What Lies Within

Published: April 2, 2026

Description

There's something in the building. Can you retrieve the flag? Download buildings.png.

Download buildings.png from the challenge page.

Install zsteg: gem install zsteg

Solution

  1. Run zsteg to detect LSB steganography
    zsteg automatically checks all combinations of bit planes (LSB, bit 2, etc.) and color channels (R, G, B, A) for hidden data in PNG files. It detects readable text almost immediately and prints the flag.
    zsteg buildings.png

    LSB steganography (Least Significant Bit) is the most common technique for hiding data in images. Each color channel of each pixel is stored as an 8-bit value (0-255). Changing the least significant bit of a value -- say, from 200 (11001000) to 201 (11001001) -- shifts the color by 1/255 of the full range, which is completely invisible to the human eye. By replacing the LSBs of pixels across the image with the bits of a secret message, the message is imperceptibly embedded in the image.

    zsteg is a Ruby tool specifically designed to detect and extract LSB-encoded data from PNG and BMP files. It automatically tests all combinations of:

    • Bit plane (bit 0 through bit 7 of each channel)
    • Color channel (R, G, B, A individually or combined)
    • Pixel traversal order (row-by-row vs column-by-column)
    • Data interpretation (text, binary, zlib-compressed data)

    When zsteg finds a bit combination that produces readable text or a known file signature, it reports it. This makes it much faster than manual bit-plane analysis. For challenges where zsteg doesn't find anything automatically, tools like Stegsolve (Java GUI) or stegpy allow manual bit-plane inspection. More sophisticated steganography tools like Steghide (JPEG) or OpenStego support password-protected embedding, which requires brute-forcing or knowing the password to extract.
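
The kind of sweep described above, in miniature. This is an added example, not part of the original write-up and not zsteg's code: it writes a constructed message into bit 0 of a constructed RGB pixel list, then tries every channel order and bit plane and reports the streams that open with printable text. The function names, the random carrier, the message and the NUL terminator are assumptions made for the illustration.

```python
import itertools
import random
import re

CHANNELS = "rgb"

def embed(pixels, payload, channels="rgb", bit=0):
    """Build a test carrier: write payload bits (MSB first) into one bit plane."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    idx = [CHANNELS.index(c) for c in channels]
    out = [list(p) for p in pixels]
    slots = [(n, c) for n in range(len(out)) for c in idx]
    if len(bits) > len(slots):
        raise ValueError("payload does not fit in carrier")
    for (n, c), b in zip(slots, bits):
        out[n][c] = (out[n][c] & ~(1 << bit) & 0xFF) | (b << bit)
    return [tuple(p) for p in out]

def extract(pixels, channels, bit):
    """Read one bit plane from the chosen channels, pixel by pixel, MSB first."""
    idx = [CHANNELS.index(c) for c in channels]
    bits = [(p[c] >> bit) & 1 for p in pixels for c in idx]
    return bytes(
        sum(b << (7 - i) for i, b in enumerate(bits[k:k + 8]))
        for k in range(0, len(bits) - len(bits) % 8, 8)
    )

def scan(pixels, min_len=12):
    """Try every channel order and bit plane; keep streams that open with text."""
    hits = []
    for n in (1, 2, 3):
        for combo in itertools.permutations(CHANNELS, n):
            for bit in range(8):
                data = extract(pixels, combo, bit)
                m = re.match(rb"[\x20-\x7e]{%d,}" % min_len, data)
                if m:
                    hits.append(("".join(combo), bit, m.group().decode()))
    return hits

# Constructed sample: 16x16 random RGB carrier and a made-up message (not the challenge flag).
rng = random.Random(1)
CARRIER = [tuple(rng.randrange(256) for _ in range(3)) for _ in range(256)]
MESSAGE = b"example{constructed_lsb_demo}"
STEGO = embed(CARRIER, MESSAGE + b"\x00")  # NUL ends the printable run

if __name__ == "__main__":
    for channels, bit, text in scan(STEGO):
        print(f"channels={channels} bit={bit}: {text!r}")
```

No channel value in the stego pixels differs from the carrier by more than 1, which is why the change is invisible while the sweep still recovers the text.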

    LSB steganography is widely studied in both academic research and real-world intelligence/counter-intelligence contexts. It has reportedly been used by terrorist organizations to communicate covertly, though the prevalence of this is often exaggerated in media coverage. Detection without a known carrier image ("steganalysis") is an active research area using statistical analysis of pixel distributions.

Flag

picoCTF{...}

LSB steganography hides data in the least-significant bit of each color channel -- invisible to the eye but detectable with specialized tools like zsteg or Stegsolve.
