Ninja-Nerds — UMass Cybersecurity CTF

Description

Organizer description was not preserved in the local task files.

The challenge provided a single PNG image, challenge.png. Basic file and metadata checks were clean, so the goal was to determine whether the payload was hidden inside image pixel data rather than in appended data or unusual PNG chunks.

Analysis

Initial recon showed a normal PNG:

file challenge.png
# PNG image data, 640 x 360, 8-bit/color RGB, non-interlaced

exiftool challenge.png
# normal metadata only

pngcheck challenge.png
# valid PNG, no suspicious chunks

strings challenge.png
# nothing useful

That ruled out the easiest container-level tricks. Since the file structure looked clean, the remaining likely hiding places were the RGB pixel channels and their bit planes.

Reviewing similar stego writeups for PNG bit-plane analysis suggested checking channels independently instead of treating the image as one flat byte stream. That mattered here because the payload was not spread across all pixels equally: it was stored only in the least significant bit of the blue channel.

The second key detail was byte assembly order. Grouping the extracted bits MSB-first into bytes produced readable text immediately, including the full flag.

Solution

1. Verify the PNG is structurally normal

Use file, exiftool, pngcheck, and strings to confirm there is no obvious metadata leak, appended archive, or suspicious custom PNG chunk.

2. Extract one channel at a time

Treat the image as an RGB array and isolate the blue channel (arr[:, :, 2]). Then keep only its least significant bit with & 1.

3. Rebuild bytes from the bit stream

...