Scan Surprise
Name: Scan Surprise
Description: I've gotten bored of handing out flags as text. Wouldn't it be cool if they were an image instead? You can download the challenge files here: challenge.zip The same files are accessible via SSH here: ssh -p 54295 ctf-player@atlas.picoctf.net Using the password 83dcefb7. Accept the fingerprint with yes, and ls once connected to begin. Remember, in a shell, passwords are hidden!
Author: Jeffery John
Tags: Easy, Forensics, picoCTF 2024, shell, browser_webshell_solvable, qr_code
Challenge from: picoCTF 2024
Files: challenge.zip
Hints:
1. QR codes are a way of encoding data. While they're most known for storing URLs, they can store other things too.
2. Mobile phones have included native QR code scanners in their cameras since version 8 (Oreo) and iOS 11
3. If you don't have access to a phone, you can also use zbar-tools to convert an image to text
Theory
According to the description, to get the flag we have to scan the QR code given to us in the zip file, so let's see what that is about.
Solution
Let's download the zip and get the image:
shukularuni-picoctf@webshell:~$ wget https://artifacts.picoctf.net/c_atlas/1/challenge.zip
--2025-04-19 16:25:52-- https://artifacts.picoctf.net/c_atlas/1/challenge.zip
Resolving artifacts.picoctf.net (artifacts.picoctf.net)... 3.160.22.128, 3.160.22.92, 3.160.22.43, ...
Connecting to artifacts.picoctf.net (artifacts.picoctf.net)|3.160.22.128|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 731 [application/octet-stream]
Saving to: 'challenge.zip'
challenge.zip 100%[=================================================================================================================================================================>] 731 --.-KB/s in 0s
2025-04-19 16:25:52 (531 MB/s) - 'challenge.zip' saved [731/731]
shukularuni-picoctf@webshell:~$ unzip challenge.zip
shukularuni-picoctf@webshell:~$ ls
challenge.zip home
shukularuni-picoctf@webshell:~$ cd home
shukularuni-picoctf@webshell:~$ ls
ctf-player
shukularuni-picoctf@webshell:~$ cd ctf-player
shukularuni-picoctf@webshell:~$ ls
drop-in
shukularuni-picoctf@webshell:~$ cd drop-in
shukularuni-picoctf@webshell:~$ ls
flag.png
Let's check what's in the QR code:
GET INFO FROM QR CODE
INPUT: flag.png
OUTPUT: picoCTF{p33k_@_b00_3f7cf1ae}
There we go! That's the flag.
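The decode step can also be done in the same shell with zbar-tools, which the third hint names. This is an added example, not part of the original writeup: it decodes every PNG under the extracted directory with zbarimg and keeps only flag-shaped strings. The function names extract_flags and scan_dir are made up for this example, and it assumes zbar-tools is installed.

```shell
#!/bin/sh
# Added example (not from the original writeup).
# Assumes zbar-tools is installed so that `zbarimg` is on PATH.

# Read decoder output on stdin and print each distinct picoCTF-style flag.
# zbarimg prefixes results with the symbology (e.g. "QR-Code:") unless
# --raw is given; matching the token itself handles both forms.
extract_flags() {
    grep -oE 'picoCTF\{[^}]+\}' | sort -u
}

# Decode every PNG below directory $1 and print the flags found.
#   -q     suppress zbarimg's summary line
#   --raw  print only the decoded data, without the symbology prefix
# Images that contain no barcode make zbarimg exit non-zero; find just
# moves on to the next file.
scan_dir() {
    find "$1" -type f -name '*.png' -exec zbarimg -q --raw {} \; 2>/dev/null \
        | extract_flags
}

# Run only when a directory is passed, e.g.:  sh scan.sh home/ctf-player/drop-in
if [ "$#" -gt 0 ]; then
    scan_dir "$1"
fi
```

The decoded payload is only ever handled as text here; nothing in it is opened or executed, which is how any scanned QR content should be treated.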
I rated this level as "good"! :3
https://play.picoctf.org/practice/challenge/444