
Red (picoCTF)

Digital Forensics Report – picoCTF Challenge “RED”

Author: Shuailin Pan (LeConjuror)

Investigator: Abdelwahab Shandy

Date: August 23, 2025


  1. Identification

  • Suspicious file: red.png

  • Initial description: A plain red image.

  • Hints:

      • "The picture seems pure, but is it true?" → The image isn't just red.

      • "Red? Ged? Bed? Aed?" → Indicates possible alteration or encryption.

      • "Check whatever Facebook is called now" → Possibly refers to hidden data such as metadata.

Conclusion: The file likely contains steganography (data hidden within the image).


  2. Acquisition

The file was downloaded from the official challenge server:

wget https://challenge-files.picoctf.net/c_verbal_sleep/831307718b34193b288dde31e557484876fb84978b5818e2627e453a54aa9ba6/red.png

File integrity check:

sha256sum red.png

  3. Preservation

  • A duplicate copy named RED.png was created to protect the original.

  • All analysis was performed on the copy.


  4. Analysis Steps:

Determine the file type:

file RED.png

→ The file is a regular PNG image.

Metadata check:

exiftool RED.png

→ No important data appeared, except for a very strange poem.

Using binwalk to extract hidden data:

binwalk -e RED.png

A file named 11C was extracted.

This file was compressed using zlib.

zlib-flate -uncompress < 11C.zlib > output.txt

→ This produced an output.txt file, but its contents weren't clear or useful.

Trying to display the data as a RAW image:

display -size 128x128 -depth 8 rgb:output.txt

→ Nothing clear appeared.

Using the zsteg tool:

Explanation of the zsteg tool:

  • zsteg is a specialized tool for analyzing PNG and BMP images to detect steganography.

  • The idea: Images store color data (RGB or RGBA). Each color consists of several bits.

  • Sometimes the least significant bit (LSB) of each color value is used to hide text or binary data, because changing it makes no difference the human eye can see.

  • zsteg examines these layers or bits across all channels (R, G, B, Alpha) and detects whether there is hidden text or files.

Execute the commands:

zsteg -a RED.png

The important result was:

b1,rgba,lsb,xy .. text: "cGljb0NURntyM2RfMXNfdGgzX3VsdDFtNHQzX2N1cjNfZjByXzU0ZG4zNTVffQ=="

This is Base64-encoded text.

Base64 decoding:

echo "cGljb0NURntyM2RfMXNfdGgzX3VsdDFtNHQzX2N1cjNfZjByXzU0ZG4zNTVffQ==" | base64 -d

Result:

picoCTF{r3d_1s_th3_ult1m4t3_cur3_f0r_54dn355_}
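
The LSB extraction and Base64 decoding steps above, reproduced as an added Python example (not part of the original report and not zsteg's own code). It works on a constructed 128x128 red RGBA buffer with a placeholder message, and assumes the first extracted bit becomes the most significant bit of each output byte:

```python
import base64
import string

# Printable ASCII without control whitespace; used to spot a text run.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Overwrite bit 0 of successive R,G,B,A bytes with the payload bits."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in the carrier")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract_lsb(pixels: bytes) -> bytes:
    """Collect bit 0 of every channel byte; the first bit read is the MSB."""
    out = bytearray()
    for start in range(0, len(pixels) - 7, 8):
        byte = 0
        for channel in pixels[start:start + 8]:
            byte = (byte << 1) | (channel & 1)
        out.append(byte)
    return bytes(out)

def leading_text(data: bytes, min_len: int = 8) -> bytes:
    """Return the printable ASCII run at the start of the bit stream, if any."""
    end = 0
    while end < len(data) and data[end] in PRINTABLE:
        end += 1
    return data[:end] if end >= min_len else b""

def recover(pixels: bytes) -> bytes:
    """Extract, then Base64-decode, a message hidden at the start of the image."""
    text = leading_text(extract_lsb(pixels))
    return base64.b64decode(text, validate=True) if text else b""

# Constructed sample: a 128x128 opaque red RGBA buffer in row-major (xy) order.
CARRIER = bytes([255, 0, 0, 255]) * (128 * 128)
SECRET = b"picoCTF{constructed_example}"  # placeholder, not the challenge flag
STEGO = embed_lsb(CARRIER, base64.b64encode(SECRET))

if __name__ == "__main__":
    print("max channel change:", max(abs(a - b) for a, b in zip(CARRIER, STEGO)))
    print("clean image yields:", recover(CARRIER))
    print("stego image yields:", recover(STEGO))
```

No channel value changes by more than 1, which is why the modified image still looks like a plain red square.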

  5. Reporting

Results:

  • The red.png file contained data hidden with steganography in the least significant bit (LSB) of the RGBA channels.

  • The hidden text was detected using the zsteg tool.

  • The text was Base64 encoded and decoded to obtain the flag.

Final flag:

picoCTF{r3d_1s_th3_ult1m4t3_cur3_f0r_54dn355_}
