Description
Files can always be changed in a secret way. Can you find the flag in the cat.jpg file?
Setup
Download cat.jpg.
Solution
- Step 1Inspect the EXIF metadataRun exiftool on cat.jpg to dump all metadata fields. Look through the output for any field containing a base64-encoded string. The License field contains the encoded flag.exiftool cat.jpg
Learn more
EXIF (Exchangeable Image File Format) is a standard for storing metadata in JPEG, PNG, TIFF, and other image files. It was originally designed for camera settings -- shutter speed, aperture, GPS coordinates -- but any field can hold arbitrary text. Common fields include Make, Model, DateTime, Artist, Copyright, and Comment. Less-read fields like License, UserComment, or custom XMP properties are easy hiding spots.
exiftool by Phil Harvey is the de-facto standard for reading and writing EXIF data. It supports over 200 file formats. For CTF forensics, always run
exiftoolas a first step on any downloaded image. - Step 2Decode the base64 string from the License fieldCopy the base64 string from the License field and pipe it through base64 -d to recover the flag.echo "cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9" | base64 -d
Learn more
Base64 encodes binary data (or any bytes) using a 64-character alphabet (A–Z, a–z, 0–9, +, /). It is commonly used to embed binary data in text fields or URLs. The
=padding at the end is a sign that the string is base64-encoded.base64 -don Linux (orbase64 --decodeon macOS) decodes it back to the original bytes.
Flag
picoCTF{...}
EXIF metadata fields can hold arbitrary data -- always check all fields, not just the obvious ones like title and author.