Scan Surprise : picoCTF


Digital Forensics Investigation Report (DFIR)
Case: Scan Surprise (picoCTF)
Author: Jeffery John
Date: August 23, 2025
Investigator: Abdelwahab Shandy
1) Identification
Description:
In CTF challenges, flags are usually delivered as plain text. However, in this challenge the flag was embedded inside an image (PNG).
Indicators of Compromise (IOCs):
File: flag.png (350 bytes). File type: PNG, 99x99, 1-bit colormap.
Media: available via challenge.zip and also through SSH.
SSH server: atlas.picoctf.net:52728
Fingerprint: SHA256:QF0l+8x0mwmM2QvewTSPdDEvkELbQihq9zN4rUKog8k
Technical Goal:
Determine whether the image contains a hidden flag (QR code) or encrypted data.
2) Acquisition
Actions:
Downloaded the challenge archive and extracted it:
wget https://artifacts.picoctf.net/c_atlas/13/challenge.zip
unzip challenge.zip
The extracted archive revealed the path:
home/ctf-player/drop-in/flag.png
The file size (350 bytes) was suspiciously small for an image: a 99x99, 1-bit picture is far too small to be a photograph, and the size and dimensions are consistent with a QR code.
Rationale:
Obtaining a local copy of the evidence (flag.png) avoids reliance on the server and allows repeated offline analysis.
3) Preservation
Preservation Measures:
Used file, stat, and exiftool to inspect metadata without modifying the file.
No changes were made to the permissions or content of flag.png.
Created a secondary copy (ScanSurprise.png) for working analysis.
Rationale:
Ensuring the integrity of the digital evidence while enabling safe testing on a duplicate.
4) Analysis
Tools Used:
Exif / Exiftool: No hidden metadata found (no EXIF).
file: Confirmed PNG format (99x99, 1-bit).
zbarimg: Used to scan for QR codes.
Verification via SSH:
ssh -p 52728 ctf-player@atlas.picoctf.net
zbarimg flag.png
Output:
QR-Code:picoCTF{p33k_@_b00_d4ca652e}
Verification locally (after installing zbar-tools):
sudo apt install zbar-tools
zbarimg flag.png
Output:
QR-Code:picoCTF{p33k_@_b00_d4ca652e}
Analysis:
The flag was encoded as a QR code, not stored as text, in metadata, or via steganography.
exiftool and manual inspection revealed nothing because the flag lives in the pixel pattern itself, not in any chunk a metadata tool reads.
Decoding it requires a barcode reader; zbarimg extracted the content immediately.
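The triage steps above (hash the evidence, confirm it really is a 99x99 1-bit palette PNG, check whether any text or EXIF chunks exist before reaching for a QR reader) can be scripted with the standard library alone. The following is an added example written for this report, not code from the challenge or from picoCTF: it builds a constructed 1-bit palette PNG in memory as a stand-in for flag.png (the real file is not embedded here), then parses the chunk list, verifies every chunk CRC, and reports the fields a forensic note should record. The actual QR decode still belongs to zbarimg.

```python
import hashlib
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Colour-type byte of IHDR, per the PNG specification.
COLOR_TYPES = {0: "grayscale", 2: "RGB", 3: "palette (colormap)",
               4: "grayscale+alpha", 6: "RGBA"}

# Chunk types that can carry metadata; exiftool reports these.
METADATA_CHUNKS = (b"tEXt", b"zTXt", b"iTXt", b"eXIf")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_1bit_palette_png(width: int, height: int, rows) -> bytes:
    """Build a minimal 1-bit palette PNG (the format a QR image uses) from rows of 0/1.
    Constructed sample data for this example, not the challenge's flag.png."""
    # bit depth 1, colour type 3 (palette), compression 0, filter 0, no interlace
    ihdr = struct.pack(">IIBBBBB", width, height, 1, 3, 0, 0, 0)
    plte = bytes([255, 255, 255, 0, 0, 0])  # index 0 = white, index 1 = black
    raw = bytearray()
    for row in rows:
        raw.append(0)  # scanline filter type None
        line = bytearray((width + 7) // 8)
        for x, px in enumerate(row):
            if px:
                line[x // 8] |= 0x80 >> (x % 8)  # pixels packed MSB-first
        raw += line
    idat = zlib.compress(bytes(raw), 9)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"PLTE", plte)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def parse_png_chunks(data: bytes):
    """Walk the chunk list and verify each CRC; a truncated or tampered file fails here."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:
            raise ValueError(f"truncated {ctype!r} chunk")
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(crc_bytes) != 4:
            raise ValueError(f"missing CRC on {ctype!r} chunk")
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != struct.unpack(">I", crc_bytes)[0]:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        chunks.append((ctype, body))
        pos += 12 + length
    return chunks


def png_triage(data: bytes) -> dict:
    """Return the facts a triage note records: hash, size, dimensions, bit depth,
    colour type, chunk types present, and whether any metadata chunk exists."""
    chunks = parse_png_chunks(data)
    ctype, ihdr = chunks[0]
    if ctype != b"IHDR" or len(ihdr) != 13:
        raise ValueError("first chunk is not a valid IHDR")
    width, height, depth, color, _, _, _ = struct.unpack(">IIBBBBB", ihdr)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "width": width,
        "height": height,
        "bit_depth": depth,
        "color_type": COLOR_TYPES.get(color, f"unknown({color})"),
        "chunks": [c for c, _ in chunks],
        "has_metadata": any(c in METADATA_CHUNKS for c, _ in chunks),
    }


if __name__ == "__main__":
    # Constructed 99x99 checkerboard standing in for a QR module grid.
    grid = [[(x + y) % 2 for x in range(99)] for y in range(99)]
    sample = make_1bit_palette_png(99, 99, grid)
    for key, value in png_triage(sample).items():
        print(f"{key}: {value}")
```

Record the sha256 value before any tool touches the file and again afterwards; an identical hash is the evidence that the preservation step actually held. A CRC failure from parse_png_chunks means the file was damaged in transit or deliberately modified, which is worth noting before trusting what zbarimg reports.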
5) Reporting
Final Result:
Extracted flag: picoCTF{p33k_@_b00_d4ca652e}
flag.png contained a hidden QR code image (99x99). Results were verified both locally and on the challenge server.
Lessons Learned:
Verify formats: a small file size and small dimensions can indicate a QR code or barcode.
Use the right tool: EXIF tools found nothing, but zbarimg succeeded immediately.
Preserve first: creating a duplicate (ScanSurprise.png) protected the original evidence.
Cross-validation: testing locally and remotely confirmed consistent results.
Appendix A - Key Commands
wget https://artifacts.picoctf.net/c_atlas/13/challenge.zip
unzip challenge.zip
file flag.png
exiftool flag.png
zbarimg flag.png
Appendix B - Extracted Flag
picoCTF{p33k_@_b00_d4ca652e}
๐ฌ "Control the code, and you control the world." ๐ From wiping metadata to gaining root access โ every step is documented and my goal is to deeply understand the system, not just hack!
See You Soon
AS Cyber โ)).
Written by

Abdelwahab A. Shandy