picoCTF Solutions
picoCTF 2021ForensicsMedium

Weird File picoCTF 2021 Solution

Published: April 2, 2026

Description

What's in this weird file? Download challenge.elf.

Setup

Download the challenge file.

bash
wget https://mercury.picoctf.net/static/.../challenge.elf

Solution

Walk me through it
  1. Step 1Identify the real file type
    Despite the .elf extension, the file is not an ELF binary. Run the file command to read the magic bytes: it reports a GIMP XCF image (GIMP's native layered-image format). The misleading extension is the whole point.
    bash
    file challenge.elf
    Learn more

    The file command reads the first few bytes (the magic bytes) of a file to determine its true type, ignoring the filename extension entirely. A GIMP XCF file begins with the ASCII signature gimp xcf, so file identifies it as "GIMP XCF image data" no matter what the name says.

    This matters in CTFs and in real triage: files are routinely mislabeled to confuse analysts or evade extension-based filters. Always identify a file by its magic bytes, never by its name or extension alone.

  2. Step 2Open the XCF in GIMP and inspect its layers
    Open the file in GIMP (rename it to challenge.xcf if you like, but GIMP opens it either way). XCF preserves the full layer stack of a GIMP project, so open the Layers dialog (Windows -> Dockable Dialogs -> Layers) and look at every layer, not just the one shown on top.
    bash
    gimp challenge.elf
    bash
    # In GIMP: Windows -> Dockable Dialogs -> Layers
    Learn more

    XCF is GIMP's native project format. Unlike a flat PNG or JPEG, it stores the entire editing state: every layer, its visibility, opacity, and blend mode. That makes it a natural hiding place - a layer can sit underneath an opaque layer, or have its visibility turned off, so the rendered image looks innocent while extra content waits in the layer stack.

    The Layers dialog lists each layer with an eye icon for visibility. The flag is on a layer that is hidden or obscured by the layer above it.

  3. Step 3Reveal the hidden layer and read the flag
    Toggle the visibility (eye icon) of each layer, or reorder/hide the top layer, or drop the opacity of the covering layer, until the hidden layer's text is exposed. The flag is rendered as text on that layer; read it straight off the canvas.
    bash
    # In GIMP's Layers dialog:
    bash
    #   - toggle the eye icon on each layer, and/or
    bash
    #   - drag the covering layer below, and/or
    bash
    #   - lower the covering layer's opacity
    bash
    # until the flag text is visible on the canvas.
    Learn more

    Toggling layer visibility (the eye icon) or moving the obscuring layer out of the way exposes whatever is underneath. Because the flag is drawn as visible text on the hidden layer, no extraction tooling is needed once it is on top - you simply read it.

    The lesson: layered image formats (XCF, PSD, multi-page TIFF) carry far more than the flat preview suggests. When you get one in a forensics challenge, open it in its native editor and walk the full layer stack.

Flag

picoCTF{...}

The .elf file is actually a GIMP XCF image. Open it in GIMP and reveal the hidden layer (toggle visibility / reorder / lower opacity of the covering layer) to read the flag text off the canvas.

Want more picoCTF 2021 writeups?

Browse picoCTF 2021Full library

Tools used in this challenge

Related reading

What to try next