HideToSee

Published: April 26, 2023

Description

Steghide without a passphrase extracts a ciphertext which must then be decoded with an Atbash cipher.

Use steghide to extract embedded data from the JPEG (no password needed).

Open the resulting encrypted.txt and run it through an Atbash substitution cipher.

wget https://artifacts.picoctf.net/c/237/atbash.jpg
steghide extract -sf atbash.jpg
cat encrypted.txt

Solution

steghide is one of several steg tools covered in the Introduction to Steganography Tools post, including installation, typical commands, and when each tool applies.
  1. Step 1: Extract the payload
    Run steghide extract -sf atbash.jpg. When prompted for a passphrase, leave it blank and the tool writes encrypted.txt.

    Steghide hides data inside JPEG and BMP images by slightly modifying the DCT (Discrete Cosine Transform) coefficients of a JPEG or the pixel values of a BMP. The changes are statistically designed to be imperceptible to the human eye and to pass chi-square steganalysis. Data is optionally encrypted with a passphrase before embedding; when no passphrase is set (as in this challenge), steghide still performs the embedding but uses an empty key, so supplying no password at extraction time succeeds.

    The -sf flag means "stego file" - the file that carries the hidden payload. Steghide embeds a small header inside the image that records the original filename and size of the payload, which is why it knows to write encrypted.txt on extraction. This header is itself hidden using the same statistical technique, so it does not appear in a hex dump.

    Common steghide detection methods include: looking for the tool's characteristic frequency distribution shifts, running stegdetect, or simply always attempting extraction with blank/common passwords on any JPEG encountered in a forensics challenge.

  2. Step 2: Decode with Atbash
    Drop the ciphertext into CyberChef, apply the Atbash recipe, and copy the resulting picoCTF flag.

    Atbash is one of the oldest known ciphers, originally used to encode Hebrew scripture. It is a simple monoalphabetic substitution cipher where every letter is replaced by its mirror image in the alphabet: A↔Z, B↔Y, C↔X, and so on. The cipher is its own inverse - applying Atbash twice returns the original text - so the same operation is used for both encryption and decryption.

    Because it has no key (there is only one possible Atbash mapping), it offers no real security. It is trivially broken by frequency analysis or by simply recognizing the pattern. CTF challenges use Atbash to test familiarity with classical ciphers, which are often the starting point before moving to more complex cryptography.

    The challenge name hidetosee combines both techniques: hide (steghide) reveals something you need to see (decode). Learning to combine tool outputs - extract then decode - is a core CTF skill applicable to multi-stage forensics and crypto challenges at every difficulty level.
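The decode step can also be done in the terminal instead of CyberChef. The script below is an added example, not part of the original writeup: the function names are hypothetical and the sample ciphertext is constructed, not the real challenge output. It also shows how to recognize Atbash output, since the known picoCTF{ flag prefix always mirrors to the same string.

```shell
#!/bin/sh
# Added example: Atbash decoding for a file such as encrypted.txt.
# Function names are hypothetical; the sample ciphertext is constructed.

# atbash: read stdin and mirror each ASCII letter (A<->Z, a<->z).
# Digits, braces and underscores pass through, so the flag's shape survives.
atbash() {
    LC_ALL=C tr 'A-Za-z' 'ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba'
}

# looks_like_atbash_flag: succeed if stdin contains the Atbash image of the
# known flag prefix "picoCTF{". Only one mapping exists, so that image is fixed.
looks_like_atbash_flag() {
    prefix=$(printf '%s' 'picoCTF{' | atbash)
    grep -qF -- "$prefix"
}

# decode_file: decode a file only when it carries the mirrored prefix.
# Returns 1 if the file is unreadable, 2 if the prefix is not present.
decode_file() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    if looks_like_atbash_flag < "$1"; then
        atbash < "$1"
    else
        echo "no Atbash-encoded picoCTF{ prefix in $1" >&2
        return 2
    fi
}

# Constructed sample, decoded the same way encrypted.txt would be.
sample='krxlXGU{vcznkov_uozt_123}'
printf '%s\n' "$sample" | atbash

# After running steghide extract as in step 1:
#   decode_file encrypted.txt
```

Because the cipher is its own inverse, piping text through atbash twice returns the input unchanged.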

Related guides

Steganography Techniques for CTF Competitions

Covers LSB analysis with zsteg and Stegsolve, file-within-file extraction, metadata inspection, and the full triage workflow for stego challenges.

Flag

picoCTF{atbash_crack_05...}

The challenge name is the hint; Atbash is the only transformation required.
