picoCTF - Forensics - St3g0

Pascal Peinecke published in forensics picoctf

2022-04-06 235 words 2 minutes

Contents

Forensics - St3g0 - writeup

description

Download this featuredImage and find the flag.

Download featuredImage

writeup

Ok so let’s download the file first …

1
wget https://artifacts.picoctf.net/c/427/pico.flag.png

Let’s check the file type just to make sure we actually have a .png file here …

1
2
3
file pico.flag.png

pico.flag.png: PNG featuredImage data, 585 x 172, 8-bit/color RGBA, non-interlaced

Ok so it is in fact a PNG file.

Let’s check for any steganography using stegdetect

1
2
stegdetect ./pico.flag.png 
./pico.flag.png : error: Not a JPEG file: starts with 0x89 0x50

we get an error from stegdetect since steganography usually is only possible using JPEG files.

If I take a look at the hex bytes I can see the .PNG magic bytes of

1
2
3
4
hexdump -C -n 8 ./pico.flag.png

00000000  89 50 4e 47 0d 0a 1a 0a    |.PNG....|
00000008

So it is really a png file.

Looking at the hex dump I cannot seem to find anything remotely interesting …

Using the strings command I also did not find anything …

Using stegsolve also did not lead to anything …

After checking with zsteg for any hidden strings I found the flag!

1
2
3
4
zsteg -a -v pico.flag.png | grep picoCTF

b1,rgb,lsb,xy       .. text: "picoCTF{7h3r3_15_n0_5p00n_4706df81}$t3g0"
    00000000: 70 69 63 6f 43 54 46 7b  37 68 33 72 33 5f 31 35  |picoCTF{7h3r3_15|

So this is the flag:

1
picoCTF{7h3r3_15_n0_5p00n_4706df81}