picoCTF 2021 Matryoshka doll Writeup

Matryoshka doll is a forensics puzzle worth 30 points.


Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What's the final one?

This puzzle provides the following JPG file dolls.jpg


On first glance, this image is fairly large at ~652kb. First, I tried using exiftool, but nothing interesting was gleaned from the output. Also, file showed that this isn’t really a JPG:

dolls.jpg: PNG image data, 594 x 1104, 8-bit/color RGBA, non-interlaced

Running strings against dolls.jpg showed what appeared to be a file name: base_images/2_c.jpg

Scrolling through this with a hex editor, I saw the header to a zip file, which looks like it contains the aforementioned file:

To pull out the embedded zip file within dolls.jpg, I used binwalk. This wasn’t installed on my machine yet, so I installed it with apt install binwalk.

Using binwalk -e dolls.jpg, I was able to extract another picture of a smaller doll, which also had a zip file embedded within it. This doll looked the same as the original picture, but slightly smaller. True to its name, this smaller doll had another zip containing another image of a smaller doll inside.

Repeating this process four times eventually yielded flag.txt, which revealed the flag.

One thought on “picoCTF 2021 Matryoshka doll Writeup

  1. Pingback: picoCTF Writeups – DMFR SECURITY

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s