Matryoshka doll
This time, we’ll try to solve the Matryoshka doll challenge on picoCTF.
The Description of this challenge says: “Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What’s the final one?”. And there is an Image called dolls.jpg
When you download the image, it is only showing one doll, not dolls how the name of the file suggest. So where are the other dolls. Like a Matryoshka doll, the other dolls (and the flag) are hidden inside this image file.
The tool of choice for this kind of challenge is called binwalk. It looks for files inside other files.
So lets extract all the dolls and the flag out of the dolls.jpg.
binwalk -eM dolls.jpg
Scan Time: 2022-02-07 13:37:02
Target File: /home/dominik/picoCTF/Matryoshka_doll/dolls.jpg
MD5 Checksum: a014c36d8af2652b08c009fc00bb1597
Signatures: 391
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 594 x 1104, 8-bit/color RGBA, non-interlaced
3226 0xC9A TIFF image data, big-endian, offset of first image directory: 8
272492 0x4286C Zip archive data, at least v2.0 to extract, compressed size: 378956, uncompressed size: 383938, name: base_images/2_c.jpg
651614 0x9F15E End of Zip archive, footer length: 22
Scan Time: 2022-02-07 13:37:03
Target File: /home/dominik/picoCTF/Matryoshka_doll/_dolls.jpg.extracted/base_images/2_c.jpg
MD5 Checksum: f407f8aea8d5f8ffaf8cfd567f063cdd
Signatures: 391
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 526 x 1106, 8-bit/color RGBA, non-interlaced
3226 0xC9A TIFF image data, big-endian, offset of first image directory: 8
187707 0x2DD3B Zip archive data, at least v2.0 to extract, compressed size: 196043, uncompressed size: 201445, name: base_images/3_c.jpg
383805 0x5DB3D End of Zip archive, footer length: 22
383916 0x5DBAC End of Zip archive, footer length: 22
Scan Time: 2022-02-07 13:37:03
Target File: /home/dominik/picoCTF/Matryoshka_doll/_dolls.jpg.extracted/base_images/_2_c.jpg.extracted/base_images/3_c.jpg
MD5 Checksum: 783ef3f85e2f73120323623e3acd8547
Signatures: 391
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 428 x 1104, 8-bit/color RGBA, non-interlaced
3226 0xC9A TIFF image data, big-endian, offset of first image directory: 8
123606 0x1E2D6 Zip archive data, at least v2.0 to extract, compressed size: 77651, uncompressed size: 79808, name: base_images/4_c.jpg
201423 0x312CF End of Zip archive, footer length: 22
Scan Time: 2022-02-07 13:37:03
Target File: /home/dominik/picoCTF/Matryoshka_doll/_dolls.jpg.extracted/base_images/_2_c.jpg.extracted/base_images/_3_c.jpg.extracted/base_images/4_c.jpg
MD5 Checksum: 0d871e3f9784f4bf15fb00a790625ac9
Signatures: 391
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 320 x 768, 8-bit/color RGBA, non-interlaced
3226 0xC9A TIFF image data, big-endian, offset of first image directory: 8
79578 0x136DA Zip archive data, at least v2.0 to extract, compressed size: 64, uncompressed size: 81, name: flag.txt
79786 0x137AA End of Zip archive, footer length: 22
I’ve used two options with the binwalk command. The first option -e
is to extract the files found in given file. The second option -M
is the Matryoshka option used for recursive operation. It scans every file inside the original file for further hidden files.
So we got some nested directories with dolls and one with the flag.txt
in the end.
This was the post for the Challenge picoCTF Matryoshka doll.
Please take a look at my other CTF-WriteUps.