Description
A log file contains a base64-encoded image. Decode the image to find the flag.
Setup
Download the encoded file from the challenge page.
Solution
Step 1
Locate the base64 block
Observation
I noticed the challenge description mentioned a base64-encoded image hidden inside a log file, which suggested the first step was to isolate the encoded payload from the surrounding log noise before any decoding could happen.
Open the file and find the large base64-encoded block. It may be labeled or appear as a long string of alphanumeric characters with + and / characters. Extract it to a separate file.
    grep -o '[A-Za-z0-9+/=]\{100,\}' encoded_data.txt > b64_block.txt
Expected output (from file flag_image.png, run after the decode in Step 2)
flag_image.png: PNG image data, 800 x 600, 8-bit/color RGB, non-interlaced
What didn't work first
Tried: Use strings on the log file to find the flag directly without extracting the base64 block first.
strings will print every printable sequence in the file, including fragments of the base64 blob split across many lines, but the flag is encoded inside binary image data - not stored as a plaintext string. The flag only becomes readable after the base64 is decoded back to an image, so strings produces no flag-shaped output.
Tried: Use grep with a shorter minimum length like 20 characters instead of 100 to capture the base64 block.
A 20-character minimum matches dozens of short tokens, field names, and log timestamps that happen to use alphanumeric characters, producing a multi-line output that cannot be decoded as a single valid base64 blob. The 100-character threshold ensures only the full encoded payload is selected, which is orders of magnitude longer than any normal log field.
Learn more
Base64 is an encoding scheme that converts arbitrary binary data into a printable ASCII string using only 64 safe characters: A-Z, a-z, 0-9, +, and /, with = used for padding. It is not encryption - it is purely a representation change that makes binary data safe to embed in text-based formats (JSON, XML, email, HTTP headers, log files).
Base64 is immediately recognizable by its character set and the length formula: every 3 bytes of binary data become exactly 4 base64 characters. Image data produces very long strings of these characters - a typical 50KB image becomes roughly 67KB of base64 text. The regex [A-Za-z0-9+/=]\{100,\} matches any run of 100 or more valid base64 characters, which filters out short tokens and isolated words while capturing the full encoded payload.
Embedding binary data as base64 in log files is common in real-world applications: HTTP request/response logging may include base64-encoded payloads, and malware analysts often encounter base64-encoded shellcode or executables hidden inside log entries or configuration files. Recognizing the pattern and knowing how to extract it is a key forensics skill.
Step 2
Decode to an image
Observation
I noticed the extracted block consisted entirely of valid base64 characters including '+', '/', and '=' padding, which confirmed it was a complete encoded binary payload and suggested running base64 -d to recover the original image file.
Decode the base64 block to binary. The result is a PNG or JPEG image file.
    base64 -d b64_block.txt > flag_image.png
    file flag_image.png
What didn't work first
Tried: Run base64 -d directly on the original log file instead of the extracted block.
The full log file contains non-base64 characters (spaces, colons, brackets, timestamps) between and around the encoded payload. base64 -d will either error out on the first invalid character or silently produce garbled binary output that does not match any valid image format. The extraction step is necessary to isolate the clean base64 string before decoding.
Tried: Use openssl enc -d -base64 instead of base64 -d to decode the block.
openssl enc -d -base64 is stricter about whitespace and padding than GNU base64 - if the extracted block has any trailing newline issues or the length is not a multiple of 4, openssl will fail with a 'bad decrypt' or 'error reading input file' message. GNU base64 -d handles these edge cases more gracefully and is the standard tool for this task.
Learn more
base64 -d reads base64-encoded text from stdin or a file and outputs the original binary data. The -d (decode) flag reverses the encoding. The output is redirected into a file with the expected extension, but always run file afterward to confirm the type - the base64 content determines the actual format, not the extension you give it.
If the base64 block contains whitespace or newlines (common when it was copy-pasted or stored across multiple log lines), you may need to strip them first:
    tr -d '\n ' < b64_block.txt | base64 -d > flag_image.png
The GNU base64 tool is tolerant of newlines, but some implementations require clean input.
Running file after decoding validates your work - if it reports a recognized image format, the extraction succeeded. If it says "data" or "ASCII text," the block may have been trimmed, incorrectly extracted, or encoded with a variant alphabet (such as URL-safe base64 that uses - and _ instead of + and /).
Step 3
Open the image
Observation
I noticed the file command confirmed the decoded output was a valid PNG image, which indicated the flag was rendered visually inside the image and required opening it in an image viewer to read it.
Open the decoded image in any image viewer. The flag is rendered as small text inside the image - zoom in to read it clearly.
    eog flag_image.png
Learn more
Flags embedded visually inside image files are a common technique in CTF forensics challenges. Unlike steganography (which hides data invisibly), this approach simply renders the flag as text or a graphic within the image - it requires decoding the image file correctly before it becomes visible. Zooming in is often necessary because the text can be small or placed in a corner.
If the image is difficult to read due to color contrast or size, image processing tools can help. convert from ImageMagick can resize, adjust contrast, or convert color channels:
    convert flag_image.png -resize 400% -threshold 50% zoomed.png
For very small text, running the image through an OCR tool like tesseract may recover the flag automatically.
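Added example, not part of the original walkthrough: Steps 1 and 2 in Python, generalized to the cases the Learn more notes mention (a payload wrapped across lines, the URL-safe alphabet, missing padding), with the file check done as a magic-byte test. The function names and the sample log are constructed for illustration.

```python
import base64
import re

# Added example; all names below are illustrative, not from the challenge.
B64 = r"[A-Za-z0-9+/_-]"  # standard alphabet plus the URL-safe - and _
# One long run, optionally continued on following lines that hold only base64.
RUN = re.compile(rf"{B64}{{40,}}(?:\r?\n{B64}+(?=[\r\n=]|\Z))*={{0,2}}")
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}


def decode_blob(text):
    """Decode standard or URL-safe base64, tolerating line wraps and missing padding."""
    s = re.sub(r"\s+", "", text).rstrip("=")
    s = s.translate(str.maketrans("-_", "+/"))
    if len(s) % 4 == 1:
        raise ValueError("truncated base64: no padding can repair this length")
    return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)


def sniff(data):
    """Name the image type from its leading magic bytes, as `file` would."""
    return next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), None)


def extract_image(log_text, min_len=100):
    """Return (kind, data) for the longest run that decodes to an image, else None."""
    runs = sorted((m.group(0) for m in RUN.finditer(log_text)), key=len, reverse=True)
    for run in runs:
        if len(re.sub(r"\s+", "", run)) < min_len:
            continue
        try:
            data = decode_blob(run)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if sniff(data):
            return sniff(data), data
    return None


# Constructed sample: PNG signature plus filler bytes, not a renderable image.
SAMPLE = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) + b"\x00"
SAMPLE_LOG = (
    "2024-05-01T10:00:01Z INFO session=" + "A" * 120 + "\n"
    '2024-05-01T10:00:02Z DEBUG upload body="' + base64.b64encode(SAMPLE).decode() + '"\n'
    "2024-05-01T10:00:03Z INFO request complete\n"
)

if __name__ == "__main__":
    print(extract_image(SAMPLE_LOG)[0])
```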
Interactive tools
- Stegall: Drop any file and Stegall runs every applicable steg technique in parallel: LSB sweeps, bit planes, spectrograms, polyglot carving, metadata, whitespace decode, and a 6-layer base/ROT/XOR/zlib cascade. Recursively unpacks results and surfaces flag matches.
- Hex Viewer: View text or raw hex bytes as a xxd-style hex dump with byte offset, hex columns, and ASCII sidebar. Highlights printable characters and null bytes.
- Strings Extractor: Pull printable text from any binary, library, or image. ASCII and UTF-16 detection, configurable minimum length, flag-like highlight, no command line needed.
Flag
picoCTF{forensics_analysis_is_amazing_...}
Fixed flag, confirmed consistent across multiple independent verified solutions.