Flag in Flame picoMini by CMU-Africa Solution

Published: April 2, 2026

Description

A log file contains a base64-encoded image. Decode the image to find the flag.

Download the encoded file from the challenge page.

Solution

  1. Step 1
    Locate the base64 block
    Observation
    I noticed the challenge description mentioned a base64-encoded image hidden inside a log file, which suggested the first step was to isolate the encoded payload from the surrounding log noise before any decoding could happen.
    Open the file and find the large base64-encoded block. It may be labeled or appear as a long string of alphanumeric characters with + and / characters. Extract it to a separate file.
    bash
    grep -o '[A-Za-z0-9+/=]\{100,\}' encoded_data.txt > b64_block.txt

    Expected output (from file flag_image.png, run in Step 2)

    flag_image.png: PNG image data, 800 x 600, 8-bit/color RGB, non-interlaced
    What didn't work first

    Tried: Use strings on the log file to find the flag directly without extracting the base64 block first.

    strings will print every printable sequence in the file, including fragments of the base64 blob split across many lines, but the flag is encoded inside binary image data - not stored as a plaintext string. The flag only becomes readable after the base64 is decoded back to an image, so strings produces no flag-shaped output.

    Tried: Use grep with a shorter minimum length like 20 characters instead of 100 to capture the base64 block.

    A 20-character minimum matches dozens of short tokens, field names, and log timestamps that happen to use alphanumeric characters, producing a multi-line output that cannot be decoded as a single valid base64 blob. The 100-character threshold ensures only the full encoded payload is selected, which is orders of magnitude longer than any normal log field.

    Learn more

    Base64 is an encoding scheme that converts arbitrary binary data into a printable ASCII string using only 64 safe characters: A-Z, a-z, 0-9, +, and /, with = used for padding. It is not encryption - it is purely a representation change that makes binary data safe to embed in text-based formats (JSON, XML, email, HTTP headers, log files).

    Base64 is immediately recognizable by its character set and the length formula: every 3 bytes of binary data become exactly 4 base64 characters. Image data produces very long strings of these characters - a typical 50KB image becomes roughly 67KB of base64 text. The regex [A-Za-z0-9+/=]\{100,\} matches any run of 100 or more valid base64 characters, which filters out short tokens and isolated words while capturing the full encoded payload.

    Embedding binary data as base64 in log files is common in real-world applications: HTTP request/response logging may include base64-encoded payloads, and malware analysts often encounter base64-encoded shellcode or executables hidden inside log entries or configuration files. Recognizing the pattern and knowing how to extract it is a key forensics skill.

  2. Step 2
    Decode to an image
    Observation
    I noticed the extracted block consisted entirely of valid base64 characters including '+', '/', and '=' padding, which confirmed it was a complete encoded binary payload and suggested running base64 -d to recover the original image file.
    Decode the base64 block to binary. The result is a PNG or JPEG image file.
    bash
    base64 -d b64_block.txt > flag_image.png
    bash
    file flag_image.png
    What didn't work first

    Tried: Run base64 -d directly on the original log file instead of the extracted block.

    The full log file contains non-base64 characters (spaces, colons, brackets, timestamps) between and around the encoded payload. base64 -d will either error out on the first invalid character or silently produce garbled binary output that does not match any valid image format. The extraction step is necessary to isolate the clean base64 string before decoding.

    Tried: Use openssl enc -d -base64 instead of base64 -d to decode the block.

    openssl enc -d -base64 is stricter about whitespace and padding than GNU base64 - if the extracted block has any trailing newline issues or the length is not a multiple of 4, openssl will fail with a 'bad decrypt' or 'error reading input file' message. GNU base64 -d handles these edge cases more gracefully and is the standard tool for this task.

    Learn more

    base64 -d reads base64-encoded text from stdin or a file and outputs the original binary data. The -d (decode) flag reverses the encoding. The output is redirected into a file with the expected extension, but always run file afterward to confirm the type - the base64 content determines the actual format, not the extension you give it.

    If the base64 block contains whitespace or newlines (common when it was copy-pasted or stored across multiple log lines), you may need to strip them first: tr -d '\n ' < b64_block.txt | base64 -d > flag_image.png. The GNU base64 tool is tolerant of newlines, but some implementations require clean input.

    Running file after decoding validates your work - if it reports a recognized image format, the extraction succeeded. If it says "data" or "ASCII text," the block may have been trimmed, incorrectly extracted, or encoded with a variant alphabet (such as URL-safe base64 that uses - and _ instead of + and /).

  3. Step 3
    Open the image
    Observation
    I noticed the file command confirmed the decoded output was a valid PNG image, which indicated the flag was rendered visually inside the image and required opening it in an image viewer to read it.
    Open the decoded image in any image viewer. The flag is rendered as small text inside the image - zoom in to read it clearly.
    bash
    eog flag_image.png
    Learn more

    Flags embedded visually inside image files are a common technique in CTF forensics challenges. Unlike steganography (which hides data invisibly), this approach simply renders the flag as text or a graphic within the image - it requires decoding the image file correctly before it becomes visible. Zooming in is often necessary because the text can be small or placed in a corner.

    If the image is difficult to read due to color contrast or size, image processing tools can help. convert from ImageMagick can resize, adjust contrast, or convert color channels: convert flag_image.png -resize 400% -threshold 50% zoomed.png. For very small text, running the image through an OCR tool like tesseract may recover the flag automatically.

Interactive tools
  • Stegall: Drop any file and Stegall runs every applicable steg technique in parallel: LSB sweeps, bit planes, spectrograms, polyglot carving, metadata, whitespace decode, and a 6-layer base/ROT/XOR/zlib cascade. Recursively unpacks results and surfaces flag matches.
  • Hex Viewer: View text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
  • Strings Extractor: Pull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.

Flag

picoCTF{forensics_analysis_is_amazing_...}

Fixed flag, confirmed consistent across multiple independent verified solutions.

Key takeaway

Base64 is a transport encoding, not a security measure: it maps binary bytes to printable ASCII using a fully public alphabet, and anyone who recognizes the character set can reverse it instantly. Attackers and malware authors routinely use base64 to smuggle payloads through text-only channels like log fields, JSON values, and email bodies, counting on analysts to overlook the blob. Forensic triage of any suspicious file should include scanning for long high-entropy base64 runs, decoding them, and identifying the resulting binary type. URL-safe base64 (using '-' and '_' instead of '+' and '/') is a common variant that trips up naive extraction regexes.
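
The triage described above as a short Python script, added here as an example and not part of the original writeup: it extends the Step 1 regex to the URL-safe alphabet, restores stripped padding, and names the decoded type from its magic bytes. The log lines, PAYLOAD and the function names are constructed for illustration.

```python
import base64
import binascii
import re

# Runs of 100+ characters from the standard or URL-safe alphabet, optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{100,}={0,2}")
URLSAFE_TO_STD = str.maketrans("-_", "+/")

# Leading bytes of a few formats; decoded content decides the type, not a file name.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\xff\xd8\xff": "JPEG image",
    b"GIF8": "GIF image",
    b"\x7fELF": "ELF executable",
    b"MZ": "PE/DOS executable",
}

def identify(data):
    """Name the format from magic bytes, or 'unknown' if none match."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def carve_base64(text):
    """Return (decoded_bytes, detected_type) for each long base64 run in text."""
    results = []
    for match in B64_RUN.finditer(text):
        blob = match.group().rstrip("=").translate(URLSAFE_TO_STD)
        blob += "=" * (-len(blob) % 4)        # restore stripped padding
        try:
            data = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue                          # not decodable: skip the run
        results.append((data, identify(data)))
    return results

# Constructed sample: PNG signature plus filler bytes, not a real image.
PAYLOAD = b"\x89PNG\r\n\x1a\n" + b"\xfb\xff\xbf" * 40
SAMPLE_LOG = "\n".join([
    "2026-04-02T10:00:01 INFO request id=7f3a status=200",
    "2026-04-02T10:00:02 DEBUG body=" + base64.b64encode(PAYLOAD).decode(),
    "2026-04-02T10:00:03 DEBUG token="
    + base64.urlsafe_b64encode(PAYLOAD).decode().rstrip("="),
    "2026-04-02T10:00:04 DEBUG digest=" + "a3" * 64,   # hex run, also matches
])

if __name__ == "__main__":
    for data, kind in carve_base64(SAMPLE_LOG):
        print(f"{len(data):>4} bytes  {kind}")
```

The hex digest line decodes without error yet comes back as "unknown", which is why the type check after decoding matters as much as the regex.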
