pico ctf







Riddle Registry (picoCTF Forensics Challenge)

The challenge involves finding a hidden flag within a PDF file named confidential.pdf. The file appears to contain only garbled text (like Lorem Ipsum) and blank spaces, indicating the flag is not visible in the main content. 

Key Steps to Solve:

  • Inspect File Metadata: Use exiftool to extract metadata from the PDF:

    exiftool confidential.pdf

    This reveals the Author field contains a Base64-encoded string:
    cGljb0NURntwdXp6bDNkX20zdGFkYXRhX2YwdW5kIV9jMjA3MzY2OX0=

  • Decode the Base64 String: Use a decoder to reveal the flag:

    echo "cGljb0NURntwdXp6bDNkX20zdGFkYXRhX2YwdW5kIV9jMjA3MzY2OX0=" | base64 -d

    Result: picoCTF{puzzl3d_m3tadata_f0und!_c2073669}

Why This Works:

  • PDFs store metadata (author, title, producer, etc.) that can hide secrets.

  • The Author field value ends with =, a common indicator of Base64 encoding.

  • This challenge emphasizes checking metadata first—often overlooked but highly effective in CTFs. 

✅ Flag: picoCTF{puzzl3d_m3tadata_f0und!_c2073669}
🛠 Tools used: exiftool, base64, strings, file
🔍 Tip: Always check metadata before diving into complex steganography.





Hidden in Plain Sight — picoCTF Challenge

The "Hidden in Plain Sight" challenge from picoCTF is a beginner-level digital forensics and steganography task. You're given a seemingly normal JPG image, with the hint: "something is tucked away out of sight." The goal is to uncover a hidden payload — the flag. 

Solution Steps

  1. Download the Image
    Use wget or curl to download the provided JPG file from the challenge link. 

  2. Inspect Metadata
    Use exiftool to examine the image’s metadata:

    exiftool img.jpg

    A suspicious Comment field is found:

    c3RlZ2hpZGU6Y0VGNmVuZHZjbVE9

  3. Decode the Base64 String
    The comment is Base64-encoded. Decode it:

    echo "c3RlZ2hpZGU6Y0VGNmVuZHZjbVE9" | base64 --decode

    Output:

    steghide:cEF6endvcmQ=

    This indicates the use of steghide with another Base64-encoded passphrase. 

  4. Decode the Passphrase
    Decode the second part:

    echo "cEF6endvcmQ=" | base64 --decode

    Output:

    pAzzword

  5. Extract Hidden Data with Steghide
    Use the passphrase to extract the embedded file:

    steghide extract -sf img.jpg -p "pAzzword"

    This extracts a file named flag.txt.

  6. Read the Flag

    cat flag.txt

    Output (example):

    picoCTF{h1dd3n_1n_1m4g3_e7f5b969}

Key Tools Used

  • exiftool: For metadata inspection

  • base64: For decoding

  • steghide: For extracting hidden data in images 

The challenge demonstrates how secrets can be hidden in plain sight using metadata and steganography — a common theme in cybersecurity CTFs. 
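
Both writeups above (Riddle Registry and Hidden in Plain Sight) come down to the same two moves: pull a metadata field out of the container, then peel off one or more Base64 layers. The following Python script is an added example, not code from picoCTF or from this post. It walks the JPEG marker segments to read COM comments directly, pulls literal-string Info fields out of raw PDF bytes with a regular expression, and decodes nested Base64 until the result stops being printable text. The sample PDF and JPEG bytes are constructed inline and only carry the two strings shown in the writeups; the regex-based PDF parsing is an assumption that works for uncompressed literal strings like the one exiftool reported, not a replacement for exiftool or pdfinfo on real files.

```python
import base64
import binascii
import re
import struct

# A run of Base64-alphabet characters with optional "=" padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

# Literal-string entries of a PDF Info dictionary, e.g. "/Author (text)".
# Assumption: the field is stored as an uncompressed literal string, as in the
# challenge file; hex strings and object streams are left to exiftool/pdfinfo.
PDF_INFO = re.compile(rb"/(Author|Title|Subject|Keywords|Creator|Producer)\s*\(([^)]*)\)")


def decode_if_base64(token):
    """Decoded text if token is valid Base64 that yields printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or not all(0x20 <= b < 0x7F for b in raw):
        return None
    return raw.decode("ascii")


def decode_layers(text, max_depth=5):
    """Peel nested Base64 layers (the JPG comment's steghide:<b64> is one example):
    each decoded layer is searched again for a decodable token."""
    layers = []
    for _ in range(max_depth):
        decoded = next((d for d in map(decode_if_base64, B64_TOKEN.findall(text)) if d), None)
        if decoded is None:
            break
        layers.append(decoded)
        text = decoded
    return layers


def pdf_info_fields(data):
    """Info-dictionary fields found in raw PDF bytes, as a dict."""
    return {key.decode(): val.decode("latin-1") for key, val in PDF_INFO.findall(data)}


def jpeg_comments(data):
    """Text of every COM (0xFFFE) segment before the entropy-coded scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    comments, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                            # EOI
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + seg_len]
        if marker == 0xFE:
            comments.append(payload.decode("latin-1"))
        if marker == 0xDA:                            # SOS: compressed image data follows
            break
        pos += 2 + seg_len
    return comments


# Constructed inputs carrying the two strings the writeups show (not the real challenge files).
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Author (cGljb0NURntwdXp6bDNkX20zdGFkYXRhX2YwdW5kIV9jMjA3MzY2OX0=)"
              b" /Producer (demo) >>\nendobj\n%%EOF\n")
COMMENT = b"c3RlZ2hpZGU6Y0VGNmVuZHZjbVE9"
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0/JFIF, skipped
               + b"\xff\xfe" + struct.pack(">H", 2 + len(COMMENT)) + COMMENT       # COM segment
               + b"\xff\xd9")                                                       # EOI, no scan data


if __name__ == "__main__":
    for field, value in pdf_info_fields(SAMPLE_PDF).items():
        print(f"PDF {field}: {value} -> {decode_layers(value)}")
    for comment in jpeg_comments(SAMPLE_JPEG):
        print(f"JPEG COM: {comment} -> {decode_layers(comment)}")
```

The printable-ASCII check in decode_if_base64 is what stops the loop at the right depth: "pAzzword" and "steghide" are both valid Base64 alphabet, but decoding them yields bytes above 0x7F, so they are reported as plain text rather than as a further layer.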


Flag in Flame — picoCTF Pico Gym Challenge

Overview

  • Category: Forensics

  • Difficulty: Easy

  • Challenge File: logs.txt

The SOC team found a suspiciously large log file after a breach. Instead of normal logs, it contains a massive block of encoded text. Your task is to uncover the hidden flag by analyzing the file. 

Step-by-Step Solution

1. Download and Inspect the File

Use wget or download the file directly:

wget https://challenge-files.picoctf.net/c_saffron_estate/<filename>/logs.txt

Inspect the contents:

cat logs.txt

You’ll see a long Base64-encoded string — not a typical log. This is your first clue. 

2. Decode Base64 to Binary

The file is Base64-encoded binary data. Decode it:

base64 -d logs.txt > output.bin

3. Identify the File Type

Use the file command to determine what kind of data was decoded:

file output.bin

Output:

output.bin: PNG image data, ...

The file is actually a PNG image disguised as a log. 

4. View the Image

Rename and open the file:

mv output.bin flag.png
xdg-open flag.png

The image shows a hacker-themed illustration with a hex string at the bottom:

7069636f4354467b666f72656e736963735f616e616c797369735f69735f616d617a696e675f...

5. Decode Hex to ASCII

Convert the hex string to readable text:

echo "7069636f4354467b666f72656e736963735f616e616c797369735f69735f616d617a696e675f..." | xxd -r -p

Output:

picoCTF{forensics_analysis_is_amazing_...}

Tools Used

  • base64 -d: Decode Base64 data

  • file: Identify file type

  • xxd -r -p: Convert hex to ASCII

  • Image viewer (xdg-open, open, etc.) 

Flag

picoCTF{forensics_analysis_is_amazing_...}

(Note: The exact flag suffix may vary slightly depending on the instance.) 

This challenge teaches that data can be hidden in plain sight using simple encoding — always verify file types and look beyond surface appearances.
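
The lesson of this challenge is also a triage rule a SOC analyst can automate: a "log" that is nothing but Base64 alphabet, carries no timestamps or spaces, and decodes to a known file signature is a smuggled payload, not a log. The Python script below is an added example, not code from picoCTF or from this post. It implements that rule, then reproduces the rest of the pipeline in code: strip line wrapping, decode the blob, name the format from its magic bytes the way file(1) does, and convert the hex string read off the image back into text. The sample "log" lines and the PNG-signature blob are constructed inline, and the hex string is a constructed sample (it spells picoCTF{sample_flag}), not the real flag, since the writeup elides the real one.

```python
import base64
import binascii
import re

# Magic-byte table for formats that commonly turn up in forensics work.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "PNG image data"),
    (b"\xff\xd8\xff", "JPEG image data"),
    (b"GIF87a", "GIF image data"),
    (b"GIF89a", "GIF image data"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "Zip archive data"),
    (b"\x1f\x8b", "gzip compressed data"),
    (b"\x7fELF", "ELF"),
]

B64_CHARS = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def identify(data):
    """Name the format by its leading bytes; 'data' is file(1)'s fallback wording."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "data"


def base64_ratio(text):
    """Fraction of non-whitespace bytes that belong to the Base64 alphabet."""
    body = re.sub(rb"\s+", b"", text)
    if not body:
        return 0.0
    return sum(b in B64_CHARS for b in body) / len(body)


def looks_like_encoded_blob(text, threshold=0.99):
    """Triage rule: almost entirely Base64 alphabet and no spaces inside any line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or any(b" " in ln for ln in lines):
        return False
    return base64_ratio(text) >= threshold


def decode_blob(text):
    """Decode a (possibly line-wrapped) Base64 blob to raw bytes."""
    return base64.b64decode(re.sub(rb"\s+", b"", text), validate=True)


def triage(text):
    """Whole pipeline on a suspected log file's bytes: (verdict, detected format)."""
    if not looks_like_encoded_blob(text):
        return ("log text", None)
    return ("encoded payload", identify(decode_blob(text)))


def hex_to_text(hexstr):
    """Turn a hex string (as read off the image) back into ASCII text."""
    return binascii.unhexlify(hexstr.strip()).decode("ascii")


# Constructed samples: two ordinary log lines, and a Base64 dump of a PNG
# signature plus filler bytes (a header only, not a viewable image).
NORMAL_LOG = (b"2024-01-01T00:00:00Z sshd[123]: Accepted publickey for alice\n"
              b"2024-01-01T00:00:05Z sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls\n")
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
ENCODED_LOG = base64.encodebytes(FAKE_PNG)       # wrapped at 76 columns like a real dump
HEX_SAMPLE = "7069636f4354467b73616d706c655f666c61677d"   # constructed, hex of picoCTF{sample_flag}


if __name__ == "__main__":
    print("normal log  :", triage(NORMAL_LOG))
    print("encoded log :", triage(ENCODED_LOG))
    print("hex on image:", hex_to_text(HEX_SAMPLE))
```

The ratio threshold is deliberately strict: real log lines contain colons, brackets, dashes and spaces, so even a log that happens to embed a Base64 token stays well below 0.99, while a pure dump scores exactly 1.0.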


Corrupted File — picoCTF Pico Gym Challenge

Overview

  • Category: Forensics

  • Difficulty: Easy

  • Challenge File: file (or mystery)

This challenge presents a corrupted file that cannot be opened normally. The goal is to repair the file header and recover the embedded flag. 

Step-by-Step Solution

1. Download and Analyze the File

Use wget to download:

wget https://download.picoctf.org/path/to/file

Inspect with:

file file

Output: data — indicating an unrecognized format. 

2. Inspect File Signature (Magic Bytes)

Use hexdump or xxd:

xxd file | head -n 1

You’ll see:

00000000: 8965 4e34 0d0a b0aa 0000 000d 4322 4452  .eN4........C"DR

PNG files should start with:

89 50 4E 47 0D 0A 1A 0A

The file is a corrupted PNG.

3. Fix the Magic Bytes

Create a copy and patch the header:

cp file fixed.png
printf '\x89\x50\x4E\x47\x0D\x0A\x1A\x0A' | dd of=fixed.png bs=1 seek=0 count=8 conv=notrunc

4. Verify the Fix

file fixed.png

Output:

PNG image data, 1642 x 1095, 8-bit/color RGB, non-interlaced

5. Open the Image

xdg-open fixed.png

The image displays the flag.

Tools Used

  • file: Identify file type

  • xxd / hexdump: View hex data

  • dd: Modify binary files

  • printf: Inject raw bytes 

Flag

picoCTF{c0rrupt10n_1847995}

This challenge teaches how file headers define format recognition and how to repair them using hex editing.
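
The dd command above repairs the 8-byte signature, but the xxd line shows that the first chunk's type field (bytes 12-15, C"DR where IHDR belongs) is damaged too, and file(1) reporting "PNG image data" only proves the signature is right. PNG chunks carry a CRC32 over type plus payload, so a chunk walker can tell you exactly which chunks are still broken after the header fix. The Python script below is an added example, not code from picoCTF or from this post: it builds a valid 1x1 PNG, damages it the way the writeup's hex dump shows, reports signature and per-chunk CRC status, applies the signature fix, and then goes one step beyond the writeup by renaming the first chunk to IHDR only if its stored CRC verifies under that name (strong evidence that the type field alone was corrupted). The sample image is constructed inline; it is not the challenge file.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype, payload):
    """Build a PNG chunk: length, type, payload, CRC32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def png_chunks(data):
    """Walk the chunks after the 8-byte signature.
    Yields (offset, type, payload, crc_ok); stops at IEND or at a truncated chunk."""
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            break
        payload = data[pos + 8:pos + 8 + length]
        (stored,) = struct.unpack(">I", data[pos + 8 + length:end])
        crc_ok = stored == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        yield pos, ctype, payload, crc_ok
        pos = end
        if ctype == b"IEND":
            break


def check_png(data):
    """Signature status plus (offset, type, crc_ok) for every chunk."""
    return {
        "signature_ok": data[:8] == PNG_SIGNATURE,
        "chunks": [(off, ctype.decode("latin-1"), ok) for off, ctype, _, ok in png_chunks(data)],
    }


def repair_signature(data):
    """Overwrite the first 8 bytes with the PNG signature (what the dd command does)."""
    return PNG_SIGNATURE + data[8:]


def repair_first_chunk_type(data):
    """If the first chunk is not IHDR, rename it only when the stored CRC verifies
    under the name IHDR; otherwise refuse, because more than the type is damaged."""
    off = 8
    length, ctype = struct.unpack(">I4s", data[off:off + 8])
    if ctype == b"IHDR":
        return data
    payload = data[off + 8:off + 8 + length]
    (stored,) = struct.unpack(">I", data[off + 8 + length:off + 12 + length])
    if stored != (zlib.crc32(b"IHDR" + payload) & 0xFFFFFFFF):
        raise ValueError(f"first chunk type {ctype!r} is not IHDR and renaming does not fix its CRC")
    return data[:off + 4] + b"IHDR" + data[off + 8:]


# Constructed 1x1 RGB PNG (a real, valid file) ...
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, colour type, ...
VALID_PNG = (PNG_SIGNATURE
             + make_chunk(b"IHDR", IHDR)
             + make_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))   # filter byte + red pixel
             + make_chunk(b"IEND", b""))
# ... damaged the way the writeup's xxd output shows: signature bytes 1-7
# replaced, and the IHDR type at offset 12 changed to C"DR.
CORRUPTED_PNG = (b"\x89\x65\x4e\x34\x0d\x0a\xb0\xaa" + VALID_PNG[8:12]
                 + b'C"DR' + VALID_PNG[16:])


if __name__ == "__main__":
    print("as found        :", check_png(CORRUPTED_PNG))
    after_sig = repair_signature(CORRUPTED_PNG)
    print("signature fixed :", check_png(after_sig))
    fixed = repair_first_chunk_type(after_sig)
    print("IHDR renamed    :", check_png(fixed), "identical to original:", fixed == VALID_PNG)
```

After the signature fix alone, check_png still reports the first chunk as C"DR with a failing CRC, which is the state a viewer would choke on; only after the rename do all three chunks verify. On a real file, a chunk whose CRC fails under every plausible name means the payload bytes are damaged as well, and the fix needs a hex editor rather than a one-liner.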


DISKO 1 — picoCTF Pico Gym Challenge

Overview

  • Category: Forensics

  • Difficulty: Easy

  • Challenge File: disko-1.dd.gz

You're given a compressed disk image and asked: Can you find the flag in this disk image? 

Step-by-Step Solution

1. Decompress the File

The file is gzipped. Decompress it:

gunzip disko-1.dd.gz

This gives you the raw disk image: disko-1.dd

2. Inspect File Type

Use the file command:

file disko-1.dd

Output:

DOS/MBR boot sector, FAT32

Confirms it's a disk image with a FAT32 filesystem. 

3. Search for the Flag

Use strings to extract readable text and grep to find the flag:

strings disko-1.dd | grep -i pico

Among the output, you’ll find:

picoCTF{1t5_ju5t_4_5tr1n9_be6031da}

Tools Used

  • gunzip: Decompress .gz file

  • file: Identify file type

  • strings: Extract printable strings

  • grep: Search for pattern 

Flag

picoCTF{1t5_ju5t_4_5tr1n9_be6031da}

This challenge teaches that flags can be hidden in plain text within disk images — always try strings early in forensics tasks.
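
strings | grep answers "is the flag in there?" but not "where in the volume is it?", which is the question an investigator asks next. The Python script below is an added example, not code from picoCTF or from this post. It reads the FAT32 BIOS Parameter Block fields that file(1) relies on to call the image "DOS/MBR boot sector, FAT32", reimplements the default behaviour of strings(1) (runs of four or more printable bytes), searches for flag-shaped strings with their byte offsets, and maps an offset to the reserved area, the FAT area, or a data-region cluster. The disk image is a constructed tiny FAT32-style volume built inline, with the flag from this writeup written raw into its data region; the flag pattern (picoCTF{...} with no nested braces) is an assumption.

```python
import re
import struct

# picoCTF flag shape (assumption: no nested braces or whitespace inside).
FLAG_RE = re.compile(rb"picoCTF\{[^}\s]{1,100}\}")


def parse_fat32_boot_sector(img):
    """BIOS Parameter Block fields from the first sector of a FAT32 volume."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot-sector signature")
    bytes_per_sector, sectors_per_cluster, reserved = struct.unpack_from("<HBH", img, 11)
    return {
        "oem_name": img[3:11].decode("ascii", "replace").strip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved,
        "num_fats": img[16],
        "sectors_per_fat": struct.unpack_from("<I", img, 36)[0],   # FAT32-specific field
        "root_cluster": struct.unpack_from("<I", img, 44)[0],
        "fs_type": img[82:90].decode("ascii", "replace").strip(),
    }


def data_region_offset(bpb):
    """Byte offset where file clusters start: after the reserved sectors and all FAT copies."""
    sectors = bpb["reserved_sectors"] + bpb["num_fats"] * bpb["sectors_per_fat"]
    return sectors * bpb["bytes_per_sector"]


def strings(data, min_len=4):
    """What strings(1) prints by default: runs of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_flags(data):
    """(offset, flag) for every flag-shaped string in the image."""
    return [(m.start(), m.group().decode("ascii")) for m in FLAG_RE.finditer(data)]


def locate(offset, bpb):
    """Describe which part of the volume a byte offset falls in."""
    sector = offset // bpb["bytes_per_sector"]
    data_start = data_region_offset(bpb)
    if offset >= data_start:
        cluster_bytes = bpb["sectors_per_cluster"] * bpb["bytes_per_sector"]
        cluster = 2 + (offset - data_start) // cluster_bytes   # data clusters are numbered from 2
        return f"data region, sector {sector}, cluster {cluster}"
    if sector >= bpb["reserved_sectors"]:
        return f"FAT area, sector {sector}"
    return f"reserved area, sector {sector}"


FLAG = b"picoCTF{1t5_ju5t_4_5tr1n9_be6031da}"   # the flag this writeup reports


def build_sample_image():
    """Constructed volume: 32 reserved sectors, two 1-sector FATs, four data sectors,
    with the flag written raw into the data region (no directory entries, just bytes)."""
    boot = bytearray(512)
    boot[0:3] = b"\xeb\x58\x90"                    # jump instruction
    boot[3:11] = b"MSWIN4.1"                       # OEM name
    struct.pack_into("<HBH", boot, 11, 512, 1, 32) # bytes/sector, sectors/cluster, reserved
    boot[16] = 2                                   # two FAT copies
    struct.pack_into("<I", boot, 36, 1)            # sectors per FAT
    struct.pack_into("<I", boot, 44, 2)            # root directory cluster
    boot[82:90] = b"FAT32   "
    boot[510:512] = b"\x55\xaa"
    data = bytearray(512 * 4)
    data[600:600 + len(FLAG)] = FLAG
    return bytes(boot) + bytes(512 * 31) + bytes(512 * 2) + bytes(data)


SAMPLE_IMAGE = build_sample_image()


if __name__ == "__main__":
    bpb = parse_fat32_boot_sector(SAMPLE_IMAGE)
    print("filesystem:", bpb["fs_type"], "| data region starts at byte", data_region_offset(bpb))
    print("printable strings:", strings(SAMPLE_IMAGE))
    for offset, flag in find_flags(SAMPLE_IMAGE):
        print(f"{flag} at offset {offset}: {locate(offset, bpb)}")
```

Knowing the cluster number is what lets you go back with a filesystem tool and find which directory entry owns it, or notice that nothing does, which means the flag sits in unallocated space, where strings finds it but a normal file listing never would.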

