Description
A bright red PNG hides an obvious poem plus a suspicious Base64 blob in the LSB plane. Run an LSB scanner, grab the repeating string, and decode it to recover the flag.
Setup
Install zsteg (Ruby + `gem install zsteg`) so you can scan the RGBA bit planes quickly.
Run zsteg on the PNG and note the `b1,rgba,lsb,xy` entry that dumps the long Base64 string.
```bash
sudo apt install ruby ruby-dev
sudo gem install zsteg
zsteg red.png
```
Solution
- Step 1: Extract the Base64 payload. The zsteg output contains the entire flag repeated multiple times: `cGljb0NUR...` Copy one occurrence of that Base64 string.
- Step 2: Decode to text. Use CyberChef’s From Base64 recipe or Linux’s `base64 -d` tool to decode the string into ASCII. The plaintext is already formatted as a picoCTF flag.

  ```bash
  echo "cGljb0NURntyM2RfMXNfdGgzX3VsdDFtNHQzX2N1cjNfZjByXzU0ZG4zNTVffQ==" | base64 -d
  ```
Flag
picoCTF{r3d_1s_th3_ult1m4t3_cur3_f0r_54dn...}
Any LSB tool works; zsteg just makes it a one-command extraction.
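What such an LSB tool does for the `b1,rgba,lsb,xy` plane can be written in a few lines. The sketch below is an added example, not part of the original write-up or of zsteg: it works on already-decoded RGBA pixel tuples, uses a constructed cover image and message, and assumes the bits are packed most-significant-first. The helper names (`embed_lsb`, `extract_lsb`, `recover`) are hypothetical.

```python
import base64
import binascii
import re

# A run of Base64 characters with optional padding; '=' ends each repetition.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def embed_lsb(pixels, payload):
    """Write payload bits into the LSB of each R,G,B,A value, row by row."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    flat = [c for px in pixels for c in px]
    if len(bits) > len(flat):
        raise ValueError("payload does not fit in the cover image")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & 0xFE) | bit
    return [tuple(flat[i:i + 4]) for i in range(0, len(flat), 4)]

def extract_lsb(pixels):
    """Collect bit 0 of every channel in R,G,B,A order (MSB-first: assumed)."""
    bits = [c & 1 for px in pixels for c in px]
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)

def recover(pixels):
    """Return the first Base64 run in the LSB stream, decoded, or None."""
    match = B64_RUN.search(extract_lsb(pixels))
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(0), validate=True)
    except binascii.Error:
        return None  # looked like Base64 but was not a valid encoding

# Constructed sample: 16x16 solid-red RGBA cover carrying a constructed
# message, Base64-encoded and repeated three times like the challenge payload.
COVER = [(255, 0, 0, 255)] * 256
SECRET = b"demo{constructed_flag}"
STEGO = embed_lsb(COVER, base64.b64encode(SECRET) * 3)

if __name__ == "__main__":
    print(extract_lsb(STEGO)[:40])   # start of the raw LSB stream
    print(recover(STEGO))
```

For a real file, the pixel tuples can come from Pillow's `Image.open(path).convert("RGBA").getdata()`. Each channel value changes by at most 1, which is why the stego image still looks uniformly red.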