picoCTF Matryoshka Doll Write Up

Details:

Points: 30

Jeopardy style CTF

Category: Forensics

Comments: Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What's the final one?

Write up:

My first step here was to binwalk the image provided, I saw that there was data so I extracted this:

binwalk -D=".*" dolls.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 594 x 1104, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
272492        0x4286C         Zip archive data, at least v2.0 to extract, compressed size: 378954, uncompressed size: 383940, name: base_images/2_c.jpg
651612        0x9F15C         End of Zip archive, footer length: 22

I then extracted the zip file and extracted the image inside of there:

binwalk -D=".*" 2_c.jpg    

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 526 x 1106, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
187707        0x2DD3B         Zip archive data, at least v2.0 to extract, compressed size: 196045, uncompressed size: 201447, name: base_images/3_c.jpg
383807        0x5DB3F         End of Zip archive, footer length: 22
383918        0x5DBAE         End of Zip archive, footer length: 22

I then had to do this 2 more times before I found the flag.txt which when cat'ed gave me the flag:

cat flag.txt            
picoCTF{e3f378fe6c1ea7f6bc5ac2c3d6801c1f}