Skip to main content
R4shSec
R4shSec

picoCTF WriteUp | Hidden In Plainsight

·1 min· loading · loading ·
PicoCTF CTF Easy Forensics PicoMini by CMU-Africa
R4shSec
Author
R4shSec
I like it when things work how they’re not supposed to.
Table of Contents

Introduction
#

Hey everyone 👋 — In this Capture The Flag (CTF), we are given a task to find the hidden payload in a file and extract the flag.

Hidden In Plainsight

Image
#

Downloading the file, we can see that it appears to be normal.

Image

If you’re on Linux, you can run sudo apt install exiftool or use an online EXIF viewer to check the metadata.

EXIF Data

It gives a comment which looks like a base64 string.

c3RlZ2hpZGU6Y0VGNmVuZHZjbVE9

Using an online Base64 decoder, it returns a string with the name of steghide and another base64 string.

Image 1
steghide:cEF6endvcmQ=

Decoding the content, cEF6endvcmQ=, returns the string, pAzzword.

Image 2

Steghide
#

The string in the comment, steghide, is actually a tool used to hide text in images. You can learn more about it here. I’m using Linux so I’ll run the command to install it which is:

sudo apt install steghide

We can then use it to extract the text using:

steghide extract -sf img.jpg

You can enter the flag previous string which is pAzzword.

Extract

Flag 🚩
#

Terminal 2
picoCTF{h1dd3n_1n_1m4g3_67479645}