Flag in Flame

Published: April 2, 2026

Description

A log file contains a base64-encoded image. Decode the image to find the flag.

Download the encoded file from the challenge page.

Solution

  1. Step 1: Locate the base64 block
    Open the file and find the large base64-encoded block. It may be labeled or appear as a long string of alphanumeric characters with + and / characters. Extract it to a separate file.
    grep -o '[A-Za-z0-9+/=]\{100,\}' encoded_data.txt > b64_block.txt

    Base64 is an encoding scheme that converts arbitrary binary data into a printable ASCII string using only 64 safe characters: A-Z, a-z, 0-9, +, and /, with = used for padding. It is not encryption - it is purely a representation change that makes binary data safe to embed in text-based formats (JSON, XML, email, HTTP headers, log files).

    Base64 is immediately recognizable by its character set and the length formula: every 3 bytes of binary data become exactly 4 base64 characters. Image data produces very long strings of these characters - a typical 50KB image becomes roughly 67KB of base64 text. The regex [A-Za-z0-9+/=]\{100,\} matches any run of 100 or more valid base64 characters, which filters out short tokens and isolated words while capturing the full encoded payload.

    Embedding binary data as base64 in log files is common in real-world applications: HTTP request/response logging may include base64-encoded payloads, and malware analysts often encounter base64-encoded shellcode or executables hidden inside log entries or configuration files. Recognizing the pattern and knowing how to extract it is a key forensics skill.

  2. Step 2: Decode to an image
    Decode the base64 block to binary. The result is a PNG or JPEG image file.
    base64 -d b64_block.txt > flag_image.png
    file flag_image.png

    base64 -d reads base64-encoded text from stdin or a file and outputs the original binary data. The -d (decode) flag reverses the encoding. The output is redirected into a file with the expected extension, but always run file afterward to confirm the type - the decoded content determines the actual format, not the extension you give it.

    If the base64 block contains whitespace or newlines (common when it was copy-pasted or stored across multiple log lines), you may need to strip them first: tr -d '\n ' < b64_block.txt | base64 -d > flag_image.png. The GNU base64 tool is tolerant of newlines, but some implementations require clean input.

    Running file after decoding validates your work - if it reports a recognized image format, the extraction succeeded. If it says "data" or "ASCII text," the block may have been trimmed, incorrectly extracted, or encoded with a variant alphabet (such as URL-safe base64 that uses - and _ instead of + and /).

  3. Step 3: Open the image
    Open the decoded image in any image viewer. The flag is rendered as small text inside the image - zoom in to read it clearly.
    eog flag_image.png

    Flags embedded visually inside image files are a common technique in CTF forensics challenges. Unlike steganography (which hides data invisibly), this approach simply renders the flag as text or a graphic within the image - it requires decoding the image file correctly before it becomes visible. Zooming in is often necessary because the text can be small or placed in a corner.

    If the image is difficult to read due to color contrast or size, image processing tools can help. convert from ImageMagick can resize, adjust contrast, or convert color channels: convert flag_image.png -resize 400% -threshold 50% zoomed.png. For very small text, running the image through an OCR tool like tesseract may recover the flag automatically.
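Steps 1 and 2 can also be done in one pass that handles the failure cases mentioned above (URL-safe alphabet, lost padding, a trimmed block) and checks magic bytes instead of trusting the extension. This is an added example, not part of the original write-up; the function names and the sample log lines are constructed for illustration, and it assumes each blob sits on a single log line.

```python
import base64
import re

# Runs of 100+ characters from the standard or URL-safe base64 alphabet.
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{100,}={0,2}")
# Leading bytes of the two image types the write-up expects.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}

# Constructed sample: a PNG signature plus filler bytes, logged three ways.
SAMPLE_PAYLOAD = b"\x89PNG\r\n\x1a\n" + bytes(range(160, 256))
std_b64 = base64.b64encode(SAMPLE_PAYLOAD).decode()
url_b64 = base64.urlsafe_b64encode(SAMPLE_PAYLOAD).decode().rstrip("=")
SAMPLE_LOG = "\n".join([
    "10:00:01 INFO user=alice action=login session=abc123",
    f"10:00:02 DEBUG upload body={std_b64}",        # standard alphabet
    f"10:00:03 DEBUG upload body={url_b64}",        # URL-safe, padding lost
    f"10:00:04 DEBUG upload body={std_b64[:121]}",  # cut off mid-group
])

def sniff(data):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def decode_run(run):
    """Decode one run, tolerating URL-safe characters and lost padding."""
    body = run.rstrip("=").replace("-", "+").replace("_", "/")
    if len(body) % 4 == 1:  # impossible length: drop the dangling character
        body = body[:-1]
    return base64.b64decode(body + "=" * (-len(body) % 4))

def extract_images(log_text):
    """Return (kind, data) for every base64 run that decodes to an image."""
    found = []
    for match in B64_RUN.finditer(log_text):
        try:
            data = decode_run(match.group())
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        kind = sniff(data)
        if kind:
            found.append((kind, data))
    return found

if __name__ == "__main__":
    for kind, data in extract_images(SAMPLE_LOG):
        print(kind, len(data), "bytes")
```

A truncated block still identifies as an image here because the signature survives, but the file itself is incomplete and a viewer may refuse to open it.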

Flag

picoCTF{...}

Base64 encoding is commonly used to embed binary data (images, files) inside text formats like logs or JSON - always check large base64 blobs in text files for hidden payloads.
