Description
There's something in the building. Can you retrieve the flag? Download buildings.png.
Setup
Download buildings.png from the challenge page.
Install zsteg: gem install zsteg
Solution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Run zsteg to detect LSB steganographyObservationI noticed the challenge was a PNG image called buildings.png with the hint that something is hidden inside, which suggested LSB steganography and pointed to zsteg as the purpose-built tool for extracting bit-plane encoded data from PNG files.zsteg automatically checks all combinations of bit planes (LSB, bit 2, etc.) and color channels (R, G, B, A) for hidden data in PNG files. It detects readable text almost immediately and prints the flag.bashzsteg buildings.pngExpected output
picoCTF{h1d1ng_1n_th3_b1t5}What didn't work first
Tried: Run steghide instead of zsteg on buildings.png
steghide only supports JPEG and BMP formats - it will immediately error out with 'buildings.png: the file format is not supported'. zsteg is the correct tool for PNG LSB extraction because it reads PNG bit planes directly without needing a passphrase.
Tried: Run strings on buildings.png looking for the flag
strings scans for printable ASCII sequences in raw bytes, but LSB data is spread across individual low-order bits of pixel values - not stored as contiguous ASCII bytes in the file. The flag cannot appear in strings output because the LSB encoding interleaves its bits across hundreds of pixel bytes.
Learn more
LSB steganography (Least Significant Bit) is the most common technique for hiding data in images. Each color channel of each pixel is stored as an 8-bit value (0-255). Changing the least significant bit of a value - say, from 200 (11001000) to 201 (11001001) - shifts the color by 1/255 of the full range, which is completely invisible to the human eye. By replacing the LSBs of pixels across the image with the bits of a secret message, the message is imperceptibly embedded in the image.
zsteg is a Ruby tool specifically designed to detect and extract LSB-encoded data from PNG and BMP files. It automatically tests all combinations of:
- Bit plane (bit 0 through bit 7 of each channel)
- Color channel (R, G, B, A individually or combined)
- Byte order (row-by-row vs column-by-column)
- Data interpretation (text, binary, zlib-compressed data)
When zsteg finds a bit combination that produces readable text or a known file signature, it reports it. This makes it much faster than manual bit-plane analysis. For challenges where zsteg doesn't find anything automatically, tools like Stegsolve (Java GUI) or stegpy allow manual bit-plane inspection. More sophisticated LSB steganography tools like SteghideJPEG or OpenStego support password-protected embedding, which requires brute-force or a known password to extract.
LSB steganography is widely studied in both academic research and real-world intelligence/counter-intelligence contexts. It has reportedly been used by terrorist organizations to communicate covertly, though the prevalence of this is often exaggerated in media coverage. Detection without a known carrier image ("steganalysis") is an active research area using statistical analysis of pixel distributions.
Interactive tools
- Image Metadata ViewerRead EXIF, XMP, JPEG comments, and PNG tEXt / iTXt / zTXt chunks from images entirely in the browser. Highlights flag-like values.
- Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.
Flag
Reveal flag
picoCTF{h1d1ng_1n_th3_b1t5}
LSB steganography hides data in the least-significant bit of each color channel - invisible to the eye but detectable with specialized tools like zsteg or stegsolve.