picoCTF - Glory of the Garden

2024-11-23

I've started to do some CTF challenges just for fun and to learn something new.

This is my writeup of the picoCTF - Glory of the Garden.

screenshot of the challenge description

The link points to the following image

image of a garden

As this challenge is marked as easy and considering the challenge description I knew that the flag would be hidden somewhere in the image data and I just had to search for it somehow. Image is just a byte array where each byte describes a pixel in the image. I knew the bytes would contain the flag.

I have downloaded the image with the wget command.
$wget https://jupiter.challenges.picoctf.org/static/4153422e18d40363e7ffc7e15a108683/garden.jpg

Afterwards I used google to find a command or tool which would convert the image in jpg format into file where I could look at individual bytes. I have found hexdump to do what I wanted. Hexdump displays file contents in hexadecimal, decimal, octal, or ascii.

I have used hexdump with the -C option to display ascii values and redirected its output into garden_dump file.
$hexdump -C garden.jpg > garden_dump
This is what the dump looks like

screenshot of the garden image hexdump

First I wanted to search for the flag myself by reading the file so I opened the file with the cat command and immediately saw that that's not a good idea because the file has 2999x2249 pixels and it's a three channel image with 8 bit depth so that is 2999x2249x3 bytes. I redirected the output of the cat into grep and searched for the word flag.
$cat garden_dump | grep flag

The search was successful and displayed the following line:

screenshot of the grep command output

The first number 00230560 is the input offset in hexadecimal. I wanted to look at the bytes around that offset. Using the head command with the option -c you can look at first number of bytes. So I converted the 00230560 into decimal which is 2295136 and multiplied with 16 because the displayed lines had 16 bytes. So 2295136x16 is 36722176. When I run the command
$head -36722176 garden_dump
it started to print all the bytes from the beginning of the file so I stopped it. I wanted to display only few bytes starting at that offset so I thought about redirecting the output into tail command:
$head -36722176 garden_dump | tail -n 10
which displayed the last 10 bytes and I could see that flag.

screenshot of the flag