Description
How about some hide and seek?Download this file here.
🧩 Challenge Overview
In this challenge, we are given a .zip file.
After extracting it, we find a .jpg image — but nothing seems special about it when viewed normally.
That means the flag is likely hidden in the image’s metadata.
📦 Step 1: Unzip the file
We start by extracting the contents of the zip file using the unzip command:
$ unzip unknown.zip Archive: unknown.zip inflating: ukn_reality.jpg
✅ Explanation:
unzipis used to extract files from a.ziparchive.- The extracted file is named
ukn_reality.jpg.
🔍 Step 2: Analyze metadata with ExifTool
When there’s no visible information in an image, check the metadata using ExifTool:
$ exiftool ukn_reality.jpg ExifTool Version Number : 13.25 File Name : ukn_reality.jpg ... Attribution URL : cGljb0NURntNRTc0RDQ3QV9ISUREM05fYjMyMDQwYjh9Cg== ...
✅ Explanation:
exiftoolreads and displays metadata embedded inside files (especially images).- Metadata often includes hidden text, creation date, camera info, or even encoded messages.
- Here, we found something suspicious in the “Attribution URL” field —
a long encoded string:cGljb0NURntNRTc0RDQ3QV9ISUREM05fYjMyMDQwYjh9Cg==
🔡 Step 3: Identify the encoding
The string ends with = — a common padding indicator for Base64 encoding.
This means the data is likely encoded text that we can decode.
✅ Base64 explanation:
Base64 is a method for representing binary data as text using 64 printable characters.
It’s often used to hide or safely transmit text within files.
🐍 Step 4: Decode Base64 with Python
Let’s write a short Python script to decode the Base64 string:
import base64 cipher = "cGljb0NURntNRTc0RDQ3QV9ISUREM05fYjMyMDQwYjh9Cg==" plain = base64.b64decode(cipher).decode() print(plain)
Run the script:
$ python3 decode.py
picoCTF{ME74D47A_HIDD3N_b32040b8}
✅ Explanation:
- The
base64module in Python allows easy encoding and decoding. .b64decode()converts the Base64 string into readable text..decode()changes the byte output into a normal string.
🏁 Step 5: Capture the Flag
🎉 Final Flag:
picoCTF{ME74D47A_HIDD3N_b32040b8}
🧠 Summary
| Step | Command | Purpose | Key Result |
|---|---|---|---|
| 1 | unzip | Extract files | Found ukn_reality.jpg |
| 2 | exiftool | View metadata | Found Base64 string in Attribution URL |
| 3 | Python script | Decode Base64 | Revealed the flag |
💡 Beginner Tips
- Always check metadata when images look normal but hide information.
- Base64 strings usually contain
=at the end — a strong clue for encoding. exiftoolis one of the most useful tools in forensics CTF challenges for hidden data discovery.- Keep your scripts simple — Python’s
base64library is enough for decoding tasks.