The Khatrimaza-org-mkv 🔖 ⭐
DECIMAL HEXadecimal DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 Unknown file type (0x42494E41) No known signature (e.g., gzip, zip, 7z) is detected. steghide , zsteg , exiftool can sometimes extract hidden payloads from generic binaries.
if __name__ == '__main__': if len(sys.argv) != 4: print(f'Usage: sys.argv[0] <input.bin> <key> <output.bin>') sys.exit(1)
open('payload.bin', 'wb').write(out) print('Done – payload written to payload.bin') Run it:
inp, key, outp = sys.argv[1], sys.argv[2].encode(), sys.argv[3] data = open(inp, 'rb').read() open(outp, 'wb').write(xor(data, key)) print(f'Decrypted inp → outp using key "key.decode()"') Run: The Khatrimaza-org-mkv
$ mediainfo khatrimaza-org.mkv General Complete name : khatrimaza-org.mkv Format : Matroska File size : 84.3 MiB Duration : 00:03:45.000 Overall bit rate : 2 028 kb/s
$ python3 xor.py hidden.bin s3cr3t_k3y_4_f1ag payload.bin 🎉
Attachment ID 0: font (fonts/Roboto-Regular.ttf) size: 147,896 bytes Attachment ID 1: binary (attachments/hidden.bin) size: 6,432 bytes The second attachment ( hidden.bin ) looks like a generic binary blob – a classic place for a flag. We extract everything: We extract everything: | File | Size |
| File | Size | |---------------------|------| | video.h264 | 79 MiB | | audio.aac | 2 MiB | | subtitles.srt | 1 KB | | Roboto-Regular.ttf | 147 KB | | hidden.bin | 6 KB | 4.1 Subtitles ( subtitles.srt ) $ cat subtitles.srt 1 00:00:00,000 --> 00:00:03,000 Welcome to Khatrimaza!
$ binwalk hidden.bin
out = bytes([b ^ key[i % len(key)] for i, b in enumerate(data)]) Deep dive into the suspicious attachment – hidden
Conclusion: the flag is in the video/audio tracks. 5. Deep dive into the suspicious attachment – hidden.bin 5.1 Basic inspection $ file hidden.bin hidden.bin: data
Text ID : 3 Format : UTF‑8 Nothing suspicious at first glance, but MKV is a very flexible format – it can hold , extra subtitle tracks , chapters , and binary blobs . Those are typical places for a CTF flag. 3. Extract everything from the container We will use mkvextract (part of mkvtoolnix ) to dump all tracks and attachments.
Comment: s3cr3t_k3y_4_f1ag That looks like a plausible key. Let’s try XOR‑decrypting hidden.bin with that key. We write a tiny Python script that repeats the key over the file and XORs each byte.
ffprobe -show_streams video.h264 ffprobe -show_streams audio.aac Both streams look clean (no extra data or unusual codec parameters). We also run strings on them, but no flag‑like patterns appear.
mkvextract tracks khatrimaza-org.mkv 0:video.h264 1:audio.aac 2:subtitles.srt mkvextract attachments khatrimaza-org.mkv 0:Roboto-Regular.ttf 1:hidden.bin Now we have the following files in our working directory: