strings

strings (part of GNU binutils) extracts every run of printable characters from a binary file. On a CTF image it surfaces metadata text, tool signatures and — surprisingly often — a flag pasted straight into the file.

What Aperi'Solve runs

$ strings image.png

By default it prints every run of 4+ printable ASCII characters, in file order.

Reading the output

Most lines are noise: compressed image data randomly forms short printable runs. Look for the readable islands:

IHDR
Adobe Photoshop 2024
XML:com.adobe.xmp
aHR0cHM6Ly9leGFtcGxlLmNvbQ==
CTF{str1ngs_f1rst_alw4ys}
  • Chunk/segment names (IHDR, IDAT, JFIF, Exif) are normal format structure; editor signatures reveal how the file was made.
  • Long alphanumeric blobs ending in = are likely base64 — decode them.
  • Text near the end of the output often sits after the image data: prime suspect territory.

Useful local flags

$ strings -n 8 image.png              # only runs of 8+ chars (less noise)
$ strings -e l image.png              # UTF-16LE ("wide") strings
$ strings -t x image.png              # print hex offset of each string
$ strings image.png | grep -i "ctf{"  # hunt the flag format directly

Grepping for the challenge's flag format (CTF{, flag{, HTB{...) is the fastest first move.

Installing locally

Preinstalled on most Linux distributions and macOS (GNU binutils). Otherwise: apt install binutils.

Limitations

  • Only contiguous printable bytes appear: anything encoded, compressed, encrypted or bit-scattered (LSB steganography) is invisible — use zsteg and steghide for those.
  • ASCII-only by default: UTF-16 text needs -e l. And expect false leads — 4-character runs occur by chance in compressed data.

Common CTF patterns

  • The flag in plain text near the end of the file, after the image data.
  • A base64 blob that decodes to the flag, a URL or the next hint.
  • URLs, usernames or passwords for another stage of the challenge (e.g. the passphrase for steghide).