CanYouSee picoCTF 2024 Solution

Published: April 3, 2024

Description

How about some hide and seek?

Download the file and unzip it to expose ukn_reality.jpg.

All work happens locally with command-line tools.

bash
wget https://artifacts.picoctf.net/c_titan/6/unknown.zip && \
unzip unknown.zip
  1. Step 1: Inspect EXIF metadata
    Run exiftool to dump every field. The Attribution URL entry stands out because it holds a Base64-looking string instead of a normal URL.
    bash
    exiftool ukn_reality.jpg
    ...
    Attribution URL                : aGVsbG8gd29ybGQ=
    ...

    exiftool reads, writes, and edits metadata across a wide variety of file formats. Run it without arguments and it dumps every field it can find: EXIF, IPTC, XMP, ICC Profile, JFIF, and more. For forensics this broad dump is always the right first step.

    The Attribution URL is an XMP field typically used to credit the source of an image, so legitimate values look like https://example.com/photo. A long alphanumeric string with no slashes or dots is an obvious signal that something has been encoded into the field.

    Base64 uses only A-Z, a-z, 0-9, +, /, and = (padding). If a metadata field contains only these characters and its length is a multiple of 4, it's almost certainly Base64; short ordinary words can fit the same pattern, so confirm by decoding. Recognising that pattern in otherwise structured metadata is a core forensics reflex.

  2. Step 2: Extract just the encoded value
    A quick pipeline can isolate the Attribution URL value, strip whitespace, and hand the text to base64 -d. The decoded output is the entire flag.
    bash
    exiftool ukn_reality.jpg | grep "Attribution URL" | cut -d":" -f2- | tr -d " " | base64 -d

    The pipeline chains small Unix tools, each with a single responsibility: grep finds the line, cut -d":" -f2- takes everything after the first colon, tr -d " " strips whitespace, and base64 -d decodes the result.

    The trailing dash in -f2- is the important detail. -f2 alone takes only the second colon-delimited field, which would clip the value if the URL itself contained colons (e.g. https://...). -f2- means "field 2 to the end," which keeps embedded colons intact.

    base64 -d reverses Base64, a lossless encoding that maps arbitrary binary data into printable ASCII. Every 3 input bytes become 4 output characters, which is why the encoded string is roughly 33% longer than the data it carries.

    This grep, extract, decode pattern shows up constantly in CTFs and real forensics. The shell one-liner is faster than a GUI tool and the muscle memory transfers directly to log analysis and incident response.
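
The shape test from Step 1 and the first-colon split from Step 2, generalized to every field in the dump rather than one known tag. This is an added example, not part of the original writeup; the function names, the 8-character minimum and the printable-text check are assumptions, and the sample lines are constructed.

```bash
# Added example (POSIX sh, also runs under bash): read exiftool-style output
# on stdin and print "Tag<TAB>decoded" for every value that is shaped like
# Base64 and decodes to printable text.

find_b64_fields() (
  while IFS= read -r line; do
    # exiftool prints "Tag Name   : value"; split on the first ": " only,
    # the same idea as cut -f2-, so colons inside the value survive.
    case $line in *": "*) ;; *) continue ;; esac
    tag=${line%%:*}
    tag=${tag%"${tag##*[![:space:]]}"}   # trim the column padding
    value=${line#*: }
    # Shape test from the text: Base64 alphabet only, length a multiple of 4.
    case $value in ''|*[!A-Za-z0-9+/=]*) continue ;; esac
    body=${value%=}; body=${body%=}      # '=' may only be trailing padding
    case $body in *=*) continue ;; esac
    # Assumed threshold: ignore values shorter than 8 characters.
    [ "${#value}" -ge 8 ] && [ $(( ${#value} % 4 )) -eq 0 ] || continue
    # Ordinary words such as "Centered" pass the shape test, so also require
    # that the decoded bytes are printable text.
    decoded=$(printf '%s' "$value" | base64 -d 2>/dev/null) || continue
    junk=$(printf '%s' "$decoded" | LC_ALL=C tr -d '[:print:]')
    [ -n "$decoded" ] && [ -z "$junk" ] || continue
    printf '%s\t%s\n' "$tag" "$decoded"
  done
)

# Constructed sample in exiftool's layout; the encoded value is the
# placeholder shown in Step 1, not the real challenge data.
sample_output() {
  cat <<'EOF'
File Name                       : ukn_reality.jpg
Y Cb Cr Positioning             : Centered
Attribution URL                 : aGVsbG8gd29ybGQ=
Rights                          : https://example.com/photo
EOF
}

# Real use: exiftool ukn_reality.jpg | find_b64_fields
sample_output | find_b64_fields
```

Only the Attribution URL line is reported: "Centered" fits the alphabet and length rule but decodes to non-printable bytes, and the URL fails the alphabet test.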

Related guides

Steganography Tools for CTFs

exiftool is one of the workhorse stego tools. The guide covers it alongside steghide, zsteg, binwalk, and the other utilities that recover data from carrier files.

Flag

picoCTF{ME74D47A_HIDD3N_a6d...}

Decoding the Attribution URL entry reveals the complete flag shown above.
