Description
RED, RED, RED, RED
Download the image: red.png
🧩 Challenge Description
At first glance, this looks like a simple image file. But in CTFs, appearances can be deceiving — there’s usually hidden information somewhere inside.
🔍 Step 1: Checking the file type with file
We start by checking what kind of file this really is:
$ file red.png red.png: PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced
✅ Explanation:
The file command inspects a file’s binary signature and tells us what type it is.
Here, it confirms it’s a PNG image with an alpha (transparency) channel.
🖼 Step 2: Viewing metadata with exiftool
Next, let’s inspect the image metadata — sometimes CTF hints are hidden there!
$ exiftool red.png ... Poem : Crimson heart, vibrant and bold,.Hearts flutter at your sight.. Evenings glow softly red,.Cherries burst with sweet life.. Kisses linger with your warmth..Love deep as merlot.. Scarlet leaves falling softly,.Bold in every stroke.
✅ Explanation:exiftool displays metadata — extra information stored inside image files.
Here, we find something suspicious: a “Poem” field.
✍️ Step 3: Extracting a hidden clue from the poem
Let’s take the first letter of each sentence in the poem:
Crimson
Hearts
Evenings
Cherries
Kisses
Love
Scarlet
Bold
That spells out → CHECKLSB
✅ Explanation:
“LSB” stands for Least Significant Bit, a classic steganography method used to hide data inside image pixels.
🔧 Step 4: Installing and using zsteg
To analyze LSB data in PNGs, we use a tool called zsteg.
⚠️ Note:
zstegis not included in standard Linux repositories, so we need to install it manually.
Installation (Ubuntu / Debian)
$ sudo apt update $ sudo apt install ruby ruby-dev imagemagick libmagickwand-dev $ sudo gem install zsteg
✅ Explanation:
rubyandruby-dev→ Needed to run Ruby-based toolsimagemagick→ Used internally by zsteg to read imagesgem install zsteg→ Installs the tool itself
Now we can analyze the image:
$ zsteg red.png ... b1,rgba,lsb,xy .. text: "cGljb0NURntyM2RfMXNfdGgzX3VsdDFtNHQzX2N1cjNfZjByXzU0ZG4zNTVffQ=="
✅ Explanation:zsteg checks various bit planes (like LSB, MSB, RGB channels) for hidden data.
We found a Base64-encoded string here!
🔡 Step 5: Decoding Base64
The string found is:
cGljb0NURntyM2RfMXNfdGgzX3VsdDFtNHQzX2N1cjNfZjByXzU0ZG4zNTVffQ==
Base64 is a simple encoding that turns binary data into readable text.
We can decode it easily using Python.
import base64 cipher = "cGljb0NURntyM2RfMXNfdGgzX3VsdDFtNHQzX2N1cjNfZjByXzU0ZG4zNTVffQ==" plain = base64.b64decode(cipher).decode() print(plain)
Run it:
$ python3 decode.py
picoCTF{r3d_1s_th3_ult1m4t3_cur3_f0r_54dn355_}
🏁 Final Flag
picoCTF{r3d_1s_th3_ult1m4t3_cur3_f0r_54dn355_}
🧠 Summary
| Step | Tool | Purpose | Key Finding |
|---|---|---|---|
| 1 | file | Check file type | PNG image |
| 2 | exiftool | Read metadata | Found a hidden poem |
| 3 | Manual | Take first letters | “CHECKLSB” |
| 4 | zsteg | Steganography scan | Found Base64 string |
| 5 | python | Decode Base64 | Revealed flag |
🗝️ Takeaway for Beginners
- Always check metadata and LSB for hidden info in image challenges.
- Tools like
exiftoolandzstegare standard in CTF image forensics. - When you see gibberish ending with
=or==, think Base64.