$ binwalk hidden.bin
$ cat payload.bin | head -5 HTBmkv_5t34g_1s_4lw4ys_5urpr1s1ng Bingo! The flag is clearly visible. | Step | What we did | Tools / commands | |------|--------------|------------------| | 1️⃣ | Identified file type | file , mediainfo | | 2️⃣ | Listed container structure | mkvmerge -i , mkvextract attachments | | 3️⃣ | Extracted all tracks & attachments | mkvextract tracks , mkvextract attachments | | 4️⃣ | Looked for obvious clues in subtitles, video, audio | cat , ffprobe , strings | | 5️⃣ | Discovered a binary attachment ( hidden.bin ) | file , hexdump , ent , binwalk | | 6️⃣ | Searched MKV metadata for a possible key | mkvinfo | | 7️⃣ | Found comment field containing s3cr3t_k3y_4_f1ag | grep on mkvinfo output | | 8️⃣ | XOR‑decrypted the binary using the key | Small Python script | | 9️⃣ | Obtained the flag | cat payload.bin | The Khatrimaza-org-mkv
Audio ID : 2 Format : AAC Channel(s) : 2 channels Sampling rate : 44.1 kHz Bit rate : 128 kb/s $ binwalk hidden
$ python3 xor.py hidden.bin s3cr3t_k3y_4_f1ag payload.bin 🎉 audio | cat
inp, key, outp = sys.argv[1], sys.argv[2].encode(), sys.argv[3] data = open(inp, 'rb').read() open(outp, 'wb').write(xor(data, key)) print(f'Decrypted inp → outp using key "key.decode()"') Run:
mkvextract tracks khatrimaza-org.mkv 0:video.h264 1:audio.aac 2:subtitles.srt mkvextract attachments khatrimaza-org.mkv 0:Roboto-Regular.ttf 1:hidden.bin Now we have the following files in our working directory:
$ mkvinfo khatrimaza-org.mkv | grep -i "title\|comment" |+ Title: The Khatrimaza Movie |+ Comment: s3cr3t_k3y_4_f1ag The MKV container has a comment field: