What Lies Within picoCTF 2019 Solution

Published: April 2, 2026

Description

There's something in the building. Can you retrieve the flag? Download buildings.png.

Download buildings.png from the challenge page.

Install zsteg: gem install zsteg

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
Not sure which steganography tool to reach for? Introduction to Steganography Tools covers zsteg (used here), steghide, stegcracker, binwalk, and Stegsolve.
  1. Step 1
    Run zsteg to detect LSB steganography
    Observation
    I noticed the challenge was a PNG image called buildings.png with the hint that something is hidden inside, which suggested LSB steganography and pointed to zsteg as the purpose-built tool for extracting bit-plane encoded data from PNG files.
    zsteg automatically checks all combinations of bit planes (LSB, bit 2, etc.) and color channels (R, G, B, A) for hidden data in PNG files. It detects readable text almost immediately and prints the flag.
    bash
    zsteg buildings.png

    Expected output

    picoCTF{h1d1ng_1n_th3_b1t5}
    What didn't work first

    Tried: Run steghide instead of zsteg on buildings.png

    steghide only supports JPEG and BMP formats - it will immediately error out with 'buildings.png: the file format is not supported'. zsteg is the correct tool for PNG LSB extraction because it reads PNG bit planes directly without needing a passphrase.

    Tried: Run strings on buildings.png looking for the flag

    strings scans for printable ASCII sequences in raw bytes, but LSB data is spread across individual low-order bits of pixel values - not stored as contiguous ASCII bytes in the file. The flag cannot appear in strings output because the LSB encoding interleaves its bits across hundreds of pixel bytes.

    Learn more

    LSB steganography (Least Significant Bit) is the most common technique for hiding data in images. Each color channel of each pixel is stored as an 8-bit value (0-255). Changing the least significant bit of a value - say, from 200 (11001000) to 201 (11001001) - shifts the color by 1/255 of the full range, which is completely invisible to the human eye. By replacing the LSBs of pixels across the image with the bits of a secret message, the message is imperceptibly embedded in the image.

    zsteg is a Ruby tool specifically designed to detect and extract LSB-encoded data from PNG and BMP files. It automatically tests all combinations of:

    • Bit plane (bit 0 through bit 7 of each channel)
    • Color channel (R, G, B, A individually or combined)
    • Byte order (row-by-row vs column-by-column)
    • Data interpretation (text, binary, zlib-compressed data)

    When zsteg finds a bit combination that produces readable text or a known file signature, it reports it. This makes it much faster than manual bit-plane analysis. For challenges where zsteg doesn't find anything automatically, tools like Stegsolve (Java GUI) or stegpy allow manual bit-plane inspection. More sophisticated LSB steganography tools like SteghideJPEG or OpenStego support password-protected embedding, which requires brute-force or a known password to extract.

    LSB steganography is widely studied in both academic research and real-world intelligence/counter-intelligence contexts. It has reportedly been used by terrorist organizations to communicate covertly, though the prevalence of this is often exaggerated in media coverage. Detection without a known carrier image ("steganalysis") is an active research area using statistical analysis of pixel distributions.

Interactive tools
  • Image Metadata ViewerRead EXIF, XMP, JPEG comments, and PNG tEXt / iTXt / zTXt chunks from images entirely in the browser. Highlights flag-like values.
  • Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.

Flag

Reveal flag

picoCTF{h1d1ng_1n_th3_b1t5}

LSB steganography hides data in the least-significant bit of each color channel - invisible to the eye but detectable with specialized tools like zsteg or stegsolve.

Key takeaway

Digital image formats store pixel data in discrete channels; the least significant bits contribute almost nothing to visual fidelity but can carry a hidden payload without perceptible change. LSB steganography is detected and extracted by tools like zsteg and steghide, which scan image channels for statistical anomalies or try known passwords. The same principle scales to audio and video files, where imperceptible modifications to sample or frame data serve as covert carriers.

Related reading

Want more picoCTF 2019 writeups?

Tools used in this challenge

What to try next