picoCTF Forensics Guide

here's how to solve information

Back to the Forensics Guides

information

Name: information
Description: Files can always be changed in a secret way. Can you find the flag? cat.jpg
Author: susie
Tags: Easy, Forensics, picoCTF 2021
Challenge from: picoCTF 2021
Files: cat.jpg
Hints:
1. Look at the details of the file
2. Make sure to submit the flag as picoCTF{XXXXX}

Theory

According to the description, I'm not entirely sure about this, but this might be another challenge about getting metadata from images, so yeah, again this is a steganography challenge, we'll use stuff like exiftool or zsteg, but we'll see that after downloading the image, yay.

Solution

First, let's download the image:

shukularuni-picoctf@webshell:~$ wget https://mercury.picoctf.net/static/7cf6a33f90deeeac5c73407a1bdc99b6/cat.jpg
--2025-04-26 16:52:21--  https://mercury.picoctf.net/static/7cf6a33f90deeeac5c73407a1bdc99b6/cat.jpg
Resolving mercury.picoctf.net (mercury.picoctf.net)... 18.189.209.142
Connecting to mercury.picoctf.net (mercury.picoctf.net)|18.189.209.142|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 878136 (858K) [application/octet-stream]
Saving to: 'cat.jpg'

cat.jpg                                                             100%[=================================================================================================================================================================>] 857.55K  1.86MB/s    in 0.5s    

2025-04-26 16:52:21 (1.86 MB/s) - 'cat.jpg' saved [878136/878136]

shukularuni-picoctf@webshell:~$ ls 
cat.jpg

Now let's see the metadata with exiftools if it's here somewhere:

shukularuni-picoctf@webshell:~$ exiftool cat.jpg 
ExifTool Version Number         : 12.40
File Name                       : cat.jpg
Directory                       : .
File Size                       : 858 KiB
File Modification Date/Time     : 2021:03:15 18:24:46+00:00
File Access Date/Time           : 2025:04:26 16:52:21+00:00
File Inode Change Date/Time     : 2025:04:26 16:52:21+00:00
File Permissions                : -rw-rw-r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.02
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Current IPTC Digest             : 7a78f3d9cfb1ce42ab5a3aa30573d617
Copyright Notice                : PicoCTF
Application Record Version      : 4
XMP Toolkit                     : Image::ExifTool 10.80
License                         : cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9
Rights                          : PicoCTF
Image Width                     : 2560
Image Height                    : 1598
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 2560x1598
Megapixels                      : 4.1

Yup, there it is! Base64 as usual, so let's just decode it with the Base64 decoder I always use:

BASE64 DECODE (Base64Decode.com)

INPUT: cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9

OUTPUT: picoCTF{the_m3tadata_1s_modified}

There we go! That's the flag.

I rated this level as "not good"! :(

https://play.picoctf.org/practice/challenge/408

Explore My Website