picoCTF Solutions
picoCTF 2022ForensicsMedium

St3g0

Published: July 20, 2023Updated: December 9, 2025

Description

A PNG hides data in its least significant bits. Run zsteg (or similar tools) to uncover the embedded picoCTF flag.

Setup

Download pico.flag.png

Install zsteg (e.g., `gem install zsteg`) or use a prebuilt binary.

Run zsteg against the PNG and scan the reported channels for picoCTF{...}.

zsteg pico.flag.png
zsteg pico.flag.png > output.txt && grep -oE "picoCTF\{.*\}" output.txt

Solution

  1. Step 1Enumerate hidden channels
    `zsteg pico.flag.png` automatically checks common LSB encodings. One of the entries prints the flag outright.
  2. Step 2Capture the flag
    Optionally redirect zsteg’s output to a file and use grep/cut to isolate the picoCTF line.

Flag

picoCTF{7h3r3_15_n0_5p00n_a9a1...}

If zsteg isn’t available, tools like stegsolve or binwalk can also reveal the payload, though with more manual work.