UMassCTF 2026 - Ninja-Nerds

where are your little ninja-nerds?

Initial Analysis

The challenge provided a single image file: challenge.png. Initial investigation focused on gathering basic information about the file and its metadata.

  • File Type: Standard PNG image (640x360).
  • Metadata: exiftool showed no unusual comments or hidden fields.
  • Strings: Running strings did not reveal the flag in plain text, suggesting it was encoded or hidden within the pixel data.
  • Embedded Files: binwalk did not detect any appended files (like zips or other images).

Given that the file appeared to be a clean PNG with no obvious trailing data or metadata tricks, I suspected LSB (Least Significant Bit) Steganography. This technique hides data by slightly modifying the last bit of color values (Red, Green, or Blue), which is invisible to the human eye.

Solution

To extract the hidden data, we can either use automated tools or a custom script to parse the LSBs from each color plane.

1. Automated Approach

Using zsteg, we can quickly scan for common LSB patterns:

    zsteg -E "b1,b,lsb,xy" challenge.png | strings | grep "UMASS{"

2. Manual Extraction Script

Alternatively, using the Pillow library in Python allows for precise extraction from specific color channels.

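    import PIL.Image

    def extract_lsb(image_path):
        # Force RGB so every pixel is an (R, G, B) tuple regardless of PNG mode
        img = PIL.Image.open(image_path).convert("RGB")
        pixels = img.load()
        width, height = img.size

        # Check Red (0), Green (1), and Blue (2) planes
        for plane in range(3):
            lsb_data = bytearray()
            current_byte = 0
            bit_count = 0
            for y in range(height):
                for x in range(width):
                    pixel = pixels[x, y]
                    bit = pixel[plane] & 1  # Extract LSB
                    # Pack bits MSB-first, in row-major pixel order
                    current_byte = (current_byte << 1) | bit
                    bit_count += 1
                    if bit_count == 8:
                        lsb_data.append(current_byte)
                        current_byte = 0
                        bit_count = 0

            start = lsb_data.find(b"UMASS{")
            if start != -1:
                print(f"Found flag in Plane {plane}!")
                # Print from the marker up to and including the closing brace
                end = lsb_data.find(b"}", start)
                end = end + 1 if end != -1 else len(lsb_data)
                print(lsb_data[start:end].decode("ascii", errors="replace"))

    extract_lsb("challenge.png")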

Running the extraction against the color planes reveals that the flag is hidden in the Blue channel (Plane 2).
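
The script above only finds a payload that starts on a byte boundary and is packed MSB-first. The following is an added example, not part of the original writeup, that generalizes the same per-plane scan to all eight bit offsets and both bit orders. It works on a plain row-major list of (R, G, B) tuples, and the function names, the cover data and the sample flag are constructed for illustration.

```python
import random
import re

FLAG_RE = re.compile(rb"UMASS\{[ -|~]{1,64}\}")  # printable ASCII body, no '}'

def plane_bits(pixels, plane):
    """LSB of one colour plane for each pixel, in row-major order."""
    return [px[plane] & 1 for px in pixels]

def pack(bits, msb_first=True):
    """Pack bits into bytes, 8 at a time; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        chunk = bits[i:i + 8] if msb_first else bits[i:i + 8][::-1]
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)

def scan(pixels):
    """Return (plane, bit_offset, order, flag) for every flag-shaped hit."""
    hits = []
    for plane in range(3):
        bits = plane_bits(pixels, plane)
        for offset in range(8):
            for msb_first in (True, False):
                for m in FLAG_RE.finditer(pack(bits[offset:], msb_first)):
                    order = "msb-first" if msb_first else "lsb-first"
                    hits.append((plane, offset, order, m.group().decode()))
    return hits

def embed(pixels, plane, message, start_bit=0):
    """Constructed test helper: write message bits MSB-first into one plane."""
    out = [list(px) for px in pixels]
    bits = [(byte >> (7 - k)) & 1 for byte in message for k in range(8)]
    for i, bit in enumerate(bits):
        out[start_bit + i][plane] = (out[start_bit + i][plane] & ~1) | bit
    return [tuple(px) for px in out]

def demo():
    rng = random.Random(2026)  # constructed cover "image": 64x16 random pixels
    cover = [tuple(rng.randrange(256) for _ in range(3)) for _ in range(64 * 16)]
    # Constructed flag, placed in the blue plane at a non-byte-aligned position
    stego = embed(cover, 2, b"UMASS{constructed-sample}", start_bit=13)
    return scan(cover), scan(stego)

if __name__ == "__main__":
    print(demo())
```

The payload here starts at bit 13, so the byte-aligned scan at offset 0 misses it and the hit is reported at bit offset 5.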

Flag

UMASS{perfectly-hidden-ready-to-strike}