Hide Me

Writeups PicoCTF Forensics Steganography

Category: Forensics
Difficulty: Medium
https://play.picoctf.org/practice/challenge/350


Summary

The challenge provided a file named flag.png. At first glance, it appeared to be a normal PNG image. However, deeper inspection revealed a hidden ZIP archive embedded within the file. Extracting and exploring this archive led to a secret folder containing another PNG file, which held the flag.


Steps to Solve

1. File Analysis with strings

I began by running the strings command on flag.png to extract any printable ASCII characters. Among some irrelevant data, I noticed this string:

secret/flag.pngUT

This hinted at the possibility of additional data hidden within the PNG file, potentially organized in a directory structure.

2. Hex Analysis with ImHex

I opened the file in a hex editor (ImHex) to inspect its binary content manually. However, I didn’t find anything immediately useful or indicative of the hidden data.

3. File Carving with binwalk

I used binwalk to analyze the file for embedded data or file signatures. The output revealed something interesting:

$ binwalk flag.png

DECIMAL    HEXADECIMAL    DESCRIPTION
--------------------------------------------------------------------------------
0          0x0            PNG image, total size: 39739 bytes
39739      0x9B3B         ZIP archive, file count: 2, total size: 3319 bytes

This confirmed that the PNG file contained an embedded ZIP archive.

4. Extracting the Embedded ZIP

I used the binwalk -e flag.png command to extract the contents of the ZIP archive. The extraction resulted in the following directory structure:

extractions/
└── flag.png.extracted
    └── 9B3B
        └── secret
            └── flag.png

5. Recovering the Flag

Inside the secret directory, I found a second PNG file named flag.png. Viewing this file revealed the flag:

picoCTF{...redacted...}