Information picoCTF 2021 Solution

Published: April 2, 2026

Description

Files can always be changed in a secret way. Can you find the flag in the cat.jpg file?

Download cat.jpg.

bash
wget <url>/cat.jpg
  1. Step 1: Inspect the EXIF metadata
    Run exiftool on cat.jpg to dump all metadata fields. Look through the output for any field containing a base64-encoded string. The License field contains the encoded flag.
    bash
    exiftool cat.jpg

    EXIF (Exchangeable Image File Format) is a standard for storing metadata in JPEG, PNG, TIFF, and other image files. It was originally designed for camera settings - shutter speed, aperture, GPS coordinates - but any field can hold arbitrary text. Common fields include Make, Model, DateTime, Artist, Copyright, and Comment. Less-read fields like License, UserComment, or custom XMP properties are easy hiding spots.

    exiftool by Phil Harvey is the de-facto standard for reading and writing EXIF data. It supports over 200 file formats. For CTF forensics, always run exiftool as a first step on any downloaded image.

    Privacy risks of EXIF data: By default, smartphones embed GPS coordinates, device model, and serial numbers into every photo. Sharing an unstripped photo online can reveal your precise home location. Journalists, activists, and security researchers routinely strip EXIF data before publishing images. Tools like exiftool -all= image.jpg remove all metadata in place. Social media platforms like Facebook and Twitter strip EXIF on upload, but many file-sharing sites and email attachments do not.

    EXIF fields commonly used in CTF steganography: Beyond the standard camera fields, useful hiding spots include Comment, UserComment, Artist, Copyright, Software, License, and XMP (Extensible Metadata Platform) fields embedded as an XML block inside the file. The challenge uses the License field, which most users would never inspect. When no obviously suspicious field stands out, run exiftool -a -u image.jpg - the -u flag shows unknown or non-standard tags that exiftool recognizes but does not normally display.

    Other metadata formats: PNG files use iTXt/tEXt/zTXt chunks instead of EXIF. PDF files embed metadata in an XMP stream. ZIP and Office documents store metadata in [Content_Types].xml and docProps/. Always match the metadata inspection tool to the file format - exiftool handles all of these, but dedicated tools like pngcheck (for PNG chunks) can reveal additional detail.

  2. Step 2: Decode the base64 string from the License field
    Copy the base64 string from the License field and pipe it through base64 -d to recover the flag.
    bash
    echo "cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9" | base64 -d

    Base64 encodes binary data (or any bytes) using a 64-character alphabet (A-Z, a-z, 0-9, +, /). It is commonly used to embed binary data in text fields or URLs. Trailing = padding, when present, is a sign that the string is base64-encoded; strings whose encoded length is already a multiple of 4, like the one in this challenge, carry no padding. base64 -d on Linux (or base64 --decode on macOS) decodes it back to the original bytes.

    Recognizing base64 on sight: Base64 strings consist only of alphanumeric characters, +, /, and trailing = padding. The string length is always a multiple of 4 (with padding). A rough rule of thumb: base64-encoded text is about 33% longer than the original binary. If you see a long string of alphanumerics with no spaces and ending in = or ==, it is almost certainly base64. Use echo "string" | base64 -d to test immediately.
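
The two steps above can be combined when triaging many files. The following is an added example, not part of the original write-up: a Python helper that scans exiftool-style text output for tag values that decode as base64 to printable text. The sample output is constructed (only the License value comes from this page), and the names try_base64 and scan_metadata are this example's own.

```python
import base64
import re
import string

# Constructed sample in the layout of `exiftool` output; only the License value
# is taken from the write-up, the other lines are made up for illustration.
SAMPLE_OUTPUT = """\
File Name                       : cat.jpg
MIME Type                       : image/jpeg
Copyright Notice                : ExampleCopyrightHolder
License                         : cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9
Image Size                      : 2560x1598
"""

B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
PRINTABLE = set(string.printable.encode())


def try_base64(value):
    """Return decoded text if value is plausible base64 of printable ASCII, else None."""
    value = value.strip()
    if not B64_TOKEN.match(value):
        return None
    # Tolerate stripped padding: pad up to the next multiple of 4.
    padded = value.rstrip("=")
    padded += "=" * (-len(padded) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    # Ordinary words also fit the base64 alphabet; they decode to binary junk.
    if not raw or any(b not in PRINTABLE for b in raw):
        return None
    return raw.decode("ascii")


def scan_metadata(exiftool_text):
    """Map tag name -> decoded text for every tag whose value decodes cleanly."""
    hits = {}
    for line in exiftool_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and (decoded := try_base64(value)) is not None:
            hits[name.strip()] = decoded
    return hits


if __name__ == "__main__":
    for tag, text in scan_metadata(SAMPLE_OUTPUT).items():
        print(f"{tag}: {text}")
```

The printable-text check is what keeps the Copyright Notice value, which fits the base64 alphabet, from being reported as a hit.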

Alternate Solution

Once you copy the Base64 string from the License EXIF field, decode it with the Base64 Decoder on this site - paste and click decode to reveal the flag instantly without needing a terminal.

Flag

picoCTF{...}

EXIF metadata fields can hold arbitrary data - always check all fields, not just the obvious ones like title and author.
