🔍 RED
A detailed write-up of the Forensics challenge 'RED' from PicoCTF - 2025
📊 Challenge Overview
Category Details Additional Info 🏆 Event PicoCTF - 2025 Event Link 🔰 Category Forensics 🔍 💎 Points 100 Out of 500 total ⭐ Difficulty 🟢 Easy Personal Rating: 3/10 👤 Author Shuailin Pan (LeConjuror) Profile 🎮 Solves (At the time of flag submission) 3.066 solve rate 📅 Date 14-03-2025 PicoCTF - 2025 🦾 Solved By mH4ck3r0n3 Team:
📝 Challenge Information
RED, RED, RED, RED Download the image: red.png
🎯 Challenge Files & Infrastructure
Provided Files
Files:
🔍 Initial Analysis
First Steps
The first thing I did after reading the description was use
exiftool
to see if there was anything interesting in the image’s metadata:And as we can see, it specifies
Poem
:Crimson heart, vibrant and bold,.Hearts flutter at your sight..Evenings glow softly red,.Cherries burst with sweet life..Kisses linger with your warmth..Love deep as merlot..Scarlet leaves falling softly,.Bold in every stroke.
. Initially, it doesn’t make much sense… but later I noticed that the uppercase letters form the phraseCHECK LSB
. So I researched and found that it’s possible, through a steganography technique, to write messages in theLSB (Least Significant Bit)
. Let’s proceed to the exploitation phase.
🔬 Vulnerability Analysis
Potential Vulnerabilities
- LSB Extraction
🎯 Solution Path
Exploitation Steps
Exploitation
The exploitation was quite simple, in fact, I used aperisolve by uploading the image, and I noticed that with
zsteg
it extracted a.text
field containing a base64, so I decided to replicate the same process out of curiosity:
1
zsteg --lsb red.png
I extracted the base64 and decoded it, thus finding the flag.
Flag capture
🛠️ Exploitation Process
Approach
The automatic exploit extracts the base64 from the LSB and performs the decode.
🚩 Flag Capture
FlagpicoCTF{r3d_1s_th3_ult1m4t3_cur3_f0r_54dn355_}
Proof of Execution
🔧 Tools Used
Tool Purpose Python Exploit Aperisolve Full Image Analysis Exiftool Metadata Extraction Zsteg LSB Extraction
💡 Key Learnings
New Knowledge
I learned how messages are embedded in the LSB (Least Significant Bit) of a file.
Time Optimization
- Run
exiftool
immediately or have the image analyzed by https://www.aperisolve.com/.
Skills Improved
- Binary Exploitation
- Reverse Engineering
- Web Exploitation
- Cryptography
- Forensics
- OSINT
- Miscellaneous
📚 References & Resources
Learning Resources
📊 Final Statistics
Metric | Value | Notes |
---|---|---|
Time to Solve | 00:15 | From start to flag |
Global Ranking (At the time of flag submission) | 1248/10408 | Challenge ranking |
Points Earned | 100 | Team contribution |
Created: 14-03-2025 • Last Modified: 14-03-2025 *Author: mH4ck3r0n3 • Team: *