picoCTF CanYouSee — Forensics Challenge Walkthrough
This challenge involves analysing an image file and uncovering hidden information embedded within it.
Site URL: https://play.picoctf.org/practice/challenge/408?category=4&difficulty=1&page=1&search=
Description
How about some hide and seek? Download this file here.
Hints
- How can you view the information about the picture?
- If something isn’t in the expected form, maybe it deserves attention?
Solution
Download the file by clicking the link provided in the challenge.
Open PowerShell and navigate to the Downloads folder
cd ~/Downloads
Locate the Most Recently Modified File
Get-ChildItem | Sort-Object LastWriteTime -Descending | Select-Object -First 1
We located and opened the latest .
Extract the ZIP File
Expand-Archive -Path "$env:USERPROFILE\Downloads\unknown.zip" -DestinationPath "$env:USERPROFILE\Downloads\extracted" -Force
List Extracted Files
Get-ChildItem -Path "$env:USERPROFILE\Downloads\extracted" -Recurse
Check the First 16 Bytes (Magic Bytes)
Format-Hex "$env:USERPROFILE\Downloads\extracted\ukn_reality.jpg" | Select-Object -First 1
The magic bytes at the start of the file are: FF D8 FF E0
- FF D8 FF - JPEG Start-of-Image (SOI) marker
- E0 - JFIF format (JPEG File Interchange Format)
This confirms that the file is at least a valid JPEG, but there might be hidden data inside it.
Install Chocolatey and Use It to Install ExifTool
Chocolatey is a package manager for Windows, similar to apt (Ubuntu/Linux). It allows users to easily install, update, and manage software from the command line.
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
After installation, restart PowerShell.
Start-Process PowerShell -Verb RunAs
Verify Chocolatey Installation
choco -v
Install ExifTool
ExifTool is a command-line tool used to read, write, and edit metadata in images, videos, and other media files.
ExifTool is often used in digital forensics to extract metadata from images, which may contain hidden information such as GPS coordinates, timestamps, or embedded messa
choco install exiftool -y
Analyze ukn_reality.jpg
exiftool "$env:USERPROFILE\Downloads\extracted\ukn_reality.jpg"
Key Findings in the Metadata:
- File Type: JPEG (image/jpeg)
- File Size: 2.3 MB
- Image Dimensions: 4308 x 2875 pixels
- Encoding Process: Baseline DCT, Huffman coding (common for JPEG)
- Metadata Tool Used: ExifTool 11.88
- Attribution URL: cGljb0NURntNRTc0RDQ3QV9ISUREM05fNmE5ZjVhYzR9Cg==
(This looks like Base64: it contains only valid Base64 characters and ends with = padding. It is also not in the form of a URL, which is what this field is expected to hold.)
Decode the Base64 String
Open: https://www.base64decode.org/
Decode cGljb0NURntNRTc0RDQ3QV9ISUREM05fNmE5ZjVhYzR9Cg==
or
Decode the Base64 String in PowerShell
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("cGljb0NURntNRTc0RDQ3QV9ISUREM05fNmE5ZjVhYzR9Cg=="))
Flag: picoCTF{ME74D47A_HIDD3N_6a9f5ac4}
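The manual check above can be automated. This is an added example, not part of the original walkthrough: it parses `exiftool -json` output and reports any tag whose value has Base64 shape and decodes to printable text. The sample JSON is constructed from the values shown above; the function name Find-Base64Metadata and the AttributionURL key spelling are assumptions.

```powershell
# Constructed sample shaped like `exiftool -json` output for the challenge image.
# On a real file, use instead: $json = exiftool -json <path-to-image> | Out-String
$json = @'
[{
  "SourceFile": "ukn_reality.jpg",
  "FileType": "JPEG",
  "ImageSize": "4308x2875",
  "EncodingProcess": "Baseline DCT, Huffman coding",
  "AttributionURL": "cGljb0NURntNRTc0RDQ3QV9ISUREM05fNmE5ZjVhYzR9Cg=="
}]
'@

# Hypothetical helper: returns one object per tag that looks like encoded text.
function Find-Base64Metadata {
    param([Parameter(Mandatory)][string]$ExifJson, [int]$MinLength = 16)

    foreach ($record in ($ExifJson | ConvertFrom-Json)) {
        foreach ($tag in $record.PSObject.Properties) {
            $value = [string]$tag.Value

            # Base64 shape: long enough to matter, length a multiple of 4,
            # only the Base64 alphabet, at most two '=' and only at the end.
            if ($value.Length -lt $MinLength -or $value.Length % 4 -ne 0) { continue }
            if ($value -notmatch '^[A-Za-z0-9+/]+={0,2}$') { continue }

            try { $bytes = [Convert]::FromBase64String($value) } catch { continue }

            # Ordinary words can pass the shape test, so keep only values that
            # decode to printable ASCII (plus tab, LF, CR).
            $printable = $true
            foreach ($b in $bytes) {
                $isControl = $b -lt 0x20 -and $b -notin @(9, 10, 13)
                if ($isControl -or $b -gt 0x7E) { $printable = $false; break }
            }
            if (-not $printable) { continue }

            [pscustomobject]@{
                Tag     = $tag.Name
                Decoded = [Text.Encoding]::ASCII.GetString($bytes).Trim()
            }
        }
    }
}

Find-Base64Metadata -ExifJson $json
```

On the sample, only the AttributionURL tag is reported; the other values fail the length or alphabet check.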
Final Thoughts
This challenge provided a great opportunity to apply practical cybersecurity skills in metadata analysis, Base64 decoding, and forensic investigation — key techniques used in real-world digital forensics and Capture The Flag (CTF) competitions.
By following a structured methodology, we successfully:
- Downloaded and analyzed the given file.
- Verified the file type and metadata using PowerShell and ExifTool.
- Discovered an embedded Base64-encoded string in the image metadata.
- Decoded the Base64 string to reveal the hidden flag.
This challenge highlights the significance of metadata in digital forensics. Sensitive information can often be stored within metadata fields, and attackers may use it to embed malicious data or exfiltrate information covertly. Understanding how to extract and analyze metadata is crucial for cybersecurity professionals, as it plays a role in threat hunting, malware analysis, and forensic investigations.
Key Takeaway
In cybersecurity, information is often hidden in plain sight. Metadata, file properties, and encodings can contain valuable clues that lead to crucial discoveries. Whether investigating digital forensics cases, analyzing malware, or participating in CTFs, knowing how to uncover hidden data is an essential skill.
Stay curious, question everything, and always dig deeper — because in cybersecurity, the details often hold the key to the solution.