05. information - PicoCTF 2021 Writeup
Files can always be changed in a secret way. Can you find the flag?
Category: Forensics | Author: Susie | Points: 10
Hello All,
This is also an interesting challenge. All we get is an image file, so first we download it. Then what? Well, let's open it and see what we can find. It turns out to be an actual JPEG file. Let's look at the image to see whether anything is hidden in it. But other than a cute kitten, there's nothing else here!
Well, the image alone doesn't seem to contain any information. But the thing is, with a JPEG file, the image is not the only information you get. You also get what's called 'metadata'. Metadata is, simply speaking, 'data that provides information about other data.' You can find more information on Wikipedia.
In the case of JPEG files, the metadata is stored in the Exchangeable image file format (EXIF). This information includes things such as the camera manufacturer, camera model, geolocation data and even whether the flash was used. So the next best thing is to check this data.
We can check the metadata easily by using a tool called ExifTool. Let's first install it on our Ubuntu machine with the following command.
sudo apt-get install exiftool
Once done, we can use the tool to list all the EXIF information in the file with the command below. Make sure that you're in the folder containing the file.
exiftool cat.jpg
If we look through the listed parameters, we see an interesting entry in the License section. It is a random mess of characters. From experience, we know that whenever we see a random mess of characters, some sort of encoding is going on.
So let's go ahead and use the following command to try and decode it to text. Here, [string] stands for the string we found in the License parameter. What we're basically asking the terminal to do is to echo that string and pipe it into base64 -d, which decodes it from Base64 and prints the result.
echo [string] | base64 -d
Voila, that's the flag right there!
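To show what ExifTool is actually reading, here is an added example (not part of the original writeup, and not the challenge file) that walks the marker segments of a JPEG, pulls the XMP packet out of the APP1 segment, and Base64-decodes the license value. It assumes the License tag ExifTool reports comes from an XMP cc:license element; the sample JPEG bytes and the flag inside them are constructed placeholders.

```python
import base64
import binascii
import re
import struct
from typing import Iterator, Optional, Tuple

# Constructed sample: a minimal JPEG-style byte stream (SOI, one APP1 segment
# carrying an XMP packet, EOI). The license value is a Base64-encoded
# placeholder flag, not the real challenge flag.
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
SAMPLE_FLAG = "picoCTF{constructed_example_flag}"
XMP_PACKET = (
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
    b'<rdf:Description xmlns:cc="http://creativecommons.org/ns#"><cc:license>'
    + base64.b64encode(SAMPLE_FLAG.encode())
    + b"</cc:license></rdf:Description></rdf:RDF></x:xmpmeta>"
)

def build_sample_jpeg() -> bytes:
    payload = XMP_HEADER + XMP_PACKET
    # The segment length field counts itself (2 bytes) plus the payload.
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"

def iter_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for the segments before the image data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_xmp(data: bytes) -> Optional[str]:
    for marker, payload in iter_segments(data):
        if marker == 0xE1 and payload.startswith(XMP_HEADER):
            return payload[len(XMP_HEADER):].decode("utf-8", "replace")
    return None

def decode_license(xmp: str) -> Optional[str]:
    m = re.search(r"<cc:license>(.*?)</cc:license>", xmp, re.S)
    if not m:
        return None
    try:  # validate=True rejects values that are not real Base64
        return base64.b64decode(m.group(1).strip(), validate=True).decode("utf-8", "replace")
    except binascii.Error:
        return None
```

Running decode_license(find_xmp(build_sample_jpeg())) returns the placeholder flag; on a real file, read the bytes from disk instead of build_sample_jpeg().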