flags are stepic

Published: April 2, 2025

Description

A seemingly harmless "Country Flags" gallery hides a covert message from the Upanzi Network. Inspect the list of flags, identify the odd entry, and extract the hidden data from its PNG.

Spin up the challenge instance and browse the provided gallery URL.

View the page source (or curl it) to list every country entry and locate the suspicious one.

Download the referenced PNG so you can run a local stego decoder.

```bash
curl http://standard-pizzas.picoctf.net:56409/ > index.html
wget http://standard-pizzas.picoctf.net:56409/flags/upz.png
```

Solution

The Introduction to Steganography Tools covers Stepic (used here) alongside zsteg, steghide, stegcracker, binwalk, and Stegsolve.
  1. Step 1: Spot the rogue flag
    Scrolling through the gallery reveals "Upanzi, Republic The," which links to `flags/upz.png` instead of a legitimate flag. Upanzi is a CyLab Africa reference and clearly the embedded clue.

    OSINT (Open Source Intelligence) and visual reconnaissance are important first steps in CTF challenges. When presented with a list of items, security researchers learn to look for anomalies - entries that don't belong, slightly misspelled names, unusual ordering, or references to fictional entities. "Upanzi" is a fictional African nation referenced in cybersecurity educational contexts, making it immediately suspicious in a list of real countries.

    Viewing page source is a fundamental web security technique. HTML comments, hidden form fields, unusual script tags, metadata, and data attributes often contain information that is not visible in the rendered page. Developers sometimes leave debug information, internal API endpoints, or - as in this challenge - clues to hidden functionality directly in the source code.

    The gallery structure is a common steganography delivery mechanism: embed a secret-carrying image among many innocuous images so that a casual observer sees only a normal image gallery. Finding the odd one out requires enumeration, which is why tools like curl combined with text search (grep) are useful for quickly scanning all entries programmatically rather than reading them visually.

  2. Step 2: Install Stepic
    The writeup used Python's Stepic package to decode the LSB payload. Create a virtual environment (optional) and install Stepic via pip or your package manager.
    ```bash
    python3 -m venv venv && source venv/bin/activate
    pip install stepic
    ```

    LSB steganography (Least Significant Bit) hides data by replacing the lowest-order bit of each color channel in every pixel with bits from the secret message. The change is visually imperceptible because flipping the LSB changes a pixel's color value by only 1 out of 255. A red pixel at value 200 (11001000) becomes 201 (11001001) - completely indistinguishable to the human eye.

    Stepic is a Python library that encodes and decodes messages hidden in PNG images using LSB steganography. The -d flag (decode) reads the LSB of each RGBA channel pixel by pixel, reconstructs the binary stream, and interprets it as text. It is a straightforward implementation that does not use passwords or additional encoding, making it easy to use but also easy to detect with forensic tools.

    Other popular LSB stego tools include zsteg (Ruby, scans multiple bit planes and color channel combinations), StegSolve (Java GUI tool that visualizes individual bit planes), and steghide (supports password-protected embedding in JPEG and BMP files). When a challenge does not specify which tool was used, zsteg is often the best first choice because it automatically tries many configurations.

  3. Step 3: Decode the PNG
    Feed the Upanzi PNG to Stepic with the `-d` flag. The program pulls the embedded ASCII string from the least-significant bits and prints the picoCTF flag.
    ```bash
    stepic -i upz.png -d
    ```

    The PNG format is particularly well-suited for steganography because it uses lossless compression. JPEG images use lossy compression, which discards fine-grained pixel differences during encoding - destroying LSB-embedded data in the process. PNG preserves every pixel value exactly, so LSB payloads survive saving and sharing. This is why most LSB steganography challenges use PNG or BMP files.

    Detecting LSB steganography statistically is possible through histogram analysis: LSB embedding creates subtle patterns in the distribution of pixel values that deviate from natural images. Tools like StegoVeritas and academic tools like StegExpose perform these statistical tests to detect the presence of hidden data without knowing the message content. In practice, simple single-bit LSB embedding is easily detected; more sophisticated algorithms like F5 and JPEG steganography with perceptual modeling are harder to detect.

    This challenge is a great introduction to the broader field of digital watermarking and information hiding, which has legitimate applications in copyright protection, covert communications research, and digital forensics (detecting when images have been modified or contain hidden content).
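
The LSB replacement from step 2 and the histogram detection from step 3, as an added example that is not part of the original writeup and is not Stepic's code. It assumes a generic one-bit-per-channel layout over a constructed list of channel values (no image library); the names `embed`, `extract` and `pair_chi_square` are hypothetical.

```python
import random

def embed(channels, payload):
    """Overwrite the LSB of successive channel values with payload bits, MSB first."""
    bits = [(byte >> s) & 1 for byte in payload for s in range(7, -1, -1)]
    if len(bits) > len(channels):
        raise ValueError("cover too small for payload")
    stego = list(channels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit
    return stego

def extract(channels, n_bytes):
    """Rebuild n_bytes from the LSBs of the first 8 * n_bytes channel values."""
    out = bytearray()
    for i in range(n_bytes):
        byte = 0
        for value in channels[8 * i:8 * i + 8]:
            byte = (byte << 1) | (value & 1)
        out.append(byte)
    return bytes(out)

def pair_chi_square(channels):
    """Pairs-of-values statistic: LSB replacement evens out the counts of
    each histogram pair (2k, 2k+1), so a low value is the suspicious one."""
    hist = [0] * 256
    for value in channels:
        hist[value] += 1
    chi = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected:
            chi += (hist[2 * k] - expected) ** 2 / expected
    return chi

# Constructed cover: 6000 channel values in which even values dominate each pair.
rng = random.Random(2025)
COVER = [2 * rng.randrange(60, 100) + (rng.random() < 0.2) for _ in range(6000)]
MESSAGE = b"constructed-sample-message"   # placeholder, not the challenge flag
SHORT = embed(COVER, MESSAGE)             # short plaintext payload
FULL = embed(COVER, bytes(rng.randrange(256) for _ in range(len(COVER) // 8)))

if __name__ == "__main__":
    print(extract(SHORT, len(MESSAGE)))
    print(max(abs(a - b) for a, b in zip(COVER, SHORT)))   # never more than 1
    for name, px in (("cover", COVER), ("short", SHORT), ("full", FULL)):
        print(name, round(pair_chi_square(px), 1))
```

The short payload touches only the first few hundred values, so its whole-image statistic stays close to the cover's, while the full-capacity payload collapses it.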

Flag

picoCTF{fl4g_h45_fl4ga66...}

Any other LSB steganography decoder (zsteg, StegSolve, etc.) works too; the payload is short plaintext.
