
Scan Surprise (picoCTF)

Case: Scan Surprise – picoCTF
Author: Jeffery John
Date: August 23, 2025
Investigator: Abdelwahab Shandy


1) Identification

Description:
In CTF challenges, flags are usually delivered as plain text. However, in this challenge the flag was embedded inside an image (PNG).

Indicators of Compromise (IOCs):

  • File: flag.png (350 bytes).

  • File type: PNG – dimensions 99x99 – colormap 1-bit.

  • Media: Available via challenge.zip and also through SSH.

  • SSH server fingerprint:

```
atlas.picoctf.net:52728
Fingerprint: SHA256:QF0l+8x0mwmM2QvewTSPdDEvkELbQihq9zN4rUKog8k
```

Technical Goal:
Determine whether the image contains a hidden flag (QR code) or encrypted data.


2) Acquisition

Actions:

  • Downloaded the challenge archive:

```bash
wget https://artifacts.picoctf.net/c_atlas/13/challenge.zip
unzip challenge.zip
```

  • Extracted files revealed the path:

```
home/ctf-player/drop-in/flag.png
```

  • The file size (350 bytes) was suspiciously small for a 99x99 image, suggesting it was not a regular photo but more likely a simple black-and-white pattern such as a QR code.

Rationale:
Obtaining a local copy of the evidence (flag.png) avoids reliance on the server and allows repeated offline analysis.


3) Preservation

Preservation Measures:

  • Used file, stat, and exiftool commands to inspect metadata without modifying the file.

  • No changes were made to file permissions or content of flag.png.

  • Created a secondary copy (ScanSurprise.png) for working analysis.

Rationale:
Ensuring the integrity of the digital evidence while enabling safe testing on a duplicate.


4) Analysis

Tools Used:

  • Exif / Exiftool: No hidden metadata found (no EXIF).

  • file: Confirmed PNG format (99x99, 1-bit).

  • zbarimg: Used to scan for QR codes.
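Added example (not part of the original report, and not a picoCTF or zbar tool): a Python script, standard library only, that performs the preservation and identification steps of sections 3 and 4 in one pass. It hashes the file, walks the PNG chunk list verifying every CRC, reads IHDR to report the dimensions, bit depth and colour type that `file` printed, and lists any text or EXIF chunks that exiftool would otherwise have surfaced. Because the real flag.png is not embedded here, `make_sample_png` constructs a 99x99 1-bit palette PNG as a stand-in; `looks_like_barcode` is a rule of thumb of my own (small, square, 1-bit), not a property of the challenge file.

```python
import hashlib
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
COLOR_TYPES = {0: "grayscale", 2: "truecolor", 3: "colormap",
               4: "grayscale+alpha", 6: "truecolor+alpha"}
# Ancillary chunks that can carry metadata (what exiftool reports on a PNG).
METADATA_CHUNKS = {"tEXt", "zTXt", "iTXt", "eXIf", "tIME"}


def build_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Assemble one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def make_sample_png(width: int, height: int) -> bytes:
    """Constructed stand-in for flag.png: a 1-bit palette PNG with striped rows."""
    # bit depth 1, colour type 3 (palette), compression 0, filter 0, no interlace
    ihdr = struct.pack(">IIBBBBB", width, height, 1, 3, 0, 0, 0)
    plte = bytes([255, 255, 255, 0, 0, 0])        # index 0 white, index 1 black
    row_bytes = (width + 7) // 8                    # 1 bit per pixel, padded to a byte
    raw = b"".join(b"\x00" + b"\xAA" * row_bytes for _ in range(height))  # filter 0 + pixels
    return (PNG_SIGNATURE + build_chunk(b"IHDR", ihdr) + build_chunk(b"PLTE", plte)
            + build_chunk(b"IDAT", zlib.compress(raw)) + build_chunk(b"IEND", b""))


def parse_png(data: bytes) -> dict:
    """Verify the signature and every chunk CRC, then return IHDR fields and a hash."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    info = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "chunks": [], "metadata_chunks": []}
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk at offset {pos}")
        name = ctype.decode("ascii", errors="replace")
        info["chunks"].append(name)
        if name in METADATA_CHUNKS:
            info["metadata_chunks"].append(name)
        if ctype == b"IHDR":
            w, h, depth, color, _, _, interlace = struct.unpack(">IIBBBBB", body)
            info.update(width=w, height=h, bit_depth=depth,
                        color_type=COLOR_TYPES.get(color, str(color)),
                        interlaced=bool(interlace))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return info


def looks_like_barcode(info: dict) -> bool:
    """Rule of thumb (mine, not a standard): small, square, 1-bit images are QR candidates."""
    return (info.get("width") == info.get("height")
            and info.get("bit_depth") == 1 and info["size"] < 4096)


def summarize(info: dict) -> str:
    """One-line description in the spirit of `file`, plus the integrity hash."""
    return (f"PNG {info['width']}x{info['height']}, {info['bit_depth']}-bit "
            f"{info['color_type']}, {info['size']} bytes, "
            f"metadata chunks: {info['metadata_chunks'] or 'none'}, "
            f"sha256={info['sha256']}")


if __name__ == "__main__":
    # Usage: python png_triage.py flag.png   (falls back to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_png(99, 99)
    details = parse_png(blob)
    print(summarize(details))
    print("QR/barcode candidate:", looks_like_barcode(details))
```

Running it against the working copy (ScanSurprise.png) before and after any tool touches the file gives a hash to compare against, so the preservation step is verifiable rather than assumed; a CRC mismatch or an unexpected ancillary chunk is the first sign that the evidence was altered or carries more than pixels.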

Verification via SSH:

```bash
ssh -p 52728 ctf-player@atlas.picoctf.net
zbarimg flag.png
```

Output:

```
QR-Code:picoCTF{p33k_@_b00_d4ca652e}
```

Verification Locally (after installing zbar-tools):

```bash
sudo apt install zbar-tools
zbarimg flag.png
```

Output:

```
QR-Code:picoCTF{p33k_@_b00_d4ca652e}
```

Analysis:

  • The flag was hidden inside a QR code, not in text, metadata, or steganography.

  • Only zbarimg was able to accurately extract the content.

  • Attempts using exif or manual inspection did not reveal the flag because it required a QR scan.


5) Reporting

Final Result:

  • Extracted flag:

```
picoCTF{p33k_@_b00_d4ca652e}
```

  • flag.png contained a hidden QR code image (99x99).

  • Results were verified both locally and on the challenge server.

Lessons Learned:

  • Verify formats: A small file size combined with small, square dimensions can indicate a QR code or barcode.

  • Use the right tool: EXIF tools failed, but zbarimg succeeded immediately.

  • Preserve first: Creating a duplicate (ScanSurprise.png) protected the original evidence.

  • Cross-validation: Testing locally and remotely confirmed consistent results.


Appendix A – Key Commands

```bash
wget https://artifacts.picoctf.net/c_atlas/13/challenge.zip
unzip challenge.zip
file flag.png
exiftool flag.png
zbarimg flag.png
```

Appendix B – Extracted Flag

```
picoCTF{p33k_@_b00_d4ca652e}
```

"Control the code, and you control the world." From wiping metadata to gaining root access: every step is documented and my goal is to deeply understand the system, not just hack!

Abdelwahab Shandy


See You Soon

AS Cyber