The Khatrimaza-org-mkv Apr 2026
Text ID : 3 Format : UTF‑8 Nothing suspicious at first glance, but MKV is a very flexible format – it can hold , extra subtitle tracks , chapters , and binary blobs . Those are typical places for a CTF flag. 3. Extract everything from the container We will use mkvextract (part of mkvtoolnix ) to dump all tracks and attachments.
key = b's3cr3t_k3y_4_f1ag' data = open('hidden.bin', 'rb').read()
if __name__ == '__main__': if len(sys.argv) != 4: print(f'Usage: sys.argv[0] <input.bin> <key> <output.bin>') sys.exit(1)
out = bytes([b ^ key[i % len(key)] for i, b in enumerate(data)]) The Khatrimaza-org-mkv
Conclusion: the flag is in the video/audio tracks. 5. Deep dive into the suspicious attachment – hidden.bin 5.1 Basic inspection $ file hidden.bin hidden.bin: data
Our job is to that the challenge author has concealed somewhere inside the container. 2. Initial Recon $ file khatrimaza-org.mkv khatrimaza-org.mkv: Matroska data, video (V_MPEG4/ISO/AVC), audio (A_AAC), subtitle (S_TEXT/UTF8), 720p, 30 fps The file is a normal MKV with video, audio, and a subtitle track . Next we get a quick look at the container’s structure:
$ steghide extract -sf hidden.bin Enter passphrase: stegextract: No hidden data found No luck. The string “protected” hints at AES‑CTR or XOR protection. We search for a possible key inside the MKV – maybe hidden in the metadata . Text ID : 3 Format : UTF‑8 Nothing
$ binwalk hidden.bin
# 2. List attachments (if any) $ mkvextract attachments khatrimaza-org.mkv :
2 00:00:03,001 --> 00:00:07,000 Enjoy the movie. Nothing hidden in the subtitles – just a generic welcome message. We quickly glance at them with ffprobe just to be sure there’s nothing weird: Extract everything from the container We will use
Comment: s3cr3t_k3y_4_f1ag That looks like a plausible key. Let’s try XOR‑decrypting hidden.bin with that key. We write a tiny Python script that repeats the key over the file and XORs each byte.
open('payload.bin', 'wb').write(out) print('Done – payload written to payload.bin') Run it:
| File | Size | |---------------------|------| | video.h264 | 79 MiB | | audio.aac | 2 MiB | | subtitles.srt | 1 KB | | Roboto-Regular.ttf | 147 KB | | hidden.bin | 6 KB | 4.1 Subtitles ( subtitles.srt ) $ cat subtitles.srt 1 00:00:00,000 --> 00:00:03,000 Welcome to Khatrimaza!
Challenge category: Forensics / Steganography Difficulty: Medium‑Hard Points: 500 (on a typical 500‑point line) 1. Overview The challenge provides a single file: khatrimaza-org.mkv . The file is a regular‑looking Matroska video container (MKV) – the kind you would normally see on the infamous “Khatrimaza” piracy site.
Text ID : 3 Format : UTF‑8 Nothing suspicious at first glance, but MKV is a very flexible format – it can hold , extra subtitle tracks , chapters , and binary blobs . Those are typical places for a CTF flag. 3. Extract everything from the container We will use mkvextract (part of mkvtoolnix ) to dump all tracks and attachments.
key = b's3cr3t_k3y_4_f1ag' data = open('hidden.bin', 'rb').read()
if __name__ == '__main__': if len(sys.argv) != 4: print(f'Usage: sys.argv[0] <input.bin> <key> <output.bin>') sys.exit(1)
out = bytes([b ^ key[i % len(key)] for i, b in enumerate(data)])
Conclusion: the flag is in the video/audio tracks. 5. Deep dive into the suspicious attachment – hidden.bin 5.1 Basic inspection $ file hidden.bin hidden.bin: data
Our job is to that the challenge author has concealed somewhere inside the container. 2. Initial Recon $ file khatrimaza-org.mkv khatrimaza-org.mkv: Matroska data, video (V_MPEG4/ISO/AVC), audio (A_AAC), subtitle (S_TEXT/UTF8), 720p, 30 fps The file is a normal MKV with video, audio, and a subtitle track . Next we get a quick look at the container’s structure:
$ steghide extract -sf hidden.bin Enter passphrase: stegextract: No hidden data found No luck. The string “protected” hints at AES‑CTR or XOR protection. We search for a possible key inside the MKV – maybe hidden in the metadata .
$ binwalk hidden.bin
# 2. List attachments (if any) $ mkvextract attachments khatrimaza-org.mkv :
2 00:00:03,001 --> 00:00:07,000 Enjoy the movie. Nothing hidden in the subtitles – just a generic welcome message. We quickly glance at them with ffprobe just to be sure there’s nothing weird:
Comment: s3cr3t_k3y_4_f1ag That looks like a plausible key. Let’s try XOR‑decrypting hidden.bin with that key. We write a tiny Python script that repeats the key over the file and XORs each byte.
open('payload.bin', 'wb').write(out) print('Done – payload written to payload.bin') Run it:
| File | Size | |---------------------|------| | video.h264 | 79 MiB | | audio.aac | 2 MiB | | subtitles.srt | 1 KB | | Roboto-Regular.ttf | 147 KB | | hidden.bin | 6 KB | 4.1 Subtitles ( subtitles.srt ) $ cat subtitles.srt 1 00:00:00,000 --> 00:00:03,000 Welcome to Khatrimaza!
Challenge category: Forensics / Steganography Difficulty: Medium‑Hard Points: 500 (on a typical 500‑point line) 1. Overview The challenge provides a single file: khatrimaza-org.mkv . The file is a regular‑looking Matroska video container (MKV) – the kind you would normally see on the infamous “Khatrimaza” piracy site.