Milkslap picoCTF 2021 Solution

Published: April 2, 2026

Description

Milk... Slap... Do the words make sense to you? Download milkslap.png.

Open the challenge URL in a browser to find the embedded image.

bash
# Open the challenge URL and view source / Network tab
Companion reading: CTF Steganography Techniques explains the LSB encoding zsteg unpacks, and Steganography Tools lists zsteg / stegsolve / steghide and when to reach for each.
  1. Step 1: Discover the embedded image from the page
    Open the page and either view source or open DevTools Network tab. The image URL appears as an <img src="..."> reference (or as a background-image in CSS). Pull it down with wget so you can run tools on the file directly.
    bash
    curl -s <CHALLENGE_URL> | grep -Eo 'src="[^"]+\.png"' | sort -u
    bash
    wget <DISCOVERED_PNG_URL> -O milkslap.png
    bash
    file milkslap.png

    Why scan the page first. picoCTF stego challenges often hide the actual image one or two levels into the HTML rather than in a download link. view-source: in the browser address bar, or curl <url> piped through grep, reveals every resource the page loads. CSS background-images and lazy-loaded data-src attributes are common tricks - check both.

  2. Step 2: Run zsteg to detect LSB steganography
    Use zsteg on the image to automatically detect and extract data hidden in the least significant bits of the image pixels. The flag is hidden using LSB steganography.
    bash
    zsteg milkslap.png
    bash
    zsteg -a milkslap.png  # exhaustive

    LSB steganography (Least Significant Bit) hides data by replacing the lowest bit of each pixel color channel with a bit of the secret message. Because this changes each channel value by at most 1 on its 0-255 scale, it is virtually invisible to the human eye but detectable with the right tools.

    zsteg is a Ruby-based tool specifically designed to detect various steganographic methods in PNG and BMP files. It tries multiple combinations: different bit planes (LSB, bit 1, bit 2...), different color channels (R, G, B, A), different byte orderings, and both row and column scans. Its output shows detected data along with the method used to extract it.

    If zsteg is not available, you can use stegsolve (a Java application) to manually examine different bit planes visually. Alternatively, steghide handles JPEG and BMP files. For a purely manual approach, a Python script using PIL can extract LSB values: pixel[0] & 1 gives the red channel LSB of each pixel.
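The manual approach mentioned above, as an added example that is not part of the original writeup: it generalizes `pixel[0] & 1` to any ordered set of channels and scans the common combinations for a flag marker. The cover pixels, the payload, and all function names are constructed for illustration; `load_pixels` assumes Pillow is installed and is only needed for a real file.

```python
# Added example (not from the original writeup). Pixels are (R, G, B, A) tuples.
CHANNEL_INDEX = {"r": 0, "g": 1, "b": 2, "a": 3}

def embed_lsb(pixels, channels, payload):
    """Write payload bits (MSB first) into the LSB of each selected channel."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels) * len(channels):
        raise ValueError("cover image too small for payload")
    out, pos = [], 0
    for px in pixels:
        px = list(px)
        for ch in channels:
            if pos < len(bits):
                idx = CHANNEL_INDEX[ch]
                px[idx] = (px[idx] & ~1) | bits[pos]  # only the lowest bit changes
                pos += 1
        out.append(tuple(px))
    return out

def extract_lsb(pixels, channels="rgb", bit=0):
    """Read one bit per selected channel in row-major order, packed MSB first."""
    out, acc, count = bytearray(), 0, 0
    for px in pixels:
        for ch in channels:
            acc = (acc << 1) | ((px[CHANNEL_INDEX[ch]] >> bit) & 1)
            count += 1
            if count == 8:
                out.append(acc)
                acc = count = 0
    return bytes(out)

def scan(pixels, marker=b"picoCTF{", combos=("r", "g", "b", "rgb", "bgr")):
    """Return {channel combo: recovered text} for streams containing marker."""
    hits = {}
    for combo in combos:
        data = extract_lsb(pixels, combo)
        start = data.find(marker)
        end = data.find(b"}", start) if start != -1 else -1
        if end != -1:
            hits[combo] = data[start:end + 1]
    return hits

def load_pixels(path):
    """Load a real PNG as RGBA tuples (requires Pillow; unused by the demo)."""
    from PIL import Image
    raw = Image.open(path).convert("RGBA").tobytes()
    return [tuple(raw[i:i + 4]) for i in range(0, len(raw), 4)]

# Constructed cover image and constructed payload, for demonstration only.
COVER = [((x * 7) % 256, (x * 13) % 256, (x * 29) % 256, 255) for x in range(400)]
PAYLOAD = b"picoCTF{constructed_example}"
STEGO = embed_lsb(COVER, "b", PAYLOAD)
```

On a downloaded image, `scan(load_pixels("milkslap.png"))` runs the same search; an empty result means the data uses a bit plane, channel order, or scan direction outside the combinations tried here.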

Flag

picoCTF{...}

The flag was hidden in the least significant bits of the image's pixel data - a classic LSB steganography technique that is imperceptible to the naked eye.
