The Khatrimaza-org-mkv »

$ cat payload.bin | head -5 HTBmkv_5t34g_1s_4lw4ys_5urpr1s1ng Bingo! The flag is clearly visible. | Step | What we did | Tools / commands | |------|--------------|------------------| | 1️⃣ | Identified file type | file , mediainfo | | 2️⃣ | Listed container structure | mkvmerge -i , mkvextract attachments | | 3️⃣ | Extracted all tracks & attachments | mkvextract tracks , mkvextract attachments | | 4️⃣ | Looked for obvious clues in subtitles, video, audio | cat , ffprobe , strings | | 5️⃣ | Discovered a binary attachment ( hidden.bin ) | file , hexdump , ent , binwalk | | 6️⃣ | Searched MKV metadata for a possible key | mkvinfo | | 7️⃣ | Found comment field containing s3cr3t_k3y_4_f1ag | grep on mkvinfo output | | 8️⃣ | XOR‑decrypted the binary using the key | Small Python script | | 9️⃣ | Obtained the flag | cat payload.bin |

| File | Size | |---------------------|------| | video.h264 | 79 MiB | | audio.aac | 2 MiB | | subtitles.srt | 1 KB | | Roboto-Regular.ttf | 147 KB | | hidden.bin | 6 KB | 4.1 Subtitles ( subtitles.srt ) $ cat subtitles.srt 1 00:00:00,000 --> 00:00:03,000 Welcome to Khatrimaza!

def xor(data, key): return bytes(b ^ k for b, k in zip(data, itertools.cycle(key))) The Khatrimaza-org-mkv

Audio ID : 2 Format : AAC Channel(s) : 2 channels Sampling rate : 44.1 kHz Bit rate : 128 kb/s

# 1. List the tracks + attachments $ mkvmerge -i khatrimaza-org.mkv File 'khatrimaza-org.mkv': container: Matroska Track ID 0: video (V_MPEG4/ISO/AVC) Track ID 1: audio (A_AAC) Track ID 2: subtitles (S_TEXT/UTF8) $ cat payload

DECIMAL HEXadecimal DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 Unknown file type (0x42494E41) No known signature (e.g., gzip, zip, 7z) is detected. steghide , zsteg , exiftool can sometimes extract hidden payloads from generic binaries.

Comment: s3cr3t_k3y_4_f1ag That looks like a plausible key. Let’s try XOR‑decrypting hidden.bin with that key. We write a tiny Python script that repeats the key over the file and XORs each byte. def xor(data, key): return bytes(b ^ k for

key = b's3cr3t_k3y_4_f1ag' data = open('hidden.bin', 'rb').read()

Attachment ID 0: font (fonts/Roboto-Regular.ttf) size: 147,896 bytes Attachment ID 1: binary (attachments/hidden.bin) size: 6,432 bytes The second attachment ( hidden.bin ) looks like a generic binary blob – a classic place for a flag. We extract everything:

out = bytes([b ^ key[i % len(key)] for i, b in enumerate(data)])

#!/usr/bin/env python3 import sys

$ cat payload.bin | head -5 HTBmkv_5t34g_1s_4lw4ys_5urpr1s1ng Bingo! The flag is clearly visible. | Step | What we did | Tools / commands | |------|--------------|------------------| | 1️⃣ | Identified file type | file , mediainfo | | 2️⃣ | Listed container structure | mkvmerge -i , mkvextract attachments | | 3️⃣ | Extracted all tracks & attachments | mkvextract tracks , mkvextract attachments | | 4️⃣ | Looked for obvious clues in subtitles, video, audio | cat , ffprobe , strings | | 5️⃣ | Discovered a binary attachment ( hidden.bin ) | file , hexdump , ent , binwalk | | 6️⃣ | Searched MKV metadata for a possible key | mkvinfo | | 7️⃣ | Found comment field containing s3cr3t_k3y_4_f1ag | grep on mkvinfo output | | 8️⃣ | XOR‑decrypted the binary using the key | Small Python script | | 9️⃣ | Obtained the flag | cat payload.bin |

| File | Size | |---------------------|------| | video.h264 | 79 MiB | | audio.aac | 2 MiB | | subtitles.srt | 1 KB | | Roboto-Regular.ttf | 147 KB | | hidden.bin | 6 KB | 4.1 Subtitles ( subtitles.srt ) $ cat subtitles.srt 1 00:00:00,000 --> 00:00:03,000 Welcome to Khatrimaza!

def xor(data, key): return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))

Audio ID : 2 Format : AAC Channel(s) : 2 channels Sampling rate : 44.1 kHz Bit rate : 128 kb/s

# 1. List the tracks + attachments $ mkvmerge -i khatrimaza-org.mkv File 'khatrimaza-org.mkv': container: Matroska Track ID 0: video (V_MPEG4/ISO/AVC) Track ID 1: audio (A_AAC) Track ID 2: subtitles (S_TEXT/UTF8)

DECIMAL HEXadecimal DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 Unknown file type (0x42494E41) No known signature (e.g., gzip, zip, 7z) is detected. steghide , zsteg , exiftool can sometimes extract hidden payloads from generic binaries.

Comment: s3cr3t_k3y_4_f1ag That looks like a plausible key. Let’s try XOR‑decrypting hidden.bin with that key. We write a tiny Python script that repeats the key over the file and XORs each byte.

key = b's3cr3t_k3y_4_f1ag' data = open('hidden.bin', 'rb').read()

Attachment ID 0: font (fonts/Roboto-Regular.ttf) size: 147,896 bytes Attachment ID 1: binary (attachments/hidden.bin) size: 6,432 bytes The second attachment ( hidden.bin ) looks like a generic binary blob – a classic place for a flag. We extract everything:

out = bytes([b ^ key[i % len(key)] for i, b in enumerate(data)])

#!/usr/bin/env python3 import sys