exiftool
ExifTool reads (and writes) metadata in virtually every image format: EXIF, XMP, IPTC, ICC profiles, maker notes and dozens of proprietary blocks. Metadata is the single most common hiding spot for CTF flags.
What Aperi'Solve runs
$ exiftool -a -u -g1 image.jpg
-ashows duplicated tags instead of hiding them.-ushows unknown tags — where hand-crafted data usually hides.-g1groups the output by metadata block.
Fields worth reading first
| Field | Why it matters |
|---|---|
Comment / UserComment |
Free-text fields, the classic flag location |
Artist, Author, Copyright, Software |
Free-text, often overlooked |
ImageDescription, XPTitle, XPComment |
More free-text variants |
GPS* |
Coordinates can encode a location-based hint |
ThumbnailImage |
The embedded thumbnail may differ from the visible image |
Unknown tags (-u) |
Arbitrary attacker/author-controlled data |
Extracting binary metadata
Some fields contain whole files (thumbnails, ICC profiles):
$ exiftool -b -ThumbnailImage image.jpg > thumb.jpg
$ exiftool -b -ICC_Profile image.jpg > profile.icc
Installing locally
$ apt install libimage-exiftool-perl
Common CTF patterns
- Base64 in
Comment— decode anything that looks likeZmxh.... - A flag split across several metadata fields.
- The thumbnail shows the original image before sensitive content was cropped or masked.
- Timestamps/GPS encoding a puzzle (dates as ASCII codes, coordinates pointing at a place name).