Link: (only for logged in users)
Points: 100
Category: Misc


Find the flag.

This problem is not image based on steganography.


Take data from IDAT chunk, decompress it and grep for TWCTF.

Solution explanation

The first step in every image based challenge is to look at its metadata:

We can notice two important things while solving this task:

  • image size is 1200x848px
  • identify notices some Extra compressed/compression data – the flag?

To understand what it means, basic knowledge of PNG “backstage” is required.

PNG data is organized as chunks. A chunk is a set of bytes containing the following information:

  • Length – 4 bytes
  • Chunk type – 4 bytes
  • Chunk data – Length bytes
  • CRC – 4 bytes

One of chunks type is IDAT. There can be many of them in one PNG file. IDAT chunks contain compressed information about pixels in the image.
We can get this information with simple Python script:

This function returns 4071274 bytes. They are organized in scanlines which represent information about pixels in each line of an image (3 bytes per pixel) with one additional byte representing filter applied to this line. Knowing that, we can calculate how many bytes we should have and remove them (we are only interested in that “additional compressed data”).

Leave a Reply

Your email address will not be published. Required fields are marked *