picoCTF Matryoshka doll writeup

Matryoshka doll

This time, we’ll try to solve the Matryoshka doll challenge on picoCTF.

The description of this challenge says: “Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What’s the final one?” It comes with an image called dolls.jpg.

When you download the image, it shows only one doll, not several dolls as the file name suggests. So where are the other dolls? Like a Matryoshka doll, the other dolls (and the flag) are hidden inside this image file.

The tool of choice for this kind of challenge is called binwalk. It looks for files inside other files.

So let’s extract all the dolls and the flag from dolls.jpg.

binwalk -eM dolls.jpg

Scan Time:     2022-02-07 13:37:02
Target File:   /home/dominik/picoCTF/Matryoshka_doll/dolls.jpg
MD5 Checksum:  a014c36d8af2652b08c009fc00bb1597
Signatures:    391

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 594 x 1104, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
272492        0x4286C         Zip archive data, at least v2.0 to extract, compressed size: 378956, uncompressed size: 383938, name: base_images/2_c.jpg
651614        0x9F15E         End of Zip archive, footer length: 22


Scan Time:     2022-02-07 13:37:03
Target File:   /home/dominik/picoCTF/Matryoshka_doll/_dolls.jpg.extracted/base_images/2_c.jpg
MD5 Checksum:  f407f8aea8d5f8ffaf8cfd567f063cdd
Signatures:    391

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 526 x 1106, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
187707        0x2DD3B         Zip archive data, at least v2.0 to extract, compressed size: 196043, uncompressed size: 201445, name: base_images/3_c.jpg
383805        0x5DB3D         End of Zip archive, footer length: 22
383916        0x5DBAC         End of Zip archive, footer length: 22


Scan Time:     2022-02-07 13:37:03
Target File:   /home/dominik/picoCTF/Matryoshka_doll/_dolls.jpg.extracted/base_images/_2_c.jpg.extracted/base_images/3_c.jpg
MD5 Checksum:  783ef3f85e2f73120323623e3acd8547
Signatures:    391

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 428 x 1104, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
123606        0x1E2D6         Zip archive data, at least v2.0 to extract, compressed size: 77651, uncompressed size: 79808, name: base_images/4_c.jpg
201423        0x312CF         End of Zip archive, footer length: 22


Scan Time:     2022-02-07 13:37:03
Target File:   /home/dominik/picoCTF/Matryoshka_doll/_dolls.jpg.extracted/base_images/_2_c.jpg.extracted/base_images/_3_c.jpg.extracted/base_images/4_c.jpg
MD5 Checksum:  0d871e3f9784f4bf15fb00a790625ac9
Signatures:    391

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 320 x 768, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
79578         0x136DA         Zip archive data, at least v2.0 to extract, compressed size: 64, uncompressed size: 81, name: flag.txt
79786         0x137AA         End of Zip archive, footer length: 22

I’ve used two options with the binwalk command. The first option, -e, extracts the files found in the given file. The second option, -M, is the Matryoshka option for recursive operation: it scans every file extracted from the original file for further hidden files.

So we get a chain of nested directories with dolls, and the last one contains flag.txt.
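What the recursive extraction does at each layer, as an added Python example (not part of the original writeup and not binwalk's own code): it walks the PNG chunks to the end of IEND, treats the bytes appended after it as a ZIP archive, and repeats on the first member. The sample input is constructed; the archive sitting directly after IEND, the first-member choice, the depth limit and the size cap are assumptions.

```python
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def png_end(data):
    """Offset just past the IEND chunk, or None if data is not a complete PNG."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def unwrap(data, max_depth=16, max_member=50 << 20):
    """Peel PNG -> appended ZIP -> first member; returns ([(offset, name)], innermost)."""
    layers = []
    for _ in range(max_depth):  # assumed depth limit against endless nesting
        end = png_end(data)
        if end is None or end == len(data):
            break  # not a PNG, or nothing appended after IEND
        tail = io.BytesIO(data[end:])
        if not zipfile.is_zipfile(tail):
            break  # trailing bytes exist but are not an archive
        with zipfile.ZipFile(tail) as zf:
            info = zf.infolist()[0]
            if info.file_size > max_member:  # assumed cap against zip bombs
                raise ValueError("member too large: %s" % info.filename)
            data = zf.read(info)
        layers.append((end, info.filename))
    return layers, data

def _chunk(ctype, payload=b""):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def make_doll(name, inner):  # constructed sample: PNG stub + appended ZIP holding inner
    png = PNG_MAGIC + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)) + _chunk(b"IEND")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, inner)
    return png + buf.getvalue()

SAMPLE_FLAG = b"constructed-sample-flag\n"  # placeholder, not the challenge flag
sample = make_doll("base_images/2_c.jpg", make_doll("base_images/3_c.jpg", make_doll("flag.txt", SAMPLE_FLAG)))
```

Calling unwrap(sample) returns the offset of the appended data and the member name for each layer, plus the innermost bytes. The same png_end check flags any PNG that carries data after IEND.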

That’s it for the picoCTF Matryoshka doll challenge.

Please take a look at my other CTF-WriteUps.
