The SOC analyst saw one image being sent back and forth between two people. They decided to investigate and found out that there was more than what meets the eye here.
Solution
For this challenge we are given a PNG file named flag.png.
For image forensics, a few tools come to mind that are also used in reverse engineering: strings, exiftool, binwalk and probably some others I'm forgetting to mention.
After running strings on the file, we get a few strings of interest.
This hints that there is a file embedded in the PNG. Therefore, my next approach uses binwalk, a "fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images."
% binwalk flag.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 512 x 504, 8-bit/color RGBA, non-interlaced
41 0x29 Zlib compressed data, compressed
39739 0x9B3B Zip archive data, at least v1.0 to extract, name: secret/
39804 0x9B7C Zip archive data, at least v2.0 to extract, compressed size: 2869, uncompressed size: 3024, name: secret/flag.png
42908 0xA79C End of Zip archive, footer length: 22
We can see the zip archive "secret/" that we saw above in the strings output. The zlib stream at offset 41 (0x29) is just the PNG's own IDAT pixel data (8-byte signature, 25-byte IHDR chunk, then the 8-byte IDAT chunk header), so the zip archive at 0x9B3B is the interesting part. Now we use the -e flag to extract the archive from the file.
This command also creates a _flag.png.extracted directory containing the results.
% binwalk -e flag.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 512 x 504, 8-bit/color RGBA, non-interlaced
41 0x29 Zlib compressed data, compressed
39739 0x9B3B Zip archive data, at least v1.0 to extract, name: secret/
39804 0x9B7C Zip archive data, at least v2.0 to extract, compressed size: 2869, uncompressed size: 3024, name: secret/flag.png
42908 0xA79C End of Zip archive, footer length: 22
% cd _flag.png.extracted
% ll
total 48
-rw-r--r--. 1 matthew matthew 0 May 18 11:08 29
-rw-r--r--. 1 matthew matthew 42889 May 18 11:08 29.zlib
-rw-r--r--. 1 matthew matthew 3191 May 18 11:08 9B3B.zip
drwxr-xr-x. 1 matthew matthew 16 Mar 15 22:01 secret
% cd secret
% ll
total 4
-rw-r--r--. 1 matthew matthew 3024 Mar 15 22:01 flag.png
Once we open the flag.png file in the secret/ directory we are given the flag.
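As an added example (not part of the original writeup or the binwalk project), the same check without binwalk: parse the PNG chunk list to find where IEND ends, then decode any zip local file headers that follow, the way binwalk's listing does, and pull a member out of the appended archive. Since the challenge file is not included here, the script builds a constructed sample (a tiny carrier PNG with a zip containing secret/flag.png appended after IEND) to run against.

```python
import io, struct, zipfile, zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HDR = b"PK\x03\x04"   # zip local file header signature
ZIP_EOCD = b"PK\x05\x06"        # zip end-of-central-directory signature

def png_end_offset(data):
    # Walk the chunk list; return the offset just past IEND (where a PNG should end).
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length              # length(4) + type(4) + data + crc(4)
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk found")

def zip_entries(data):
    # Decode every zip local file header as (offset, name, csize, usize).
    out, pos = [], data.find(ZIP_LOCAL_HDR)
    while pos != -1 and pos + 30 <= len(data):
        # offset +18: compressed size, uncompressed size, name length, extra length
        csize, usize, nlen, xlen = struct.unpack("<IIHH", data[pos + 18:pos + 30])
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        out.append((pos, name, csize, usize))
        pos = data.find(ZIP_LOCAL_HDR, pos + 30 + nlen + xlen)
    return out
def analyze(data):
    # Report bytes trailing IEND and any zip structure, like binwalk's listing.
    end = png_end_offset(data)
    return {"png_end": end, "trailing_bytes": len(data) - end,
            "entries": zip_entries(data), "has_eocd": ZIP_EOCD in data[end:]}
def extract_member(data, name):
    # Read one member from the archive appended after IEND (what binwalk -e did above).
    with zipfile.ZipFile(io.BytesIO(data[png_end_offset(data):])) as zf:
        return zf.read(name)
def make_png(width, height):
    # Constructed sample: a tiny opaque-black RGBA PNG built by hand.
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    raw = (b"\x00" + b"\x00\x00\x00\xff" * width) * height   # filter byte 0 + pixels per row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")
def build_sample():
    # Constructed sample: carrier PNG with a zip holding secret/flag.png appended, as in the challenge.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret/", b"")
        zf.writestr("secret/flag.png", make_png(1, 1))
    return make_png(2, 2) + buf.getvalue()
```

A clean PNG reports zero trailing bytes; any non-zero count after IEND is worth a look even when no zip signature is present.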
Flag
The flag is a little hard to make out, but it reads picoCTF{Hiddinng_An_imag3_within_@n_ima9e_cda72af0}