picoCTF Solutions
picoCTF 2023ForensicsMedium

hideme

Published: April 26, 2023Updated: December 9, 2025

Description

Every file gets a flag.

The SOC analyst saw one image been sent back and forth between two people. They decided to investigate and found out that there was more than what meets the eye here.

Setup

Download flag.png

Download the flag.png file from the artifacts server.

wget https://artifacts.picoctf.net/c/260/flag.png

Solution

  1. Step 1Analyze the PNG file with binwalk
    Run binwalk to identify embedded data in the PNG file. The output shows a ZIP archive embedded at offset 0x9B7C containing a secret/flag.png file:
    binwalk flag.png
    DECIMALHEXDESCRIPTION
    00x0PNG image, 512 x 504, 8-bit/color RGBA, non-interlaced
    410x29Zlib compressed data, compressed
    397390x9B3BZip archive data, at least v1.0 to extract, name: secret/
    398040x9B7CZip archive data, at least v2.0 to extract, compressed size: 2944, uncompressed size: 3095, name: secret/flag.png
    429830xA7E7End of Zip archive, footer length: 22
  2. Step 2Extract the embedded ZIP archive
    Unzip the PNG file directly (you could also use binwalk -e flag.png):
    unzip flag.png
  3. Step 3Navigate and view the flag
    Change to the secret directory and open the flag image:
    cd secret
    eog flag.png
    Note: eog is a Linux image viewer and can be installed with sudo apt install eog

Flag

picoCTF{Hiddinng_An_i...678a337}

The flag is displayed in the image and can be seen with an image viewer.