Description
Matryoshka dolls are nested -- can you extract the flag from this nested image? Download dolls.jpg.
Setup
Download dolls.jpg.
Solution
- Step 1: Scan for embedded files with binwalk
  Run binwalk on dolls.jpg. It will report additional file signatures embedded inside the JPEG -- specifically nested PNG files and ZIP archives. Extract everything with the --dd flag.
      binwalk dolls.jpg
      binwalk --dd='.*' dolls.jpg
Learn more
binwalk scans a binary file for known file format magic bytes (signatures). A JPEG file starts with bytes FF D8 FF; a ZIP file starts with 50 4B 03 04; a PNG with 89 50 4E 47. binwalk identifies these signatures at any offset, revealing files hidden after or within the primary file.
The --dd='.*' flag tells binwalk to extract all recognized signatures to a directory named _dolls.jpg.extracted/. Without this flag, binwalk only reports offsets but does not extract.
- Step 2: Repeat extraction on each nested image
  Navigate into the extracted directory and find the nested image file. Run binwalk --dd='.*' on it. Repeat this process four times total -- each image contains another image inside it. After the fourth extraction, you will find flag.txt.
      cd _dolls.jpg.extracted/
      binwalk --dd='.*' base_images/2_c.jpg
      binwalk --dd='.*' base_images/3_c.jpg
      binwalk --dd='.*' base_images/4_c.jpg
      cat flag.txt
Learn more
This is a steganography-by-polyglot technique: a file that is simultaneously a valid JPEG (the outer image) and a ZIP archive (containing the inner image). Most image viewers display only the JPEG portion and ignore the trailing data. The challenge nests four layers deep, mimicking a Matryoshka (Russian nesting doll).
The base_images/ directory convention comes from binwalk's extraction naming -- it creates subdirectories based on the offset where the nested file was found. The final flag.txt appears as a plain text file inside the innermost archive.
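The signature scan and layer-by-layer unwrapping described in the two steps above, as an added Python example that is not part of the original writeup and is not binwalk's code. The sample file, FAKE_JPEG, the FLAG{...} value and the function names are constructed for illustration; the same check can flag image uploads that carry an appended archive.

```python
import io
import zipfile

# Magic bytes named above: JPEG, ZIP local file header, PNG.
SIGNATURES = {"jpeg": b"\xff\xd8\xff", "zip": b"PK\x03\x04", "png": b"\x89PNG"}
# Constructed stand-in for image data (start/end markers only, not a real picture).
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"

def scan(data):
    """Report (offset, kind) for every signature hit at any offset."""
    hits = []
    for kind, magic in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def peel(data, depth=0, max_depth=16):
    """Unwrap image+ZIP layers; return (archives opened, members of the innermost one)."""
    if depth >= max_depth:  # bound recursion on hostile input
        raise ValueError("nesting exceeds max_depth")
    if not any(kind == "zip" and off > 0 for off, kind in scan(data)):
        return depth, {}
    try:
        # zipfile locates the central directory from the end of the file,
        # so the image bytes in front of the archive are tolerated.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = {name: zf.read(name) for name in zf.namelist()}
    except zipfile.BadZipFile:  # signature was a coincidental byte match
        return depth, {}
    for body in members.values():
        if body.startswith((SIGNATURES["jpeg"], SIGNATURES["png"])):
            return peel(body, depth + 1, max_depth)
    return depth + 1, members

def build_sample(layers=4):
    """Build a constructed nested polyglot shaped like the challenge file."""
    payload, name = b"FLAG{constructed-sample}\n", "flag.txt"
    for i in range(layers, 0, -1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, payload)
        payload, name = FAKE_JPEG + buf.getvalue(), f"base_images/{i}_c.jpg"
    return payload

if __name__ == "__main__":
    sample = build_sample()
    print(scan(sample)[:2])
    print(peel(sample))
```
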
Flag
picoCTF{...}
binwalk detects file format magic bytes inside any binary -- files can be nested arbitrarily and binwalk will find them all.