' to extract readable text from the file instead of exiftool.

    strings dumps any sequence of printable ASCII bytes above a minimum length, which may surface the flag if it appears contiguously in the file. However, strings has no awareness of EXIF structure - it can miss values stored in UTF-16 or multi-byte encodings, and it floods output with noise from PNG chunks and color profiles. exiftool decodes each field according to its declared type and prints a clean label-value table, making it the right tool for structured metadata extraction.
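An added example (not part of the original writeup): a small Python parser for PNG text chunks, which goes beyond the EXIF case above to show why structure-aware parsing beats a plaintext scan. The sample image, keywords and flag-like values are constructed; the zTXt value is deflate-compressed, so grep or strings never sees it.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = struct.pack(">I", zlib.crc32(ctype + data))
    return struct.pack(">I", len(data)) + ctype + data + crc

def inflate(data: bytes, limit: int = 1 << 20) -> bytes:
    """zlib-decompress with an output cap so a hostile chunk cannot balloon."""
    return zlib.decompressobj().decompress(data, limit)

def text_chunks(png: bytes) -> list:
    """Return (chunk type, keyword, text) for every tEXt/zTXt/iTXt chunk."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    found, pos = [], len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        pos += 12 + length  # 8-byte header, data, 4-byte CRC (not verified here)
        key, _, rest = data.partition(b"\x00")
        if ctype == b"tEXt":    # keyword NUL Latin-1 text
            text = rest.decode("latin-1")
        elif ctype == b"zTXt":  # keyword NUL method byte, then a zlib stream
            text = inflate(rest[1:]).decode("latin-1")
        elif ctype == b"iTXt":  # keyword NUL flag method lang NUL key2 NUL UTF-8
            body = rest[2:].split(b"\x00", 2)[-1]
            text = (inflate(body) if rest[:1] == b"\x01" else body).decode("utf-8", "replace")
        elif ctype == b"IEND":
            break
        else:
            continue
        found.append((ctype.decode("ascii"), key.decode("latin-1"), text))
    return found

def sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG: Artist in tEXt, Comment in zTXt."""
    hidden = zlib.compress(b"picoCTF{constructed_constructed_deflated}")
    return (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + chunk(b"tEXt", b"Artist\x00picoCTF{constructed_plain}")
            + chunk(b"zTXt", b"Comment\x00\x00" + hidden)
            + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))

if __name__ == "__main__":
    print("raw 'picoCTF{' hits:", sample_png().count(b"picoCTF{"))  # grep/strings view
    for row in text_chunks(sample_png()):
        print(*row)
```

The raw byte search reports one hit while the parser returns two values, which is the gap between scanning bytes and decoding each field by its declared type.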

    Learn more

    EXIF (Exchangeable Image File Format) is a standard for storing metadata inside image files. Originally designed for digital cameras, it captures information like camera make/model, exposure settings, GPS coordinates, date/time, and software used. PNG, JPEG, TIFF, and many RAW formats all support EXIF.

    exiftool by Phil Harvey is the most comprehensive metadata reader and writer available. It supports over 20,000 tags across more than 150 file formats. When run on an image, it prints every metadata field it finds - EXIF, IPTC (editorial metadata), XMP (extensible metadata), ICC color profiles, and more. The flag in this challenge is hidden in the Artist field, which is designed to store the photographer's name but accepts arbitrary text.

    Other common fields that hide data in CTF challenges include:

    • Comment - a free-text comment field in JPEG and PNG
    • Description / ImageDescription - image description field
    • Copyright - copyright notice field
    • UserComment - a user-writable comment field in EXIF
    • GPS fields - can encode coordinates that decode to something meaningful

    In real-world digital forensics, EXIF metadata is extremely valuable - leaked GPS coordinates in photos have exposed the locations of journalists and whistleblowers, and camera serial numbers embedded in EXIF have been used to identify photographers. Privacy-conscious users strip EXIF before sharing images using tools like exiftool -all= image.jpg or mat2.

    XMP (Extensible Metadata Platform) is a newer metadata standard developed by Adobe and embedded as XML inside image, PDF, and video files. XMP fields can hold arbitrary custom properties using XML namespaces, making them easy to abuse for data hiding in CTF challenges. The exiftool command reads XMP fields automatically alongside EXIF and IPTC. In a forensics investigation, always check XMP fields - they can contain author history, edit counts, original file paths, software version strings, and other investigative clues that EXIF alone does not expose.

    Steganography vs. metadata hiding: hiding data in metadata fields is distinct from steganography (hiding data in the image pixel data itself). Metadata is straightforward to find with exiftool; steganography requires specialized tools. Common steganography techniques include LSB (Least Significant Bit) manipulation of pixel values, hiding data in DCT coefficients of JPEG images (used by tools like steghide and outguess), and appending data after the image's end marker. In CTF forensics challenges, always check both metadata and steganographic content before concluding that an image is clean.

    Extracting GPS data is a particularly impactful forensic capability. Smartphones automatically embed GPS coordinates in photos unless location access is disabled. exiftool -GPS* photo.jpg extracts all GPS-related fields. The coordinates can be fed directly to Google Maps or converted with the formula: decimal degrees = degrees + (minutes/60) + (seconds/3600). In OSINT investigations and digital forensics cases, GPS metadata has been used to geolocate crime scenes, verify alibi claims, and identify the positions of vehicles and people at specific times by analyzing timestamps alongside GPS data.

Interactive tools
  • Image Metadata Viewer: Read EXIF, XMP, JPEG comments, and PNG tEXt / iTXt / zTXt chunks from images entirely in the browser. Highlights flag-like values.

Flag

picoCTF{s0_m3ta_...}

EXIF metadata fields (artist, comment, copyright, GPS, etc.) can hold arbitrary text - always scan all fields when looking for hidden data in image files.

Key takeaway

Image files carry structured metadata (EXIF, IPTC, XMP) alongside pixel data, and every free-text field in that metadata can hold arbitrary content invisible to a normal viewer. In real-world forensics, leaked GPS coordinates in photo metadata have exposed the locations of journalists and whistleblowers, and camera serial numbers have been used to attribute photos to specific devices. Stripping metadata before publishing is a basic operational security practice; tools like exiftool and mat2 automate this.
