## Description

What's hidden in this file? nothing_up_my_sleeve

## Setup

Download the file from the challenge page.

```bash
wget <challenge_url>/nothing_up_my_sleeve   # download the file
```

## Solution
### Step 1: Identify the file type

Run `file` on the downloaded file to determine its actual type from its magic bytes rather than from its filename. The file may be a PNG, ZIP, PDF, or another format despite having no extension.

```bash
file nothing_up_my_sleeve
xxd nothing_up_my_sleeve | head -4
```

**Learn more**

File extensions are metadata; the actual file format is determined by the magic bytes (also called file signatures) at the beginning of the file. The `file` command reads these bytes and matches them against a database of known formats. Common magic bytes:

- PNG: `89 50 4E 47 0D 0A 1A 0A`
- JPEG: `FF D8 FF`
- ZIP: `50 4B 03 04`
- PDF: `25 50 44 46` (`%PDF`)
- ELF (Linux binary): `7F 45 4C 46`

`xxd` produces a hex dump of the file: the left column shows the file offset, the middle column the hex bytes, and the right column the printable ASCII characters. This gives both the raw bytes and any embedded strings at a glance.
### Step 2: Extract readable strings and scan with binwalk

Run `strings` to find any human-readable content embedded in the file, then use `binwalk` to scan for embedded files or compressed data that may contain the flag.

```bash
strings nothing_up_my_sleeve
strings nothing_up_my_sleeve | grep -i pico
binwalk nothing_up_my_sleeve
binwalk -e nothing_up_my_sleeve   # extract embedded files
```

**Learn more**

`strings` scans a binary file for sequences of printable ASCII characters at least 4 characters long (by default) and prints them. It is one of the fastest first-pass analysis tools: if the flag is stored as plaintext anywhere in the file, `strings | grep pico` will find it immediately.

`binwalk` scans a file for embedded file signatures, compressed data, and filesystem images. It is designed for analyzing firmware but works on any binary blob. The `-e` flag automatically extracts anything it finds into a `_nothing_up_my_sleeve.extracted/` directory. Common findings include ZIP archives appended to image files, gzip streams, squashfs filesystems, and LZMA compressed data.

### Step 3: Try steganography tools if data is hidden in an image

If the file is a PNG or JPEG, use steghide, zsteg, or stegsolve to look for data hidden in the pixel values. If binwalk finds no embedded files, the flag may be hidden steganographically.

```bash
# For PNG files:
zsteg nothing_up_my_sleeve

# For JPEG files:
steghide extract -sf nothing_up_my_sleeve

# View all LSB planes:
stegsolve   # GUI tool: open the file and step through the bit planes

# Check metadata:
exiftool nothing_up_my_sleeve
```

**Learn more**
Steganography is the practice of hiding data within other data. In image steganography, the most common technique is LSB (Least Significant Bit) substitution: the lowest bit of each pixel's color channel is replaced with a bit of the hidden message. This changes pixel values by at most 1, making the modification imperceptible to the human eye but detectable by tools.
zsteg is a Ruby tool specialized for PNG and BMP steganography. It tries all combinations of bit planes, channel orders, and read directions, reporting any finding that looks like printable text. steghide uses a passphrase-protected embedding scheme - try an empty passphrase or common words if prompted.
exiftool reads all metadata from image, audio, and video files. CTF flags are sometimes hidden in EXIF fields like ImageDescription, Comment, or UserComment, which are invisible when viewing the image normally but trivially readable with exiftool.
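The LSB substitution described above, as an added example that is not part of the original writeup: it works on a constructed buffer of raw 8-bit RGB samples (a stand-in for a decoded PNG's pixel data, so no image library is needed), embeds a placeholder flag into the lowest bit of successive channel values, confirms that no channel moved by more than 1, and then recovers the message the way zsteg's single-bit-plane scan does, by reading the LSB plane back and filtering it for printable runs. The cover buffer, the placeholder flag, and all function names are assumptions made for this example.

```python
import random


def embed_lsb(cover: bytes, message: bytes) -> bytearray:
    """Write message bits (MSB-first within each byte) into the LSB of successive channel values."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover image too small for this message")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit  # clear bit 0, then set it to the message bit
    return stego


def extract_lsb_plane(pixels: bytes) -> bytes:
    """Collect the LSB of every channel value and pack 8 bits per byte: the plane zsteg reads as 'b1'."""
    out = bytearray()
    for i in range(0, len(pixels) - len(pixels) % 8, 8):
        value = 0
        for j in range(8):
            value = (value << 1) | (pixels[i + j] & 1)
        out.append(value)
    return bytes(out)


def printable_runs(data: bytes, min_len: int = 8) -> list[str]:
    """Runs of printable ASCII at least min_len long, the same filter strings(1) applies."""
    runs, current = [], []
    for b in data:
        if 32 <= b < 127:
            current.append(chr(b))
            continue
        if len(current) >= min_len:
            runs.append("".join(current))
        current = []
    if len(current) >= min_len:
        runs.append("".join(current))
    return runs


def max_channel_change(before: bytes, after: bytes) -> int:
    """Largest per-channel difference between the cover and the stego buffer."""
    return max(abs(a - b) for a, b in zip(before, after))


def make_cover(width: int = 64, height: int = 64, seed: int = 1) -> bytes:
    """Constructed cover: pseudo-random RGB samples standing in for a real image's pixel buffer."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(width * height * 3))


SAMPLE_FLAG = b"picoCTF{lsb_sample_not_real}"  # placeholder, not the challenge flag


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, SAMPLE_FLAG)
    print("max per-channel change:", max_channel_change(cover, stego))
    print("printable runs in LSB plane:", printable_runs(extract_lsb_plane(stego)))
```

Reading the plane back only works because the bit order (MSB-first) and the channel order (R, G, B in memory) match what the embedder used; zsteg gets around that uncertainty by trying every combination of bit order, channel order, and read direction and reporting whichever yields printable text.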
### Step 4: Use foremost or a hexdump for remaining extraction

If the other tools have not revealed the flag, use `foremost` to carve files by header/footer patterns, or manually inspect the hex dump for suspicious byte patterns, padding, or data appended after the file's normal end.

```bash
foremost -i nothing_up_my_sleeve -o output/
xxd nothing_up_my_sleeve | tail -20   # check the end of the file
hexdump -C nothing_up_my_sleeve | less
```

**Learn more**

`foremost` is a file carving tool originally developed for digital forensics. It scans a binary for known file header/footer byte sequences (JPEG, PNG, ZIP, PDF, and many more) and extracts the resulting files even if they are embedded in the middle of another file or concatenated at the end. It is particularly useful when binwalk misses something or when files must be recovered from raw disk images.

Many CTF "hidden file" challenges simply concatenate a ZIP or PNG onto the end of an image file. PNG readers stop at the IEND chunk and ignore trailing bytes, so a valid PNG can have an entire ZIP archive appended after IEND. The `tail` of the hex dump reveals this immediately: look for a second file signature after what should be the end of the outer format.
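The following added example, which is not from the original writeup, ties Steps 1, 2 and 4 together on a constructed input: it builds a valid 1x1 PNG, appends a small real ZIP archive after IEND, then identifies the outer type from its magic bytes the way `file` does, walks the PNG chunks to find where IEND ends, scans every offset for the signatures listed in Step 1 the way `binwalk` does, prints an xxd-style dump of the boundary, and carves the appended archive as `binwalk -e` or `foremost` would. The sample file, its placeholder flag, and all function names are assumptions made for this example; only the Python standard library is used.

```python
import io
import struct
import zipfile
import zlib

# Magic bytes from the table in Step 1 (only the ones quoted on the page).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"\xff\xd8\xff": "JPEG",
    b"PK\x03\x04": "ZIP",
    b"%PDF": "PDF",
    b"\x7fELF": "ELF",
}


def identify(data: bytes) -> str:
    """What `file` does: match the leading bytes against known signatures, ignoring the name."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "data"


def scan_signatures(data: bytes) -> list[tuple[int, str]]:
    """What `binwalk` does: report every known signature found at any offset."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = 0
        while (pos := data.find(magic, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def png_end_offset(data: bytes) -> int:
    """Walk the PNG chunk list and return the offset just past IEND's CRC.
    Image viewers ignore everything after that offset."""
    if identify(data) != "PNG":
        raise ValueError("not a PNG")
    pos = 8  # skip the 8-byte signature
    while pos + 8 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length field + type + body + CRC
        if kind == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")


def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the outer PNG ends (empty for a clean file)."""
    return data[png_end_offset(data):]


def carve_zip(data: bytes) -> dict[str, bytes]:
    """Open a carved ZIP blob and return its members, as `binwalk -e` or `foremost` would write them out."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def hexdump(data: bytes, base: int = 0) -> list[str]:
    """xxd-style lines: offset, 16 bytes in 2-byte groups, printable ASCII on the right."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + off:08x}: {groups:<39}  {text}")
    return lines


def _png_chunk(kind: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def build_sample() -> bytes:
    """Constructed test input: a valid 1x1 RGB PNG with a real (stored) ZIP archive appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte 0 + one red pixel
    png = (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
           + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "picoCTF{sample_not_the_real_flag}")  # placeholder, not the challenge flag
    return png + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    end = png_end_offset(sample)
    print("file says:", identify(sample))
    print("PNG ends at offset", end, "of", len(sample), "bytes")
    for off, name in scan_signatures(sample):
        print(f"  signature {name} at offset 0x{off:x}")
    print("\n".join(hexdump(sample[end - 16:], base=end - 16)[:4]))
    print(carve_zip(trailing_data(sample)))
```

The signature scan alone would also flag a ZIP header that happens to appear inside a compressed IDAT stream, which is why the chunk walk matters: a hit that lies past the IEND offset is appended data by construction, while a hit before it needs a second look.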
## Flag

picoCTF{...}

Hidden data challenge: run file, strings, binwalk, and the steganography tools (zsteg, steghide, exiftool) in sequence; the flag is embedded in or appended to one of the layers the outer file type conceals.