PicoCTF-2021 Writeup
  • README
  • Binary Exploitation
    • Binary Gauntlet 0
    • Binary Gauntlet 1
    • Stonks
    • What's your input?
  • Cryptography
    • Compress and Attack
    • Dachshund Attacks
    • Double DES
    • Easy Peasy
    • It is my Birthday 2
    • It's Not My Fault 1
    • Mini RSA
    • New Caesar
    • New Vignere
    • No Padding, No Problem
    • Pixelated
    • Play Nice
    • Scrambled: RSA
  • Forensics
    • Disk, disk, sleuth!
    • Disk, disk, sleuth! II
    • information
    • MacroHard WeakEdge
    • Matryoshka doll
    • Milkslap
    • Surfing the Waves
    • Trivial Flag Transfer Protocol
    • tunn3l v1s10n
    • Very very very Hidden
    • Weird File
    • Wireshark doo dooo do doo...
    • Wireshark twoo twooo two twoo...
  • Reverse Engineering
    • ARMssembly 0
    • ARMssembly 2
    • ARMssembly 3
    • ARMssembly 4
    • gogo
    • Hurry up! Wait!
    • keygenme-py
    • Let's get dynamic
    • Rolling My Own
    • Shop
    • speeds and feeds
    • Transformation
  • Web Exploitation
    • Ancient History
    • Bithug
    • GET aHEAD
    • It is my Birthday
    • More Cookies
    • Most Cookies
    • Scavenger Hunt
    • Some Assembly Required 1
    • Some Assembly Required 2
    • Some Assembly Required 3
    • Some Assembly Required 4
    • Super Serial
    • Web Gauntlet 2
    • Web Gauntlet 3
    • Who are you?
    • X marks the spot
Powered by GitBook
On this page
  • Problem
  • Solution
  • Flag

Was this helpful?

Edit on GitHub
  1. Forensics

Matryoshka doll

PreviousMacroHard WeakEdgeNextMilkslap

Last updated 2 years ago

Was this helpful?

Problem

Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What's the final one? Image: this

Solution

  1. The problem suggests files places inside of other files, so let's run binwalk dolls.jpg.

    DECIMAL       HEXADECIMAL     DESCRIPTION
    --------------------------------------------------------------------------------
    0             0x0             PNG image, 594 x 1104, 8-bit/color RGBA, non-interlaced
    3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
    272492        0x4286C         Zip archive data, at least v2.0 to extract, compressed size: 378956, uncompressed size: 383938, name: base_images/2_c.jpg
    651614        0x9F15E         End of Zip archive, footer length: 22

    Sure enough, there are several files.

  2. We can extract the files by running binwalk --dd='.*' dolls.jpg and then cd _dolls.jpg.extracted.

  3. After some trial and error, the correct solution is to extract the zip file, cd base_images, and then repeat step 3 on 2_c.jpg.

  4. Now that you are in _2_c.jpg.extracted, extract the zip file and repeat step 3.

  5. Repeat the above steps of extracting and binwalking until you end up at this path: _dolls.jpg.extracted/base_images/_2_c.jpg.extracted/base_images/_3_c.jpg.extracted/base_images/_4_c.jpg.extracted/136DA-(1). There is a flag.txt file in this directory that contains the flag.

Flag

picoCTF{336cf6d51c9d9774fd37196c1d7320ff}

Image