🔍 RED

A detailed write-up of the Forensics challenge 'RED' from PicoCTF - 2025

[Image: Challenge Presentation]

📊 Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| 🏆 Event | PicoCTF - 2025 | Event Link |
| 🔰 Category | Forensics | 🔍 |
| 💎 Points | 100 | Out of 500 total |
| ⭐ Difficulty | 🟢 Easy | Personal Rating: 3/10 |
| 👤 Author | Shuailin Pan (LeConjuror) | Profile |
| 🎮 Solves (At the time of flag submission) | 3.066 | solve rate |
| 📅 Date | 14-03-2025 | PicoCTF - 2025 |
| 🦾 Solved By | mH4ck3r0n3 | Team: |

📝 Challenge Information

RED, RED, RED, RED

Download the image: red.png

🎯 Challenge Files & Infrastructure

Provided Files

Files:

🔍 Initial Analysis

First Steps

The first thing I did after reading the description was use exiftool to see if there was anything interesting in the image’s metadata:

[Image: Exiftool]

And as we can see, it specifies:

Poem:Crimson heart, vibrant and bold,.Hearts flutter at your sight..Evenings glow softly red,.Cherries burst with sweet life..Kisses linger with your warmth..Love deep as merlot..Scarlet leaves falling softly,.Bold in every stroke..

Initially, it doesn’t make much sense… but later I noticed that the uppercase letters form the phrase CHECK LSB. So I researched and found that it’s possible, through a steganography technique, to write messages in the LSB (Least Significant Bit). Let’s proceed to the exploitation phase.

🔬 Vulnerability Analysis

Potential Vulnerabilities

  • LSB Extraction

🎯 Solution Path

Exploitation Steps

Exploitation

The exploitation was quite simple. In fact, I used Aperisolve by uploading the image, and I noticed that with zsteg it extracted a .text field containing a base64 string, so out of curiosity I decided to replicate the same process:

zsteg --lsb red.png

[Image: Zsteg]

I extracted the base64 and decoded it, thus finding the flag.

Flag capture

[Image: Manual Flag]

🛠️ Exploitation Process

Approach

The automatic exploit extracts the base64 from the LSB and performs the decode.
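The extraction and decode described above, as an added example (not the author's original script). It assumes raw channel bytes in R, G, B, A order, one hidden bit in bit 0 of each byte, and bits packed most-significant first; the function names, the cover pixels and the placeholder message are constructed for illustration.

```python
import base64
import re
from typing import Optional

def embed_lsb(channels: bytes, payload: bytes) -> bytes:
    """Build test data: write payload bits (MSB first) into bit 0 of each channel byte."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(channels):
        raise ValueError("cover data too small for payload")
    out = bytearray(channels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)

def extract_lsb(channels: bytes) -> bytes:
    """Collect bit 0 of every channel byte and pack eight bits per output byte."""
    out = bytearray()
    for start in range(0, len(channels) - 7, 8):
        value = 0
        for byte in channels[start:start + 8]:
            value = (value << 1) | (byte & 1)
        out.append(value)
    return bytes(out)

def decode_base64_run(stream: bytes, min_len: int = 16) -> Optional[bytes]:
    """Decode the first base64-looking run in the bit stream, or return None."""
    match = re.search(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, stream)
    if match is None:
        return None
    run = match.group(0)
    run = run[: len(run) - len(run) % 4]  # drop an incomplete trailing 4-char group
    return base64.b64decode(run)

# Constructed sample: 128 opaque red RGBA pixels as raw channel bytes (R, G, B, A order).
COVER = bytes([255, 0, 0, 255]) * 128
# Constructed placeholder message, not the challenge flag.
SECRET = b"picoCTF{constructed_sample}"
SAMPLE = embed_lsb(COVER, base64.b64encode(SECRET))

if __name__ == "__main__":
    print(decode_base64_run(extract_lsb(SAMPLE)))
```

To run it on a real image, pass in the decoded pixel bytes instead of SAMPLE, for example from Pillow's `Image.open("red.png").convert("RGBA").tobytes()`.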

🚩 Flag Capture

Flag

picoCTF{r3d_1s_th3_ult1m4t3_cur3_f0r_54dn355_}

Proof of Execution

[Image: Automated Flag. Screenshot of successful exploitation]

🔧 Tools Used

| Tool | Purpose |
|---|---|
| Python | Exploit |
| Aperisolve | Full Image Analysis |
| Exiftool | Metadata Extraction |
| Zsteg | LSB Extraction |

💡 Key Learnings

New Knowledge

I learned how messages are embedded in the LSB (Least Significant Bit) of a file.

Time Optimization

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📚 References & Resources

Learning Resources


📊 Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:15 | From start to flag |
| Global Ranking (At the time of flag submission) | 1248/10408 | Challenge ranking |
| Points Earned | 100 | Team contribution |

Created: 14-03-2025 • Last Modified: 14-03-2025 • Author: mH4ck3r0n3 • Team: