flags are stepic

Published: April 2, 2025
Updated: December 9, 2025

Description

A seemingly harmless “Country Flags” gallery hides a covert message from the Upanzi Network. Inspect the list of flags, identify the odd entry, and extract the hidden data from its PNG.

Spin up the challenge instance and browse the provided gallery URL.

View the page source (or curl it) to list every country entry and locate the suspicious one.

Download the referenced PNG so you can run a local stego decoder.

```
curl http://standard-pizzas.picoctf.net:56409/ > index.html
wget http://standard-pizzas.picoctf.net:56409/flags/upz.png
```

Solution

  1. Step 1: Spot the rogue flag
    Scrolling through the gallery reveals “Upanzi, Republic The,” which links to `flags/upz.png` instead of a legitimate flag. Upanzi is a CyLab Africa reference and clearly the embedded clue.
  2. Step 2: Install Stepic
    The writeup used Python’s Stepic package to decode the LSB payload. Create a virtual environment (optional) and install Stepic via pip or your package manager.
    ```
    python3 -m venv venv && source venv/bin/activate
    pip install stepic
    ```
  3. Step 3: Decode the PNG
    Feed the Upanzi PNG to Stepic with the `-d` flag. The program pulls the embedded ASCII string from the least-significant bits and prints the picoCTF flag.
    ```
    stepic -i upz.png -d
    ```
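
The bit layout the decoder in step 3 reads, as an added example (not code from the original writeup and not Stepic's own source). It assumes Stepic's scheme is: each payload byte spans three RGB pixels, the LSBs of the first eight channel values hold the byte MSB-first, and the ninth LSB marks the last byte. The names `embed`, `extract`, `changed_channels`, the cover pixels and the payload are constructed for illustration.

```python
# Added example: Stepic-style LSB layout on raw RGB tuples (no Pillow needed).
# Assumed layout: each payload byte spans 3 pixels (9 channel values); the LSBs
# of the first 8 values hold the byte MSB-first, the 9th LSB is 1 on the last byte.

def embed(pixels, payload):
    """Return a copy of `pixels` (list of (r, g, b)) carrying `payload` bytes."""
    if not payload:
        raise ValueError("payload must not be empty")
    if len(payload) * 3 > len(pixels):
        raise ValueError("cover image too small for payload")
    out = list(pixels)
    for i, byte in enumerate(payload):
        # Clear every LSB in the 3-pixel group, then write the 8 data bits.
        group = [v & ~1 for px in pixels[3 * i:3 * i + 3] for v in px[:3]]
        for j in range(8):
            group[j] |= (byte >> (7 - j)) & 1
        if i == len(payload) - 1:
            group[8] |= 1  # end-of-message marker
        out[3 * i:3 * i + 3] = [tuple(group[0:3]), tuple(group[3:6]), tuple(group[6:9])]
    return out

def extract(pixels):
    """Read bytes until a group's 9th LSB is set; raise if no marker is found."""
    data = bytearray()
    for i in range(0, len(pixels) - 2, 3):
        group = [v for px in pixels[i:i + 3] for v in px[:3]]  # px[:3] skips alpha
        byte = 0
        for v in group[:8]:
            byte = (byte << 1) | (v & 1)
        data.append(byte)
        if group[8] & 1:
            return bytes(data)
    raise ValueError("no end marker found; image probably carries no payload")

def changed_channels(before, after):
    """Count channel values that differ, showing how small the footprint is."""
    return sum(a != b for p, q in zip(before, after) for a, b in zip(p, q))

# Constructed 8x8 cover image and constructed payload (not the challenge data).
COVER = [((x * 31) % 256, (y * 17) % 256, (x * y) % 256) for y in range(8) for x in range(8)]
SAMPLE = b"picoCTF{example}"

if __name__ == "__main__":
    stego = embed(COVER, SAMPLE)
    print(extract(stego), changed_channels(COVER, stego), "of", len(COVER) * 3)
```

To run `extract` on the downloaded file, pass it `list(Image.open("upz.png").convert("RGB").getdata())` from Pillow.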

Flag

picoCTF{fl4g_h45_fl4ga66...}

Any other LSB steganography decoder (zsteg, StegSolve, etc.) works too; the payload is short plaintext.