Matryoshka doll is a forensics puzzle worth 30 points.
Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What's the final one?
This puzzle provides the following JPG file
On first glance, this image is fairly large at ~652kb. First, I tried using
exiftool, but nothing interesting was gleaned from the output. Also,
file showed that this isn’t really a JPG:
dolls.jpg: PNG image data, 594 x 1104, 8-bit/color RGBA, non-interlaced
dolls.jpg showed what appeared to be a file name:
Scrolling through this with a hex editor, I saw the header to a zip file, which looks like it contains the aforementioned file:
To pull out the embedded zip file within
dolls.jpg, I used
binwalk. This wasn’t installed on my machine yet, so I installed it with
apt install binwalk.
binwalk -e dolls.jpg, I was able to extract another picture of a smaller doll, which also had a zip file embedded within it. This doll looked the same as the original picture, but slightly smaller. True to its name, this smaller doll had another zip containing another image of a smaller doll inside.
Repeating this process four times eventually yielded
flag.txt, which revealed the flag.
One thought on “picoCTF 2021 Matryoshka doll Writeup”
Pingback: picoCTF Writeups – DMFR SECURITY