Find hidden flags in pictures

Suppose we have a picture, 123.jpg. To analyze it and find the flag hidden inside, we first need to know something about the image format. JPG is used as the example here; for pictures in other formats, look up the corresponding format details.

JPG image format basics:

The first 2 bytes of a JPG file are the start-of-image marker SOI (Start of Image), FF D8. The next 2 bytes are the JFIF application data block marker APP0 (JFIF application segment), FF E0. The last 2 bytes of the file are the end marker EOI (End of Image), FF D9. Open the picture with the hexeditor tool on Kali to see these bytes.

Armed with this knowledge, we can isolate other files/information hidden in an image.

Looking at the bytes this way, it can be seen that other files are hidden in the picture. Alternatively, use the foremost tool to separate the picture and the other data automatically. The command is: foremost 123.jpg. This generates an output*** folder in the current directory.

Open the rar folder; the content of the txt file inside is the hidden flag.

Extension: An image trojan (a "picture horse") works on the same principle: a trojan file and a picture are joined together in binary mode. The picture viewer ignores everything after the FF D9 terminator, so the image trojan still opens normally as a picture, but the file also contains the trojan.
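
The markers described above can be walked in code to find where the image really ends and whether anything, such as the RAR archive in this example or an appended trojan, follows FF D9. This is an added example, not code from the original post; the function names and the constructed SAMPLE bytes are assumptions for illustration. It goes a little beyond the text by walking the segments instead of searching for the first FF D9, because those two bytes can also occur inside an embedded thumbnail.

```python
# Signatures of container formats often appended to an image (not exhaustive).
MAGIC = {b"Rar!\x1a\x07": "rar", b"PK\x03\x04": "zip", b"7z\xbc\xaf\x27\x1c": "7z"}

def jpeg_end(data: bytes) -> int:
    """Offset just past the real EOI (FF D9) of a JPEG that starts at offset 0."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker (FF D8) at offset 0")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                    # EOI: end of the image
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone marker, no length
        else:
            length = int.from_bytes(data[pos + 2:pos + 4], "big")
            pos += 2 + length                   # length counts its own 2 bytes
            if marker == 0xDA:                  # SOS: skip entropy-coded data
                while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] != 0x00
                    and not 0xD0 <= data[pos + 1] <= 0xD7
                ):
                    pos += 1                    # FF 00 and RSTn are image data
    raise ValueError("no EOI marker (FF D9) found")

def trailing_data(data: bytes):
    """Return (offset, kind, payload) for bytes appended after EOI, else None."""
    end = jpeg_end(data)
    payload = data[end:]
    if not payload:
        return None
    kind = next((n for m, n in MAGIC.items() if payload.startswith(m)), "unknown")
    return end, kind, payload

def _seg(marker: int, body: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(body) + 2).to_bytes(2, "big") + body

# Constructed sample: a tiny JPEG-shaped byte string (not a viewable picture),
# with FF D9 inside APP1 (as in a thumbnail), then an appended RAR signature.
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, b"thumb\xff\xd9") + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\xff\x00\x34" + b"\xff\xd9" + b"Rar!\x1a\x07\x00constructed")

if __name__ == "__main__":
    print(trailing_data(SAMPLE))
```

For a real file, read it with `open(path, "rb").read()` and pass the bytes to `trailing_data`; a non-None result on an uploaded image is a reason to inspect or reject it.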
