Contents

Information

Description

Files can always be changed in a secret way. Can you find the flag? cat.jpg

Step 1

We’ve downloaded the picture of a cat infront of a computer.
Let’s check it with file cat.jpg which outputs:

cat.jpg: JPEG image data, JFIF standard 1.02, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 2560x1598, components 3

Not that interesting…

Step 2

Let’s try binwalk to check image headers for potentially, interesting hex values
binwalk cat.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.02

Nothing to see here either…

Step 3

Let’s try strings to see any printable characters in the file and pipe it with a search for something that might look like a flag: strings cat.jpg | grep pico
Nothing once more…

Step 4

Let’s try something different. We can inspect many more properties on an image with the tool “exiftool” and run exiftool cat.jpg

ExifTool Version Number         : 12.16
File Name                       : cat.jpg
Directory                       : .
File Size                       : 858 KiB
File Modification Date/Time     : 2021:07:15 16:25:10+02:00
File Access Date/Time           : 2021:07:15 16:25:10+02:00
File Inode Change Date/Time     : 2021:07:15 16:25:10+02:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.02
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Current IPTC Digest             : 7a78f3d9cfb1ce42ab5a3aa30573d617
Copyright Notice                : PicoCTF
Application Record Version      : 4
XMP Toolkit                     : Image::ExifTool 10.80
License                         : cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9
Rights                          : PicoCTF
Image Width                     : 2560
Image Height                    : 1598
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 2560x1598
Megapixels                      : 4.1

Step 5

The License string looks like base64 which we can decode using cyberchef or just in terminal like this echo cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9 | base64 -d.
And there’s our flag!