MSB

Published: April 26, 2023

Description

Most-significant-bit steganography hides the flag in RGB channel bit 7. Use Stegsolve's data extractor to dump the relevant rows.

Install Stegsolve (or an equivalent tool) and open the provided PNG.

Use Analyse → Data Extract, set bit order to MSB First, and enable Red 7, Green 7, Blue 7. Scroll to the top of the extracted text.

wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar
chmod +x stegsolve.jar && java -jar stegsolve.jar

Solution

Stegsolve's bit-plane extraction is explained step-by-step in the Introduction to Steganography Tools post - including the exact settings to use for MSB vs LSB extraction.
  1. Step 1: Extract MSB data
    The textual payload appears when you extract only bit 7 of each color channel. Save the text and scan for picoCTF.

    In digital images each pixel's color is encoded as a set of channel values (Red, Green, Blue) typically stored as 8-bit integers (0–255). Each byte has 8 bit planes: bit 0 is the least significant bit (LSB) and bit 7 is the most significant bit (MSB). Changing bit 7 shifts a channel value by 128 - a very visible change. Changing bit 0 shifts it by 1 - imperceptible to the human eye.

    Classic LSB steganography hides data in bit 0, where changes are invisible. This challenge uses MSB steganography (bit 7) instead. Because the image was either chosen for its "natural" high-bit patterns or crafted for the purpose, the flag hidden in the MSB is not visually obvious. Stegsolve's data extractor reads the selected bits from every pixel in row-major order and concatenates them into a byte stream, which surfaces the hidden ASCII text.

    Stegsolve is a Java tool that provides bit-plane viewers, color filters, and frame analyzers. It is invaluable for CTF image steganography because it visualizes every bit plane at a glance - a pattern of text in an otherwise noisy bit plane is a dead giveaway that data is hidden there.

  2. Step 2: Search the dump
    Use grep or strings on the saved text file to locate the flag and copy it out (remove any spaces).
    strings text | grep pico

    After extraction, the raw byte stream may contain the flag interleaved with garbage bytes, or the flag may be contiguous. strings filters for sequences of printable ASCII characters of a minimum length (default 4), which naturally isolates human-readable content like picoCTF{...} from surrounding binary data.

    The grep pico pipe then narrows the output to only lines containing the flag prefix. This two-step pipeline - strings | grep pattern - is a general-purpose technique applicable to any binary file: ELF binaries, firmware dumps, memory captures, or steg output. It is often the fastest first step in any binary analysis task.

    If the flag contains spaces (a side effect of how bytes align to characters in the bit stream), the challenge note reminds you to remove them. This is common with MSB extraction because each character may be spread across multiple pixels whose bit-7 values don't land on perfect character boundaries.
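
The extraction and search steps above as a script, added here as an example and not part of the original writeup: it reads one bit plane from interleaved RGB bytes the way the Data Extract settings do (R, G, B per pixel, row-major, packed MSB first) and then filters for the flag. The function names and the sample image bytes are constructed for illustration; the sample flag is not the challenge flag.

```python
import random
import re

def extract_bitplane(rgb, bit=7):
    """Pack the chosen bit of every channel byte (R, G, B, R, G, B, ...) MSB first."""
    out = bytearray()
    acc = count = 0
    for value in rgb:
        acc = (acc << 1) | ((value >> bit) & 1)
        count += 1
        if count == 8:
            out.append(acc)
            acc = count = 0
    return bytes(out)  # trailing bits that do not fill a whole byte are dropped

def printable_runs(data, min_len=4):
    """Rough equivalent of `strings`: printable ASCII runs of at least min_len."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def find_flags(data):
    """Equivalent of `strings text | grep pico`, narrowed to the flag format."""
    return [f for run in printable_runs(data) for f in re.findall(r"picoCTF\{[^}]*\}", run)]

def build_sample(message, width=32, height=16, seed=1):
    """Constructed test input: random RGB bytes with `message` written into bit 7."""
    rng = random.Random(seed)
    pixels = bytearray(rng.randrange(256) for _ in range(width * height * 3))
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    for i, b in enumerate(bits):
        pixels[i] = (pixels[i] & 0x7F) | (b << 7)  # only bit 7 is touched
    return bytes(pixels)

SAMPLE_FLAG = b"picoCTF{constructed_example}"  # constructed, not the challenge flag
SAMPLE_RGB = build_sample(SAMPLE_FLAG)

if __name__ == "__main__":
    # For a real file (assumes Pillow is installed; image.png is a placeholder name):
    #   from PIL import Image
    #   rgb = Image.open("image.png").convert("RGB").tobytes()
    print("bit 7:", find_flags(extract_bitplane(SAMPLE_RGB, 7)))
    print("bit 0:", find_flags(extract_bitplane(SAMPLE_RGB, 0)))
```

Running the same extraction with bit=0 on the sample returns no flag, which is the LSB-versus-MSB difference the writeup describes.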

Flag

picoCTF{15_y0ur_que57...d55bee}

Only the most significant bits carry useful data, so LSB analysis will run but yield nothing.
