Description
Steghide without a passphrase extracts a ciphertext which must then be decoded with an Atbash cipher.
Setup
Use steghide to extract embedded data from the JPEG (no password needed).
Open the resulting encrypted.txt and run it through an Atbash substitution cipher.
wget https://artifacts.picoctf.net/c/237/atbash.jpgsteghide extract -sf atbash.jpg -p ''cat encrypted.txtSolution
Want to try it yourself first?
The guided walkthrough reveals hints one step at a time.
Step 1
Extract the payloadObservationI noticed the challenge provided a JPEG file (atbash.jpg) and the name 'hidetosee' implied something was concealed inside the image, which suggested using steghide, the standard tool for embedding and extracting hidden data from JPEG files via DCT coefficient manipulation.Run steghide extract -sf atbash.jpg -p ''. The -p '' flag passes an empty passphrase non-interactively (handy in scripts and CI), and steghide writes encrypted.txt to the current directory.What didn't work first
Tried: Run zsteg on atbash.jpg to find hidden data.
zsteg only analyzes PNG and BMP files using LSB (Least Significant Bit) techniques; it cannot read JPEG files at all and will error out. Steghide is the correct tool here because it uses DCT coefficient manipulation specific to JPEG, not LSB embedding.
Tried: Run steghide extract -sf atbash.jpg without the -p '' flag and press Enter when prompted for a passphrase.
In interactive mode steghide expects you to type the passphrase and press Enter; pressing Enter submits an empty string which should work, but omitting -p '' entirely in a script causes steghide to hang waiting for terminal input. Using -p '' passes the empty passphrase non-interactively and works reliably in both manual and scripted contexts.
Learn more
Steghide hides data inside JPEG and BMP images by slightly modifying the DCT (Discrete Cosine Transform) coefficients of a JPEG or the pixel values of a BMP. The changes are statistically designed to be imperceptible to the human eye and to pass chi-square steganalysis. Data is optionally encrypted with a passphrase before embedding; when no passphrase is set (as in this challenge), steghide still performs the embedding but uses an empty key, so supplying no password at extraction time succeeds.
The
-sfflag means "stego file" - the file that carries the hidden payload. Steghide embeds a small header inside the image that records the original filename and size of the payload, which is why it knows to writeencrypted.txton extraction. This header is itself hidden using the same statistical technique, so it does not appear in a hex dump.Common steghide detection methods include: looking for the tool's characteristic frequency distribution shifts, running stegdetect, or simply always attempting extraction with blank/common passwords on any JPEG encountered in a forensics challenge.
Step 2
Decode with AtbashObservationI noticed the extracted file was named encrypted.txt and the challenge artifact was called atbash.jpg, which directly named the Atbash cipher and suggested applying that classical substitution to decode the ciphertext into the flag.Drop the ciphertext into CyberChef, apply the Atbash recipe, and copy the resulting picoCTF flag.Learn more
Atbash is one of the oldest known ciphers, originally used to encode Hebrew scripture. The mapping reflects every letter to its mirror position:
E(x) = 25 - xin zero-based indexing (A=0...Z=25). Because25 - (25 - x) = x, the cipher is its own inverse - apply once to encrypt, again to decrypt.Mapping: A B C D E ... M N ... X Y Z | | | | | | | | | | Z Y X W V ... N M ... C B A Worked example on 'kbXL': k(10) -> 25 - 10 = 15 -> 'p' b(1) -> 25 - 1 = 24 -> 'y' (case preserved) X(23) -> 25 - 23 = 2 -> 'C' L(11) -> 25 - 11 = 14 -> 'O' Result: 'pyCO' ... continue across the rest of the ciphertext to land on 'picoCTF{...}'. Self-inverse property (round trip): kbXL --atbash--> pyCO --atbash--> kbXL Two applications return the original, which is why one Atbash recipe in CyberChef both encrypts and decrypts; you never need a separate "decrypt" button.Atbash has zero key space (only one possible mapping), so it offers no real security. CTF challenges use it to test familiarity with classical ciphers. The challenge name hidetosee combines both techniques: hide (steghide) reveals something you need to see (decode).
Interactive tools
- StegallDrop any file and Stegall runs every applicable steg technique in parallel: LSB sweeps, bit planes, spectrograms, polyglot carving, metadata, whitespace decode, and a 6-layer base/ROT/XOR/zlib cascade. Recursively unpacks results and surfaces flag matches.
- Hex ViewerView text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
- Strings ExtractorPull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.
Flag
Reveal flag
picoCTF{atbash_crack_05...}
The challenge name is the hint; Atbash is the only transformation required.