picoCTF Solutions
PathPart of the Digital Forensics path · Step 1 of 5: File Inspection and Metadata
picoCTF 2024ForensicsEasy

Scan Surprise

Published: April 3, 2024

Description

I've gotten bored of handing out flags as text. Wouldn't it be cool if they were an image instead?

Setup

QR decoding

Either download challenge.zip or SSH into atlas and cd ~/drop-in.

Ensure you have zbarimg installed if you want to decode locally.

wget https://artifacts.picoctf.net/c_atlas/3/challenge.zip && \
unzip challenge.zip && \
sudo apt install zbar-tools

Solution

  1. Step 1Locate flag.png
    Inside the extracted challenge directory, flag.png contains the QR code. If you SSHed in, it lives in ~/drop-in/flag.png.
    Learn more

    QR codes (Quick Response codes) are two-dimensional barcodes that encode data using a grid of black and white squares. They were invented in 1994 by Denso Wave for tracking automotive parts and can store URLs, plain text, contact information, or arbitrary binary data up to about 3 KB.

    In CTFs, QR codes are a common steganography-adjacent technique: the flag is hidden in plain sight but requires a specific tool to read. The image is not encrypted - a QR reader recovers the data with no key or password. The "security" is purely through obscurity.

    • QR codes include built-in error correction (up to 30% of the code can be damaged or obscured and still decode correctly).
    • The three large squares in the corners are finder patterns that help scanners locate and orient the code.
    • For forensics challenges, QR codes can also be found embedded in PDFs, inside other images, or even represented as ASCII art.
  2. Step 2Scan the code
    Use zbarimg flag.png (or a phone camera) to read the embedded text. zbarimg prints picoCTF{...} directly to stdout.
    zbarimg flag.png
    Learn more

    zbar is an open-source library and command-line suite for reading barcodes and QR codes from images and video streams. zbarimg takes an image file and prints all detected codes to stdout in the format TYPE:data, making it perfect for piping into grep or other tools.

    Alternatives include qrdecode, Python's pyzbar library, and online tools like ZXing Decoder. Phone cameras are also completely valid - modern iOS and Android detect QR codes natively in the camera viewfinder without any additional app.

    For offline/CTF use, zbarimg is the most scriptable: you can run it inside a loop over a directory of images, or pipe its output directly to the flag checker, making it efficient when challenges contain multiple QR codes or when you need to process images programmatically.

Flag

picoCTF{p33k_@_b00_a81...}

Scanning the QR code reveals the flag instantly.

Want more picoCTF 2024 writeups?

Browse picoCTF 2024Full library

Useful tools for Forensics

Related reading

What to try next