RED

Published: April 2, 2025

Description

A bright red PNG hides an obvious poem plus a suspicious Base64 blob in the LSB plane. Run an LSB scanner, grab the repeating string, and decode it to recover the flag.

Install zsteg (Ruby + `gem install zsteg`) so you can scan the RGBA bit planes quickly.

Run zsteg on the PNG and note the `b1,rgba,lsb,xy` entry that dumps the long Base64 string.

sudo apt install ruby ruby-dev
sudo gem install zsteg
zsteg red.png

Solution

New to steganography tools? The Introduction to Steganography Tools post covers zsteg, steghide, binwalk, and more - including exactly when to reach for each one.
  1. Step 1: Extract the Base64 payload
    The zsteg output contains the entire flag repeated multiple times: `cGljb0NUR...` Copy one occurrence of that Base64 string.

    LSB (Least Significant Bit) steganography hides data in the lowest-order bit of each color channel in an image. A pixel's RGB values each contribute one bit of hidden data, so a 1-megapixel image can hide approximately 375 kilobytes of payload while remaining visually indistinguishable from the original - the color difference caused by flipping a single bit is below human perception threshold.

    zsteg is a Ruby tool that systematically tests all combinations of bit planes (bits 1 through 8 of each channel), channel combinations (R, G, B, A and their combinations), and byte orderings (LSB-first vs. MSB-first, row-by-row vs. column-by-column). When it finds a coherent result - printable text, known file headers, or recognized encoding patterns - it labels the entry and prints the data. The `b1,rgba,lsb,xy` notation means: bit plane 1 (LSB) of RGBA channels, in least-significant-bit order, scanning left-to-right then top-to-bottom.

    Other steganography detection tools serve different purposes: steghide handles password-protected JPEG/BMP embedding, stegsolve provides a GUI for visualizing individual bit planes, and binwalk detects appended files or embedded archives. The choice of tool depends on the file format and embedding technique suspected.

  2. Step 2: Decode to text
    Use CyberChef's From Base64 recipe or Linux's `base64 -d` tool to decode the string into ASCII. The plaintext is already formatted as a picoCTF flag.
    echo "cGljb0NURntyM2RfMXNfdGgzX3VsdDFtNHQzX2N1cjNfZjByXzU0ZG4zNTVffQ==" | base64 -d

    Finding the same Base64-encoded flag repeated multiple times in the LSB data reveals that the challenge author embedded enough copies to ensure retrieval even if some LSB bits are corrupted by image processing (like JPEG re-encoding). PNG is lossless, so corruption is not an issue here, but the repetition also makes the payload easy to spot - any LSB scanner that finds a long run of the same pattern flags it immediately.

    The `base64 -d` command (or `base64 --decode`) reads Base64 input and writes raw bytes. The echo approach works for single-line strings, but for multi-line or padded input, piping from a file is more reliable: `base64 -d < encoded.txt`. CyberChef's "Magic" operation can auto-detect encoding schemes and chain decoders, which is useful when the exact encoding isn't immediately obvious.

    From a defensive perspective, LSB steganography is used in the real world for both legitimate purposes (digital watermarking of media to prove ownership or detect leaks) and malicious purposes (hiding malware configuration, command-and-control instructions, or exfiltrated data in innocuous-looking images). Network DLP solutions struggle to detect LSB steganography because the images appear valid and the hidden data has no file signature to match.
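As an added example (not part of the original writeup, and not zsteg's own code), the Python below reproduces the `b1,rgba,lsb,xy` extraction described in Step 1 on a constructed 8x8 RGBA pixel array and applies the repetition check from Step 2: it finds the shortest repeating unit in the recovered LSB bytes and Base64-decodes one copy. The pixel array, payload and image size are constructed fixtures; a real PNG would be loaded with a library such as Pillow into the same flat list of (R,G,B,A) tuples.

```python
import base64
import re

# Constructed fixture: an 8x8 RGBA image (flat list of (R,G,B,A) tuples) whose LSB
# plane carries a Base64 payload written back to back, as the challenge PNG does.
PAYLOAD = base64.b64encode(b"flag{demo}")   # b'ZmxhZ3tkZW1vfQ==' (16 bytes)
WIDTH, HEIGHT = 8, 8                         # 64 pixels * 4 channels = 256 LSB bits

def embed_b1_rgba_lsb_xy(payload, width, height):
    """Fill a red image and write `payload` (cycled) into bit 1 of R,G,B,A,
    least-significant bit of each byte first, row by row. Test fixture only."""
    bits = [(byte >> j) & 1 for byte in payload for j in range(8)]
    pixels, i = [], 0
    for _ in range(width * height):
        channels = []
        for base in (220, 30, 30, 255):          # mostly-red, opaque pixel
            channels.append((base & ~1) | bits[i % len(bits)])
            i += 1
        pixels.append(tuple(channels))
    return pixels

def extract_b1_rgba_lsb_xy(pixels, width, height):
    """Reproduce zsteg's b1,rgba,lsb,xy channel: bit 1 of R,G,B,A per pixel,
    scanned left-to-right then top-to-bottom, packed least-significant-bit first."""
    bits = [v & 1 for y in range(height) for x in range(width)
            for v in pixels[y * width + x]]
    return bytes(sum(bits[i + j] << j for j in range(8))
                 for i in range(0, len(bits) - len(bits) % 8, 8))

def smallest_period(data):
    """Length of the shortest prefix that, repeated, reproduces `data`
    (len(data) if nothing repeats). A short period is the 'repeated payload' signal."""
    for p in range(1, len(data) + 1):
        if all(data[i] == data[i % p] for i in range(len(data))):
            return p
    return len(data)

def recover_repeated_base64(lsb_bytes):
    """Take one copy of the repeating unit, keep only its Base64 run, and decode it."""
    unit = lsb_bytes[:smallest_period(lsb_bytes)]
    m = re.search(rb"[A-Za-z0-9+/]{8,}={0,2}", unit)
    return base64.b64decode(m.group(0)) if m else None

if __name__ == "__main__":
    img = embed_b1_rgba_lsb_xy(PAYLOAD, WIDTH, HEIGHT)
    raw = extract_b1_rgba_lsb_xy(img, WIDTH, HEIGHT)
    print(raw)                                   # the payload, twice, back to back
    print(recover_repeated_base64(raw))          # b'flag{demo}'
```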

Flag

picoCTF{r3d_1s_th3_ult1m4t3_cur3_f0r_54dn...}

Any LSB tool works; zsteg just makes it a one-command extraction.
