July 4, 2026
Hidden in Plainsight | PicoCTF Forensics
This is my writeup for Hidden in Plainsight, an Easy-rated Forensics challenge on PicoCTF.
By Khushbu
The Challenge
"You're given a seemingly ordinary JPG image. Something is tucked away out of sight inside the file. Your task is to discover the hidden payload and extract the flag."
A single JPG file. No server, no netcat connection this time. Just an image that looked completely normal.
Step 1 — Check the Metadata
My first instinct was that the flag couldn't possibly be visible in the image itself — that would be too easy for a CTF. Hidden data in image files is often tucked into the metadata, the information attached to a file that describes it but isn't part of the visible picture.
I uploaded the image to an online metadata viewer and checked every field. Most of it was the usual technical noise — camera details, file size, timestamps.
But one field stood out:
comment: c3RlZ2hpZGU6Y0VGNmVuZHZjbVE9
A comment field is not something a normal photo usually has filled in with a random-looking string. That was my signal to keep digging.
Step 2 — Recognise the Encoding
The string c3RlZ2hpZGU6... had a very specific look to it — letters and numbers ending in =. That pattern is a strong giveaway for Base64 encoding.
I decoded it and got:
steghide:cEF6endvcmQ9
Progress — but not the final answer. This decoded string had two parts: the word steghide followed by a colon, and then another Base64-looking string.
Step 3 — Decode Again
steghide immediately told me what tool I'd eventually need. But first I had to deal with the second encoded piece:
cEF6endvcmQ9
Decoded again:
pAzzword
So now I had two critical pieces of information sitting right there in the metadata, hidden in plain sight (literally the name of the challenge):
- The tool to use: steghide
- The password to use with it: pAzzword
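Steps 1 to 3 can also be done offline rather than with an online viewer and decoder. The following is an added example, not code from the original writeup: it reads JPEG comment (COM) segments and peels nested Base64 layers. The sample JPEG bytes are constructed, and storing the comment in a COM segment is an assumption (an EXIF comment field would need an EXIF parser instead).

```python
import base64, binascii, re, struct
from typing import List, Optional

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
COMMENT = b"c3RlZ2hpZGU6Y0VGNmVuZHZjbVE9"  # comment value shown in Step 1
# Constructed sample: SOI, stub APP0 header, COM segment, EOI (no image data).
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
               + b"\xff\xfe" + struct.pack(">H", len(COMMENT) + 2) + COMMENT
               + b"\xff\xd9")

def jpeg_comments(data: bytes) -> List[str]:
    """Return the text of every COM (0xFFFE) segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    found, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts itself
        if marker == 0xFE:
            found.append(data[pos + 4:pos + 2 + length].decode("latin-1"))
        pos += 2 + length
    return found

def try_b64(token: str) -> Optional[str]:
    """Decode only strictly valid Base64 that yields printable ASCII."""
    if len(token) < 8 or len(token) % 4 or not B64_RE.fullmatch(token):
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def peel(value: str, max_depth: int = 5) -> List[str]:
    """Return every layer, following the field after the last ':' each time."""
    layers = [value]
    for _ in range(max_depth):
        decoded = try_b64(layers[-1].rsplit(":", 1)[-1])
        if decoded is None:  # plain text (or binary) reached: stop
            break
        layers.append(decoded)
    return layers

if __name__ == "__main__":
    for comment in jpeg_comments(SAMPLE_JPEG):
        print(" -> ".join(peel(comment)))
```

The printable-ASCII check is what stops the loop at pAzzword, which is itself eight characters from the Base64 alphabet and would otherwise be decoded a third time into garbage.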
Step 4 — What is Steghide?
I had never used steghide before this challenge. It's a tool used for steganography — the practice of hiding data inside other files, like images or audio, in a way that doesn't visibly change them. The image still looks completely normal to the human eye, but extra data is embedded inside its file structure, often protected with a password.
The challenge had handed me the password through its own metadata. I just needed to use it correctly.
Step 5 — Extract the Hidden Data
steghide extract -sf "img.jpg" -p "pAzzword"
Breaking this down:
- steghide extract — tells the tool to pull out hidden data rather than embed new data
- -sf "img.jpg" — specifies the source file to extract from
- -p "pAzzword" — provides the password needed to unlock the hidden content
The output:
wrote extracted data to "flag.txt".
A new file appeared. I read it immediately:
cat flag.txt
picoCTF{h1dd3n_1n_1m4g3_f051f2e8}
Flag captured.
What I Actually Learned
1. Metadata is a real attack surface. Most people never check a file's metadata. CTFs — and real forensics investigations — often start exactly there, because attackers and challenge designers alike know most people skip it.
2. Encoding chains are common. This challenge stacked two layers of Base64 before even reaching the real password. Don't stop decoding just because the first result looks like nonsense — check if the output itself is another encoded string.
3. Steganography is a real and ongoing exploitation method. Hiding data inside images is not just a CTF gimmick — it has genuinely been used to leak data or hide malware in ways that bypass simple file scanning, because the image still looks and opens completely normally.
4. The challenge name was a literal clue. "Hidden in Plainsight" wasn't just a clever title — it was telling me exactly where to look from the start. The password and tool name were never hidden behind some complex puzzle; they were sitting openly in a metadata field most people never bother to check.
Tools Used
Online metadata viewer — for inspecting the JPG's embedded metadata fields
Base64 decoder — for unwrapping two layers of encoded text
steghide — for extracting the actual hidden payload from inside the image file
Difficulty
Easy — but it taught me an entirely new category of thinking. Cryptography challenges so far have been about cracking or reversing something mathematical. This was about investigating — checking every available surface of a file, not assuming the obvious appearance is the whole story.
GitHub: github.com/CipherCoded-Dev