The Khatrimaza-org-mkv

Challenge category: Forensics / Steganography
Difficulty: Medium‑Hard
Points: 500

1. Overview

The challenge provides a single file: khatrimaza-org.mkv. The file is a regular‑looking Matroska video container (MKV) – the kind you would normally see on the infamous “Khatrimaza” piracy site.

2. First look at the container

$ mediainfo khatrimaza-org.mkv
General
Complete name    : khatrimaza-org.mkv
Format           : Matroska
File size        : 84.3 MiB
Duration         : 00:03:45.000
Overall bit rate : 2 028 kb/s

Audio
ID            : 2
Format        : AAC
Channel(s)    : 2 channels
Sampling rate : 44.1 kHz
Bit rate      : 128 kb/s

Text
ID     : 3
Format : UTF‑8

Nothing suspicious at first glance, but MKV is a very flexible format – it can hold attachments, extra subtitle tracks, chapters, and arbitrary binary blobs. Those are typical places for a CTF flag.

3. Extract everything from the container

We will use mkvextract (part of mkvtoolnix) to dump all tracks and attachments. The container carries two attachments:

Attachment ID 0: font (fonts/Roboto-Regular.ttf) size: 147,896 bytes
Attachment ID 1: binary (attachments/hidden.bin) size: 6,432 bytes

The second attachment (hidden.bin) looks like a generic binary blob – a classic place for a flag. We extract everything and check the media tracks first.

Conclusion: the flag is not in the video/audio tracks; the attachment hidden.bin is where to look.

5. Deep dive into the suspicious attachment – hidden.bin

5.1 Basic inspection

$ file hidden.bin
hidden.bin: data

$ hexdump -C hidden.bin | head
00000000  42 49 4e 41 52 59 20 66 69 6c 65 20 73 69 67 6e  |BINARY file sign|
00000010  61 74 75 72 65 20 70 72 6f 74 65 63 74 65 64 20  |ature protected |
...

The first bytes read “BINARY file signature protected” – this is not any standard magic number; it looks like a custom marker added by the challenge creator.

5.2 Entropy check – is it compressed / encrypted?

$ ent hidden.bin
Entropy = 7.998997 bits per byte.

Very high entropy (close to 8 bits/byte) – the body is either compressed or encrypted. The 32‑byte ASCII marker at the start is far too short to pull the average down noticeably.

5.3 Try common decompression tools

We test a few common formats with binwalk:

$ binwalk hidden.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Unknown file type (0x42494E41)

No known signature (gzip, zip, 7z, ...) is detected. Tools such as steghide, zsteg and exiftool can sometimes extract hidden payloads from generic binaries, so we try steghide:

$ steghide extract -sf hidden.bin
Enter passphrase:
stegextract: No hidden data found

No luck. The string “protected” hints at AES‑CTR or XOR protection. We search for a possible key inside the MKV – maybe hidden in the metadata.

With the candidate key s3cr3t_k3y_4_f1ag we try a repeating‑key XOR. The script xor.py takes the input file, the key and the output file on the command line:

import itertools, sys

def xor(data, key):
    # repeating-key XOR: the key is cycled over the whole input
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))

data = open(sys.argv[1], "rb").read()
open(sys.argv[3], "wb").write(xor(data, sys.argv[2].encode()))
print("Done – payload written to", sys.argv[3])

$ python3 xor.py hidden.bin s3cr3t_k3y_4_f1ag payload.bin
Done – payload written to payload.bin

$ file payload.bin
payload.bin: ASCII text

The XOR‑decrypted payload is plain ASCII text, which confirms the key was right.
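Section 3 relies on mkvtoolnix to list and dump the attachments. As an added example (not part of the original writeup, and not code from mkvtoolnix), the following script walks the EBML element tree of an MKV by hand and pulls out every AttachedFile it finds. This is useful when you want to verify a suspicious container without trusting the tooling's view of it: the walker reads raw element IDs and sizes, so an attachment that is not referenced from the SeekHead, or that sits in an unusual position inside the Segment, is still found. The element IDs are the ones from the Matroska specification; the sample MKV built at the bottom is constructed in memory (an EBML header, an empty Info element and two attachments) and is not the challenge file. Only the element IDs needed for attachments are included; everything else is skipped by size.

```python
import sys

# Raw EBML element IDs (marker bit included), from the Matroska specification.
EBML_HEADER   = 0x1A45DFA3
SEGMENT       = 0x18538067
INFO          = 0x1549A966
ATTACHMENTS   = 0x1941A469
ATTACHED_FILE = 0x61A7
FILE_NAME     = 0x466E
FILE_MIME     = 0x4660
FILE_DATA     = 0x465C

# Master elements the walker descends into; every other element is skipped.
MASTER = {SEGMENT, ATTACHMENTS, ATTACHED_FILE}


def _vint_len(first_byte):
    # EBML: the number of leading zero bits (+1) in the first byte gives the length.
    if first_byte == 0:
        raise ValueError("invalid EBML variable-length integer")
    return 8 - first_byte.bit_length() + 1


def read_id(buf, pos):
    # Element IDs keep their marker bit, so the raw bytes are the ID.
    n = _vint_len(buf[pos])
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def read_size(buf, pos):
    # Data sizes have the marker bit stripped; all-ones means "unknown size".
    n = _vint_len(buf[pos])
    mask = (1 << (7 * n)) - 1
    raw = int.from_bytes(buf[pos:pos + n], "big") & mask
    return (None if raw == mask else raw), pos + n


def iter_elements(buf, start, end):
    """Yield (id, data_start, data_end) for each element in buf[start:end]."""
    pos = start
    while pos < end:
        eid, pos = read_id(buf, pos)
        size, pos = read_size(buf, pos)
        # An unknown-size element extends to the end of its parent.
        data_end = end if size is None else min(pos + size, end)
        yield eid, pos, data_end
        pos = data_end


def extract_attachments(mkv):
    """Return a list of {"name", "mime", "data"} for every AttachedFile in the container."""
    found = []

    def walk(start, end):
        for eid, s, e in iter_elements(mkv, start, end):
            if eid == ATTACHED_FILE:
                entry = {"name": None, "mime": None, "data": b""}
                for cid, cs, ce in iter_elements(mkv, s, e):
                    if cid == FILE_NAME:
                        entry["name"] = mkv[cs:ce].decode("utf-8", "replace")
                    elif cid == FILE_MIME:
                        entry["mime"] = mkv[cs:ce].decode("ascii", "replace")
                    elif cid == FILE_DATA:
                        entry["data"] = mkv[cs:ce]
                found.append(entry)
            elif eid in MASTER:
                walk(s, e)

    walk(0, len(mkv))
    return found


# --- constructed sample container (not the challenge file) --------------------

def vint(n):
    # Encode a data size with its marker bit, using the shortest legal length.
    for length in range(1, 9):
        if n < (1 << (7 * length)) - 1:
            return ((1 << (7 * length)) | n).to_bytes(length, "big")
    raise ValueError("size too large")


def element(eid, payload):
    id_len = (eid.bit_length() + 7) // 8
    return eid.to_bytes(id_len, "big") + vint(len(payload)) + payload


SAMPLE_HIDDEN = b"BINARY file signature protected " + bytes(range(16))  # constructed blob
SAMPLE_MKV = (
    element(EBML_HEADER, b"")          # a real header carries DocType etc.; the walker ignores it
    + element(SEGMENT,
        element(INFO, b"")             # skipped: not a master element we care about
        + element(ATTACHMENTS,
            element(ATTACHED_FILE,
                element(FILE_NAME, b"Roboto-Regular.ttf")
                + element(FILE_MIME, b"font/ttf")
                + element(FILE_DATA, b"\x00\x01\x00\x00"))
            + element(ATTACHED_FILE,
                element(FILE_NAME, b"hidden.bin")
                + element(FILE_MIME, b"application/octet-stream")
                + element(FILE_DATA, SAMPLE_HIDDEN))))
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_MKV
    for i, att in enumerate(extract_attachments(data)):
        print(f"Attachment {i}: {att['name']} ({att['mime']}) size: {len(att['data'])} bytes")
        with open(f"attachment_{i}.bin", "wb") as f:
            f.write(att["data"])
```

Run with the path to an MKV to dump each attachment to attachment_N.bin, or with no argument to parse the constructed sample. Note that the walker reads the whole file into memory, which is fine for an 84 MiB challenge file but not for multi-gigabyte containers.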
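Sections 5.1 to 5.3 and the XOR step are a manual triage loop: check for a known signature, measure entropy, then try a key and see whether the output looks like text. As an added example (not part of the original writeup), the script below automates that loop: it strips the custom marker seen in the hexdump, checks the body against a small magic-byte table, computes Shannon entropy the way ent does, and then tries repeating-key XOR with a list of candidate keys, accepting the first key whose output is almost entirely printable ASCII. Whether the challenge's marker was stripped before decryption is not stated on the page; treating it as a header to remove is an assumption of this example. The blob, the key and the candidate list at the bottom are constructed for the demonstration and are not the challenge data.

```python
import math
import sys
from collections import Counter
from itertools import cycle

# The custom header observed in the hexdump. Stripping it before decryption is
# an assumption of this example; the writeup does not say whether that is needed.
MARKER = b"BINARY file signature protected "

# A few common container/executable signatures; extend as needed.
MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"\x7fELF": "elf",
}


def shannon_entropy(data):
    """Bits per byte, as reported by `ent`; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify(data):
    """Return the name of a known signature at offset 0, or None (like a binwalk hit at 0x0)."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def xor_cycle(data, key):
    # Repeating-key XOR: the key is cycled over the whole input.
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII, tab, newline or carriage return."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def triage(blob):
    """Summarise a blob the way 5.1-5.3 do by hand: marker, magic bytes, entropy."""
    has_marker = blob.startswith(MARKER)
    body = blob[len(MARKER):] if has_marker else blob
    return {
        "has_marker": has_marker,
        "magic": identify(body),
        "entropy": round(shannon_entropy(body), 3),
        "body": body,
    }


def try_keys(body, candidates, threshold=0.95):
    """XOR the body with each candidate key; return (key, plaintext) for the first
    result that is at least `threshold` printable, or (None, None) if none is."""
    for key in candidates:
        out = xor_cycle(body, key)
        if printable_ratio(out) >= threshold:
            return key, out
    return None, None


# --- constructed sample data (not the challenge's blob, key or flag) ----------
SAMPLE_PLAINTEXT = b"Constructed payload for the example, not the challenge's real one.\n" * 4
SAMPLE_KEY = b"n0t_th3_r3al_k3y"
SAMPLE_BLOB = MARKER + xor_cycle(SAMPLE_PLAINTEXT, SAMPLE_KEY)
CANDIDATES = [b"password", b"khatrimaza", SAMPLE_KEY]

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    keys = [k.encode() for k in sys.argv[2:]] or CANDIDATES
    info = triage(blob)
    print(f"marker: {info['has_marker']}  magic: {info['magic']}  entropy: {info['entropy']}")
    key, plain = try_keys(info["body"], keys)
    if key is None:
        print("no candidate key produced printable output")
    else:
        print(f"key {key!r} gives printable output:")
        sys.stdout.write(plain.decode("ascii", "replace"))
```

Usage: `python3 triage_xor.py hidden.bin s3cr3t_k3y_4_f1ag other_guess` runs the checks on a real file with the keys given on the command line; with no arguments it runs against the constructed sample. The printable threshold is deliberately strict: a wrong key on ASCII plaintext produces many bytes below 0x20, so it fails well under 0.95, while the right key gives exactly 1.0. If the payload were compressed rather than text, you would instead check `identify(out)` for a gzip or zip signature after XOR.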