hideme picoCTF 2023 Solution

Published: April 26, 2023

Description

Every file gets a flag.

The SOC analyst saw one image being sent back and forth between two people. They decided to investigate and found out that there was more than what meets the eye here.

Download the flag.png file from the artifacts server.

bash
wget https://artifacts.picoctf.net/c/260/flag.png
Not sure what binwalk does or when to use it? The Introduction to Steganography Tools post explains binwalk alongside zsteg, steghide, and Stegsolve.
  1. Step 1: Analyze the PNG file with binwalk
    Run binwalk to identify embedded data in the PNG. The zlib stream at 0x29 (decimal 41) is just the start of the image's own IDAT pixel data (8-byte PNG signature + 25-byte IHDR chunk + 8-byte IDAT length and type = 41), not a hidden payload. The interesting hits are the two ZIP local file headers (PK\x03\x04): 0x9B3B is the entry for the secret/ directory and 0x9B7C is the entry for secret/flag.png, whose 2944 compressed bytes follow immediately after that header. The end-of-central-directory record at 0xA7E7 confirms that a complete ZIP archive has been appended after the PNG's IEND chunk.
    bash
    binwalk flag.png
    DECIMAL    HEX       DESCRIPTION
    0          0x0       PNG image, 512 x 504, 8-bit/color RGBA, non-interlaced
    41         0x29      Zlib compressed data, compressed
    39739      0x9B3B    Zip archive data, at least v1.0 to extract, name: secret/
    39804      0x9B7C    Zip archive data, at least v2.0 to extract, compressed size: 2944, uncompressed size: 3095, name: secret/flag.png
    42983      0xA7E7    End of Zip archive, footer length: 22
    Learn more

    binwalk is a firmware and file analysis tool that scans a binary for known magic-byte signatures. It recognizes hundreds of file formats - ZIP, gzip, PNG, ELF, JPEG, and more - by comparing byte patterns at every offset against its signature database. When it finds a match, it reports the decimal and hexadecimal offset along with a human-readable description.

    This technique works because most file formats are self-delimiting: they start with a recognizable header (a "magic number") and often end with a trailer. A ZIP archive normally begins with a local file header, PK\x03\x04, and always ends with an end-of-central-directory record, PK\x05\x06; a PNG starts with \x89PNG\r\n\x1a\n and ends with an IEND chunk. Concatenating a valid PNG with a valid ZIP produces a file that image viewers display correctly (they stop at IEND and ignore trailing bytes) while ZIP-aware tools, which start from the end-of-central-directory record, see the appended archive. This is a classic polyglot file technique used in both steganography and malware delivery.

    In digital forensics, binwalk is routinely applied to firmware dumps, memory images, and suspicious attachments to surface embedded executables, configuration files, or compressed archives. The -e flag extracts all recognized components automatically, making it a powerful first step in any file analysis workflow.

  2. Step 2: Extract the embedded ZIP archive
    Unzip the PNG file directly (you could also use binwalk -e flag.png). unzip will warn about extra bytes at the beginning of the zipfile; that warning is expected here, since the "extra bytes" are the PNG itself:
    bash
    unzip flag.png
    Learn more

    Because the PNG file is simultaneously a valid ZIP archive (a polyglot), standard tools that look for the ZIP end-of-central-directory record at the end of the file will happily extract it. unzip reads that record, finds the central directory from it, and treats the gap between the offsets stored in the archive and where the data actually sits as leading junk to skip over (it reports this as "extra bytes at beginning or within zipfile" and continues), so unzip flag.png works exactly like unzip archive.zip.

    Alternatively, binwalk -e flag.png carves out all detected archives and writes them to a _flag.png.extracted/ directory. Both methods achieve the same result; the direct unzip call is slightly faster since binwalk would need to re-scan. In real forensic workflows, binwalk -e is preferred because it handles nested archives (archives within archives) and formats other than ZIP automatically.

  3. Step 3: Navigate and view the flag
    Change to the secret directory, confirm with file that the extracted file really is a PNG, then open it. The flag in this challenge is rendered into the pixels, so strings will only help if the text happens to be stored literally in the file; on a headless box, OCR is the fallback, and on a desktop any image viewer works.
    bash
    cd secret
    file flag.png
    strings flag.png | grep -i pico
    On a desktop you can also open it with any viewer (xdg-open flag.png, eog flag.png, or transfer to your local machine via scp). On WSL or a headless server, strings works if the flag is rendered as literal text in the file; otherwise use tesseract flag.png stdout for OCR.
    Learn more

    The extracted secret/flag.png is a separate, independent image file that contains the flag rendered as visible text. This two-layer approach - hiding a file-within-a-file, where the inner file is itself an image - is a straightforward demonstration of steganography by appending (distinct from bit-plane steganography where data is hidden within pixel values).

    When you have to fall back to OCR, treat the output as a hint rather than the answer: tesseract can confuse visually similar characters (0 and O, l and 1, I) and the underscore-separated words in a picoCTF flag, so check the result against the picoCTF{...} format before submitting. If the flag is purely visual and OCR is unreliable, transferring the file to a local machine with scp and opening it there is the most reliable approach.
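    The three steps above, condensed into one runnable example that is added to this writeup and is not part of the original page or of binwalk/unzip: it builds a small PNG+ZIP polyglot in memory (constructed data, not the challenge file), scans it for magic signatures the way binwalk does, locates the end-of-central-directory record and measures the leading "extra bytes" the way unzip does, and then pulls secret/flag.png out of the appended archive. The helper names, the 4x2 and 8x8 image sizes, and the pixel colour are all assumptions made for the example.

```python
"""Added example (not from the original writeup): PNG+ZIP polyglot built,
scanned and extracted in memory. All data below is constructed."""
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Minimal valid 8-bit RGBA PNG filled with one constant colour (assumed)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    # Each scanline: filter byte 0 followed by `width` RGBA pixels.
    raw = b"".join(b"\x00" + b"\x10\x20\x30\xff" * width for _ in range(height))
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw))
            + png_chunk(b"IEND", b""))


def make_polyglot(inner_png: bytes) -> bytes:
    """Outer PNG followed by a ZIP holding secret/flag.png (steganography by appending)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret/", b"")            # directory entry, like the binwalk hit at 0x9B3B
        zf.writestr("secret/flag.png", inner_png)
    return make_png(4, 2) + buf.getvalue()


# Signature database for the toy scanner (binwalk's real one is far larger).
SIGNATURES = {
    PNG_SIG: "PNG image",
    b"PK\x03\x04": "Zip local file header",
    b"PK\x01\x02": "Zip central directory entry",
    b"PK\x05\x06": "End of Zip archive",
}


def scan(data: bytes) -> list:
    """binwalk-style scan: (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def zip_prefix_length(data: bytes) -> int:
    """Number of bytes that precede the embedded ZIP (what unzip calls 'extra bytes').

    unzip works on a polyglot because it starts from the end-of-central-directory
    record, reads the central directory offset stored there, and treats the gap
    between that stored offset and the directory's real position as leading junk.
    """
    eocd = data.rfind(b"PK\x05\x06")
    if eocd == -1:
        raise ValueError("no end-of-central-directory record")
    # EOCD layout: sig(4) disk(2) cd_disk(2) n_here(2) n_total(2) cd_size(4) cd_off(4) comment_len(2)
    cd_size, cd_off = struct.unpack_from("<II", data, eocd + 12)
    actual_cd = eocd - cd_size
    if data[actual_cd:actual_cd + 4] != b"PK\x01\x02":
        raise ValueError("central directory not where EOCD says it is")
    return actual_cd - cd_off


def extract_hidden(data: bytes, name: str = "secret/flag.png") -> bytes:
    """Read one member from the appended ZIP; zipfile tolerates the PNG prefix."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    poly = make_polyglot(make_png(8, 8))
    for off, desc in scan(poly):
        print(f"{off:<8}{off:#010x}  {desc}")
    print("bytes before the ZIP:", zip_prefix_length(poly))
    inner = extract_hidden(poly)
    print("inner file is a PNG:", inner.startswith(PNG_SIG))
```

    The scan reports the outer PNG at offset 0, then the two local file headers and the central directory followed by the end-of-archive record, mirroring the shape of the binwalk output above; zip_prefix_length recovers exactly the size of the outer PNG, which is the same quantity unzip prints in its "extra bytes" warning. Python's zipfile applies the same offset correction, which is why extract_hidden needs no special handling.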

Flag

picoCTF{Hiddinng_An_i...678a337}

The flag is displayed in the image and can be seen with an image viewer.
