St3g0

Published: July 20, 2023

Description

This picoCTF 2022 forensics challenge ships a PNG that hides data in the least significant bits of its pixel values. Run zsteg (or a similar LSB-extraction tool) to recover the embedded picoCTF flag.

Install zsteg (e.g., `gem install zsteg`) or use a prebuilt binary.

Run zsteg against the PNG and scan the reported channels for picoCTF{...}.

zsteg pico.flag.png
zsteg pico.flag.png > output.txt && grep -oE "picoCTF\{[^}]*\}" output.txt

Solution

The Introduction to Steganography Tools covers zsteg (used here for PNG LSB extraction) alongside steghide, stegcracker, binwalk, and Stegsolve.
  1. Step 1: Enumerate hidden channels
    `zsteg pico.flag.png` automatically tries the common LSB layouts (bit depths, channel orders and pixel-read orders) and prints every combination that yields readable text or a known file signature. One of the entries prints the flag outright.

    LSB steganography hides data in the least significant bits of pixel color values. In a 24-bit RGB image, each pixel has three channels (R, G, B) each with 8 bits (0-255). Changing the last 1-2 bits alters the color value by at most 1-3 out of 255 - a difference invisible to the human eye but detectable programmatically.

    zsteg is a Ruby tool that automatically tests many LSB configurations: different bit depths (1-8 bits), different channel orders (R, G, B, alpha), different read orders (row by row, column by column, etc.), and different encodings. It checks for known file signatures and readable strings in all combinations, making it far faster than manual analysis.

    PNG is the preferred carrier for LSB steganography because it uses lossless compression - every pixel value is stored exactly. JPEG uses lossy compression, which modifies pixel values during encoding and destroys hidden LSB data. This is why LSB tools expect a PNG (or uncompressed BMP) carrier, while JPEG-oriented tools such as steghide hide data in the image's DCT coefficients instead of in raw pixel bits.

  2. Step 2: Capture the flag
    Optionally redirect zsteg's output to a file and use grep/cut to isolate the line containing picoCTF{...}.

    Beyond zsteg, the steganography forensics toolkit includes: steghide (hides data in JPEG/BMP using passphrase encryption), stegsolve (Java GUI for visualizing individual bit planes and channel combinations), binwalk (detects and extracts embedded files based on magic bytes), and exiftool (reads/writes metadata in image files).

    In CTF competitions, when you receive an image, the standard checklist is: check file metadata with exiftool, run strings for readable text, try binwalk -e to extract embedded files, look for LSB payloads with zsteg (PNG/BMP), try steghide extract on JPEGs (with a passphrase, or stegcracker to brute-force one), and examine individual bit planes with Stegsolve. Each tool covers a different hiding technique, so a negative result from one says nothing about the others.

    Real-world steganography has been used in malware command-and-control: malware downloads seemingly innocent images from social media, extracts hidden commands from pixel data, and executes them - a technique that evades network monitoring because the traffic looks like ordinary image downloads. This technique is called stegomalware.
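
Both steps above boil down to one operation: take the lowest bit of every colour sample, repack the bits into bytes, and look for text. The following script is an added example, not code from this writeup or from zsteg, that does exactly that for the single layout zsteg labels b1,rgb,lsb,xy, using only the Python standard library. It writes a constructed cover PNG, hides a payload in the LSBs, parses the PNG back (chunk CRCs included) and searches the recovered bit plane for a picoCTF{...} pattern. Assumptions: payload bits are packed most-significant bit first within each byte (if an encoder packs them the other way round, the recovered text comes out bit-reversed per byte), the cover is 8-bit RGB, rows use PNG filter type 0, and the flag string embedded is a made-up sample, not the challenge flag.

```python
"""Added example: hand-rolled LSB embed/extract on a PNG, standard library only.
The bit layout mirrors the channel label zsteg prints as b1,rgb,lsb,xy:
1 bit per sample, channel order R,G,B, pixels row by row. Bits are packed
MSB-first within each payload byte (an assumption, see the lead-in)."""
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Length + type + body + CRC32 over type and body, as the PNG spec requires."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def write_png(width: int, height: int, rgb: bytes) -> bytes:
    """Serialize 8-bit RGB samples as a PNG, using filter type 0 (None) on every row."""
    assert len(rgb) == width * height * 3
    stride = width * 3
    raw = b"".join(b"\x00" + rgb[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 = RGB
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png(data: bytes):
    """Parse an 8-bit RGB PNG into (width, height, rgb) and verify chunk CRCs.
    Only filter type 0 rows are unfiltered, which is all write_png emits;
    a real-world cover usually needs the other four PNG filters as well."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, [], None, None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBBBBB", body)[:4]
            if (depth, colour) != (8, 2):
                raise ValueError("only 8-bit RGB is handled here")
        elif ctype == b"IDAT":
            idat.append(body)  # image data may be split over several IDAT chunks
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(b"".join(idat))
    stride = width * 3
    rows = []
    for y in range(height):
        row = raw[y * (stride + 1):(y + 1) * (stride + 1)]
        if row[0] != 0:
            raise ValueError("filter type %d not supported" % row[0])
        rows.append(row[1:])
    return width, height, b"".join(rows)


def embed_lsb(rgb: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive samples with the payload bits, MSB-first."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(rgb):
        raise ValueError("payload needs %d samples, cover has %d" % (len(bits), len(rgb)))
    out = bytearray(rgb)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # each sample moves by at most 1 out of 255
    return bytes(out)


def extract_lsb(rgb: bytes) -> bytes:
    """Gather the LSB of every sample and repack 8 bits per byte (the whole bit plane)."""
    out = bytearray()
    for i in range(0, len(rgb) - len(rgb) % 8, 8):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (rgb[i + j] & 1)
        out.append(byte)
    return bytes(out)


def find_flag(png: bytes):
    """Equivalent of 'zsteg | grep picoCTF' for this one layout: decode, take the bit plane, regex it."""
    _, _, rgb = read_png(png)
    m = re.search(rb"picoCTF\{[^}]*\}", extract_lsb(rgb))
    return m.group(0).decode() if m else None


def make_stego_png(payload: bytes, width: int = 32, height: int = 32) -> bytes:
    """Build a constructed cover (deterministic colour gradient) and hide payload in its LSBs."""
    cover = bytes((x * 7 + y * 13 + c * 31) & 0xFF
                  for y in range(height) for x in range(width) for c in range(3))
    return write_png(width, height, embed_lsb(cover, payload))


if __name__ == "__main__":
    png = make_stego_png(b"picoCTF{constructed_example_flag}")  # constructed sample, not the real flag
    print(find_flag(png))
```

Two things worth noticing: the CRC check in read_png is what makes the parser honest about corrupted or truncated carriers (zsteg warns about bad CRCs for the same reason), and extract_lsb pulls the entire bit plane rather than a fixed length, because in a real challenge you do not know how long the payload is. To cover the other layouts zsteg enumerates (2 or more bits per sample, channel orders such as bgr or rgba, column-major reads), the loop in extract_lsb is the only part that changes.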

Flag

picoCTF{7h3r3_15_n0_5p00n_a9a1...}

If zsteg isn't available, Stegsolve's bit-plane view (or a short script that reads the least significant bit of each channel) can also reveal the payload, though with more manual work. binwalk will not help here: it looks for embedded file signatures, not bit-level encodings.
