$ mkvinfo khatrimaza-org.mkv | grep -i "title\|comment" |+ Title: The Khatrimaza Movie |+ Comment: s3cr3t_k3y_4_f1ag The MKV container has a comment field:
# 1. List the tracks + attachments $ mkvmerge -i khatrimaza-org.mkv File 'khatrimaza-org.mkv': container: Matroska Track ID 0: video (V_MPEG4/ISO/AVC) Track ID 1: audio (A_AAC) Track ID 2: subtitles (S_TEXT/UTF8)
Text ID : 3 Format : UTF‑8 Nothing suspicious at first glance, but MKV is a very flexible format – it can hold , extra subtitle tracks , chapters , and binary blobs . Those are typical places for a CTF flag. 3. Extract everything from the container We will use mkvextract (part of mkvtoolnix ) to dump all tracks and attachments. The Khatrimaza-org-mkv
open('payload.bin', 'wb').write(out) print('Done – payload written to payload.bin') Run it:
Video ID : 1 Format : AVC Format/Info : Advanced Video Coding Width : 1 280 pixels Height : 720 pixels Display aspect ratio : 16:9 Frame rate : 30.000 FPS Bit rate : 1 600 kb/s $ mkvinfo khatrimaza-org
ffprobe -show_streams video.h264 ffprobe -show_streams audio.aac Both streams look clean (no extra data or unusual codec parameters). We also run strings on them, but no flag‑like patterns appear.
key = b's3cr3t_k3y_4_f1ag' data = open('hidden.bin', 'rb').read() We also run strings on them, but no
Attachment ID 0: font (fonts/Roboto-Regular.ttf) size: 147,896 bytes Attachment ID 1: binary (attachments/hidden.bin) size: 6,432 bytes The second attachment ( hidden.bin ) looks like a generic binary blob – a classic place for a flag. We extract everything: