picoCTF Solutions
picoCTF 2021ForensicsHard

Very very very Hidden picoCTF 2021 Solution

Published: April 2, 2026

Description

Find the hidden flag. The flag is deeply nested inside the provided file - multiple layers of hidden content.

Setup

Download the challenge file.

Install the steg toolkit.

bash
wget https://mercury.picoctf.net/static/.../challenge
bash
sudo apt install steghide binwalk
bash
sudo gem install zsteg

Solution

Walk me through it
  1. Step 1Map the layer sequence
    The challenge nests several carriers. Outer file -> binwalk extract -> inner image -> zsteg LSB -> text-encoded layer -> final flag. Walk it one stage at a time and identify every file before reaching for a tool.
    bash
    file challenge
    bash
    binwalk challenge
    bash
    binwalk -e challenge
    bash
    ls -la _challenge.extracted/
    Learn more

    Why the order matters. Each layer uses a different stego technique, so each requires the right tool. Identify the file type with file first, pick the matching tool, and only move to the next layer when the current one yields a new artifact.

    • Layer 1: an outer container (PNG/ZIP/etc.) with an appended archive that binwalk can carve.
    • Layer 2: an inner image whose LSB plane carries data that zsteg dumps.
    • Layer 3: the LSB output is itself encoded text that decodes to the flag.
  2. Step 2Apply format-specific steg tools at each layer
    PNG/BMP -> zsteg. JPEG -> steghide. ZIP -> unzip. Inspect each extracted file with file before choosing a tool. Iterate until a layer yields plain text containing the flag.
    bash
    # PNG (covers most picoCTF carriers):
    bash
    zsteg extracted_file.png
    bash
    bash
    # JPEG:
    bash
    steghide info extracted_file.jpg
    bash
    steghide extract -sf extracted_file.jpg -p ''
    bash
    bash
    # Unknown binary:
    bash
    file extracted_file
    bash
    strings extracted_file | grep picoCTF
    Learn more

    Tools by carrier:

    • PNG: zsteg (LSB across planes), pngcheck (chunk validation), stegsolve (visual bit planes).
    • JPEG: steghide (passphrase-protected), jsteg, outguess.
    • WAV/MP3: spectrogram first, then mp3stego or deepsound.
    • PDF: pdftotext, inspect object streams with qpdf --qdf --object-streams=disable.
    • Archives: try empty password, password, ctf, picoCTF for ZIPs.

    About --run-as-root. Newer binwalk refuses to extract while running as root unless you pass --run-as-root. That's only relevant when the extraction directory is owned by root (e.g., extracting inside /root/); from a normal user shell it's unnecessary.

Flag

picoCTF{...}

Deeply nested steganography requires walking each layer in order: binwalk extract -> identify file type -> apply the right tool (zsteg for PNG LSB, steghide for JPEG) -> decode the resulting text.

Want more picoCTF 2021 writeups?

Browse picoCTF 2021Full library

Useful tools for Forensics

Related reading

What to try next