Description
Find the flag in this picture's metadata. Download pico_img.png.
Setup
Download pico_img.png from the challenge page.
Install exiftool if not already present: sudo apt install libimage-exiftool-perl
Solution
Step 1: Read all EXIF metadata fields
exiftool reads all metadata embedded in an image file - EXIF, IPTC, XMP, and more. The flag is stored in the Artist field. Running exiftool on the image prints every field; scan the output for picoCTF.
exiftool pico_img.png
EXIF (Exchangeable Image File Format) is a standard for storing metadata inside image files. Originally designed for digital cameras, it captures information like camera make/model, exposure settings, GPS coordinates, date/time, and software used. PNG, JPEG, TIFF, and many RAW formats all support EXIF.
exiftool by Phil Harvey is the most comprehensive metadata reader and writer available. It supports over 20,000 tags across more than 150 file formats. When run on an image, it prints every metadata field it finds - EXIF, IPTC (editorial metadata), XMP (extensible metadata), ICC color profiles, and more. The flag in this challenge is hidden in the Artist field, which is designed to store the photographer's name but accepts arbitrary text.
Other common fields that hide data in CTF challenges include:
- Comment - a free-text comment field in JPEG and PNG
- Description / ImageDescription - image description field
- Copyright - copyright notice field
- UserComment - a user-writable comment field in EXIF
- GPS fields - can encode coordinates that decode to something meaningful
In real-world digital forensics, EXIF metadata is extremely valuable - leaked GPS coordinates in photos have exposed the locations of journalists and whistleblowers, and camera serial numbers embedded in EXIF have been used to identify photographers. Privacy-conscious users strip EXIF before sharing images using tools like exiftool -all= image.jpg or mat2.
XMP (Extensible Metadata Platform) is a newer metadata standard developed by Adobe and embedded as XML inside image, PDF, and video files. XMP fields can hold arbitrary custom properties using XML namespaces, making them easy to abuse for data hiding in CTF challenges. The exiftool command reads XMP fields automatically alongside EXIF and IPTC. In a forensics investigation, always check XMP fields - they can contain author history, edit counts, original file paths, software version strings, and other investigative clues that EXIF alone does not expose.
Steganography vs. metadata hiding: hiding data in metadata fields is distinct from steganography (hiding data in the image pixel data itself). Metadata is straightforward to find with exiftool; steganography requires specialized tools. Common steganography techniques include LSB (Least Significant Bit) manipulation of pixel values, hiding data in DCT coefficients of JPEG images (used by tools like steghide and outguess), and appending data after the image's end marker. In CTF forensics challenges, always check both metadata and steganographic content before concluding that an image is clean.
Extracting GPS data is a particularly impactful forensic capability. Smartphones automatically embed GPS coordinates in photos unless location access is disabled. exiftool -GPS* photo.jpg extracts all GPS-related fields. The coordinates can be fed directly to Google Maps or converted with the formula: decimal degrees = degrees + (minutes/60) + (seconds/3600). In OSINT investigations and digital forensics cases, GPS metadata has been used to geolocate crime scenes, verify alibi claims, and identify the positions of vehicles and people at specific times by analyzing timestamps alongside GPS data.
Flag
picoCTF{...}
EXIF metadata fields (artist, comment, copyright, GPS, etc.) can hold arbitrary text - always scan all fields when looking for hidden data in image files.