For this challenge we get a hint saying that the flag is hidden inside the Penguin, which refers to the Tux picture.

Linux Tux image given in the challenge

By executing the file command on the picture we get the following output

$ file Tux.jpg
Tux.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "ICAgICAgUGFzc3dvcmQ6IExpbnV4MTIzNDUK", baseline, precision 8, 196x216, components 3

Where the comment string ICAgICAgUGFzc3dvcmQ6IExpbnV4MTIzNDUK could possibly be a base64 encoded string

$ base64 -d <<<ICAgICAgUGFzc3dvcmQ6IExpbnV4MTIzNDUK
      Password: Linux12345

As suspected the decoded string gives us the password Linux12345 which we will probably use in the future.

Since exiftool and strings don’t give us any more information, another useful tool to use is binwalk, which essentially checks the file for possible embedded files by matching magic number bytes.

$ binwalk Tux.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
5488          0x1570          Zip archive data, encrypted at least v1.0 to extract, compressed size: 39, uncompressed size: 27, name: flag
5679          0x162F          End of Zip archive, footer length: 22

As we can see there is an embedded zip file in the image. We can extract the zip file using binwalk and the -e (extract) flag.

$ binwalk -e Tux.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01

WARNING: Extractor.execute failed to run external extractor 'jar xvf '%e'': [Errno 2] No such file or directory: 'jar', 'jar xvf '%e'' might not be installed correctly
5488          0x1570          Zip archive data, encrypted at least v1.0 to extract, compressed size: 39, uncompressed size: 27, name: flag
5679          0x162F          End of Zip archive, footer length: 22


$ ls _Tux.jpg.extracted
1570.zip

This gave us a zip file called 1570.zip, by trying to unzip the file we are prompted to give a password that should be the Linux12345 password that we found earlier.

$ unzip 1570.zip
Archive:  1570.zip
[1570.zip] flag password:
 extracting: flag

$ cat flag
CTFlearn{Linux_Is_Awesome}

And we successfully found extracted a flag file with the flag CTFlearn{Linux_Is_Awesome}