## Solution 1: binwalk

```shell
┌──(kali㉿kali)-[~/code/_dolls.jpg.extracted]
└─$ binwalk

Binwalk v2.3.3
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] ...

Disassembly Scan Options:
    -Y, --disasm                  Identify the CPU architecture of a file using the capstone disassembler
    -T, --minsn=<int>             Minimum number of consecutive instructions to be considered valid (default: 500)
    -k, --continue                Don't stop at the first match

Signature Scan Options:
    -B, --signature               Scan target file(s) for common file signatures
    -R, --raw=<str>               Scan target file(s) for the specified sequence of bytes
    -A, --opcodes                 Scan target file(s) for common executable opcode signatures
    -m, --magic=<file>            Specify a custom magic file to use
    -b, --dumb                    Disable smart signature keywords
    -I, --invalid                 Show results marked as invalid
    -x, --exclude=<str>           Exclude results that match <str>
    -y, --include=<str>           Only show results that match <str>

Extraction Options:
    -e, --extract                 Automatically extract known file types
    -D, --dd=<type[:ext[:cmd]]>   Extract <type> signatures (regular expression), give the files an extension of <ext>, and execute <cmd>
    -M, --matryoshka              Recursively scan extracted files
    -d, --depth=<int>             Limit matryoshka recursion depth (default: 8 levels deep)
    -C, --directory=<str>         Extract files/folders to a custom directory (default: current working directory)
    -j, --size=<int>              Limit the size of each extracted file
    -n, --count=<int>             Limit the number of extracted files
    -0, --run-as=<str>            Execute external extraction utilities with the specified user's privileges
    -1, --preserve-symlinks       Do not sanitize extracted symlinks that point outside the extraction directory (dangerous)
    -r, --rm                      Delete carved files after extraction
    -z, --carve                   Carve data from files, but don't execute extraction utilities
    -V, --subdirs                 Extract into sub-directories named by the offset

Entropy Options:
    -E, --entropy                 Calculate file entropy
    -F, --fast                    Use faster, but less detailed, entropy analysis
    -J, --save                    Save plot as a PNG
    -Q, --nlegend                 Omit the legend from the entropy plot graph
    -N, --nplot                   Do not generate an entropy plot graph
    -H, --high=<float>            Set the rising edge entropy trigger threshold (default: 0.95)
    -L, --low=<float>             Set the falling edge entropy trigger threshold (default: 0.85)

Binary Diffing Options:
    -W, --hexdump                 Perform a hexdump / diff of a file or files
    -G, --green                   Only show lines containing bytes that are the same among all files
    -i, --red                     Only show lines containing bytes that are different among all files
    -U, --blue                    Only show lines containing bytes that are different among some files
    -u, --similar                 Only display lines that are the same between all files
    -w, --terse                   Diff all files, but only display a hex dump of the first file

Raw Compression Options:
    -X, --deflate                 Scan for raw deflate compression streams
    -Z, --lzma                    Scan for raw LZMA compression streams
    -P, --partial                 Perform a superficial, but faster, scan
    -S, --stop                    Stop after the first result

General Options:
    -l, --length=<int>            Number of bytes to scan
    -o, --offset=<int>            Start scan at this file offset
    -O, --base=<int>              Add a base address to all printed offsets
    -K, --block=<int>             Set file block size
    -g, --swap=<int>              Reverse every n bytes before scanning
    -f, --log=<file>              Log results to file
    -c, --csv                     Log results to file in CSV format
    -t, --term                    Format output to fit the terminal window
    -q, --quiet                   Suppress output to stdout
    -v, --verbose                 Enable verbose output
    -h, --help                    Show help output
    -a, --finclude=<str>          Only scan files whose names match this regex
    -p, --fexclude=<str>          Do not scan files whose names match this regex
    -s, --status=<int>            Enable the status server on the specified port

┌──(kali㉿kali)-[~/code/_dolls.jpg.extracted]
└─$ binwalk -e dolls.jpg

General Error: Cannot open file dolls.jpg (CWD: /home/kali/.local/share/Trash/files/_dolls.jpg.extracted) : [Errno 2] No such file or directory: 'dolls.jpg'

┌──(kali㉿kali)-[~/code/_dolls.jpg.extracted]
└─$ cd

┌──(kali㉿kali)-[~]
└─$ cd code

┌──(kali㉿kali)-[~/code]
└─$ binwalk -e dolls.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 594 x 1104, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
272492        0x4286C         Zip archive data, at least v2.0 to extract, compressed size: 378956, uncompressed size: 383938, name: base_images/2_c.jpg
651614        0x9F15E         End of Zip archive, footer length: 22

┌──(kali㉿kali)-[~/code]
└─$ cd _dolls.jpg.extracted

┌──(kali㉿kali)-[~/code/_dolls.jpg.extracted]
└─$ ls
4286C.zip  base_images

┌──(kali㉿kali)-[~/code/_dolls.jpg.extracted]
└─$ cd base_images

┌──(kali㉿kali)-[~/code/_dolls.jpg.extracted/base_images]
└─$ ls
2_c.jpg

┌──(kali㉿kali)-[~/code/_dolls.jpg.extracted/base_images]
└─$ binwalk 2_c.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 526 x 1106, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
187707        0x2DD3B         Zip archive data, at least v2.0 to extract, compressed size: 196043, uncompressed size: 201445, name: base_images/3_c.jpg
383805        0x5DB3D         End of Zip archive, footer length: 22
383916        0x5DBAC         End of Zip archive, footer length: 22

┌──(kali㉿kali)-[~/code/_dolls.jpg.extracted/base_images]
└─$ binwalk -e 2_c.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 526 x 1106, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
187707        0x2DD3B         Zip archive data, at least v2.0 to extract, compressed size: 196043, uncompressed size: 201445, name: base_images/3_c.jpg
383805        0x5DB3D         End of Zip archive, footer length: 22
383916        0x5DBAC         End of Zip archive, footer length: 22

┌──(kali㉿kali)-[~/code/_dolls.jpg.extracted/base_images]
└─$ ls
2_c.jpg  _2_c.jpg.extracted

┌──(kali㉿kali)-[~/code/_dolls.jpg.extracted/base_images]
└─$ cd _2_c.jpg.extracted

┌──(kali㉿kali)-[~/code/_dolls.jpg.extracted/base_images/_2_c.jpg.extracted]
└─$ ls
2DD3B.zip  base_images

┌──(kali㉿kali)-[~/code/_dolls.jpg.extracted/base_images/_2_c.jpg.extracted]
└─$ cd base_images

┌──(kali㉿kali)-[~/…/_dolls.jpg.extracted/base_images/_2_c.jpg.extracted/base_images]
└─$ ls
3_c.jpg

┌──(kali㉿kali)-[~/…/_dolls.jpg.extracted/base_images/_2_c.jpg.extracted/base_images]
└─$ binwalk 3_c.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 428 x 1104, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
123606        0x1E2D6         Zip archive data, at least v2.0 to extract, compressed size: 77651, uncompressed size: 79808, name: base_images/4_c.jpg
201423        0x312CF         End of Zip archive, footer length: 22

┌──(kali㉿kali)-[~/…/_dolls.jpg.extracted/base_images/_2_c.jpg.extracted/base_images]
└─$ binwalk -e 3_c.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 428 x 1104, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
123606        0x1E2D6         Zip archive data, at least v2.0 to extract, compressed size: 77651, uncompressed size: 79808, name: base_images/4_c.jpg
201423        0x312CF         End of Zip archive, footer length: 22

┌──(kali㉿kali)-[~/…/_dolls.jpg.extracted/base_images/_2_c.jpg.extracted/base_images]
└─$ ls
3_c.jpg  _3_c.jpg.extracted

┌──(kali㉿kali)-[~/…/_dolls.jpg.extracted/base_images/_2_c.jpg.extracted/base_images]
└─$ cd _3_c.jpg.extracted

┌──(kali㉿kali)-[~/…/base_images/_2_c.jpg.extracted/base_images/_3_c.jpg.extracted]
└─$ ls
1E2D6.zip  base_images

┌──(kali㉿kali)-[~/…/base_images/_2_c.jpg.extracted/base_images/_3_c.jpg.extracted]
└─$ cd base_images

┌──(kali㉿kali)-[~/…/_2_c.jpg.extracted/base_images/_3_c.jpg.extracted/base_images]
└─$ ls
4_c.jpg

┌──(kali㉿kali)-[~/…/_2_c.jpg.extracted/base_images/_3_c.jpg.extracted/base_images]
└─$ binwalk 4_c.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 320 x 768, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
79578         0x136DA         Zip archive data, at least v2.0 to extract, compressed size: 64, uncompressed size: 81, name: flag.txt
79786         0x137AA         End of Zip archive, footer length: 22

┌──(kali㉿kali)-[~/…/_2_c.jpg.extracted/base_images/_3_c.jpg.extracted/base_images]
└─$ binwalk -e 4_c.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 320 x 768, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
79578         0x136DA         Zip archive data, at least v2.0 to extract, compressed size: 64, uncompressed size: 81, name: flag.txt
79786         0x137AA         End of Zip archive, footer length: 22

┌──(kali㉿kali)-[~/…/_2_c.jpg.extracted/base_images/_3_c.jpg.extracted/base_images]
└─$ ls
4_c.jpg  _4_c.jpg.extracted

┌──(kali㉿kali)-[~/…/_2_c.jpg.extracted/base_images/_3_c.jpg.extracted/base_images]
└─$ cd _4_c.jpg.extracted

┌──(kali㉿kali)-[~/…/base_images/_3_c.jpg.extracted/base_images/_4_c.jpg.extracted]
└─$ ls
136DA.zip  flag.txt

┌──(kali㉿kali)-[~/…/base_images/_3_c.jpg.extracted/base_images/_4_c.jpg.extracted]
└─$ cat flag.txt
picoCTF{336cf6d51c9d9774fd37196c1d7320ff}
```

## Solution 2: dd if

```shell
┌──(kali㉿kali)-[~/code]
└─$ binwalk dolls.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 594 x 1104, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
272492        0x4286C         Zip archive data, at least v2.0 to extract, compressed size: 378956, uncompressed size: 383938, name: base_images/2_c.jpg
651614        0x9F15E         End of Zip archive, footer length: 22

┌──(kali㉿kali)-[~/code]
└─$ dd if=dolls.jpg of=dolls.zip skip=272492 bs=1
379144+0 records in
379144+0 records out
379144 bytes (379 kB, 370 KiB) copied, 0.801009 s, 473 kB/s

┌──(kali㉿kali)-[~/code]
└─$ unzip dolls.zip
Archive:  dolls.zip
  inflating: base_images/2_c.jpg

┌──(kali㉿kali)-[~/code]
└─$ cd dolls.zip
cd: not a directory: dolls.zip

┌──(kali㉿kali)-[~/code]
└─$ cd base_images/2_c.jpg
cd: not a directory: base_images/2_c.jpg

┌──(kali㉿kali)-[~/code]
└─$ cd base_images

┌──(kali㉿kali)-[~/code/base_images]
└─$ ls
2_c.jpg

┌──(kali㉿kali)-[~/code/base_images]
└─$ binwalk 2_c.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 526 x 1106, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
187707        0x2DD3B         Zip archive data, at least v2.0 to extract, compressed size: 196043, uncompressed size: 201445, name: base_images/3_c.jpg
383805        0x5DB3D         End of Zip archive, footer length: 22
383916        0x5DBAC         End of Zip archive, footer length: 22

┌──(kali㉿kali)-[~/code/base_images]
└─$ dd if=2_c.jpg of=2_c.zip skip=187707 bs=1
196231+0 records in
196231+0 records out
196231 bytes (196 kB, 192 KiB) copied, 0.298033 s, 658 kB/s

┌──(kali㉿kali)-[~/code/base_images]
└─$ unzip 2_c.zip
Archive:  2_c.zip
  inflating: base_images/3_c.jpg

┌──(kali㉿kali)-[~/code/base_images]
└─$ cd base_images

┌──(kali㉿kali)-[~/code/base_images/base_images]
└─$ binwalk 3_c.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 428 x 1104, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
123606        0x1E2D6         Zip archive data, at least v2.0 to extract, compressed size: 77651, uncompressed size: 79808, name: base_images/4_c.jpg
201423        0x312CF         End of Zip archive, footer length: 22

┌──(kali㉿kali)-[~/code/base_images/base_images]
└─$ dd if=3_c.jpg of=3_c.zip skip=123606 bs=1
77839+0 records in
77839+0 records out
77839 bytes (78 kB, 76 KiB) copied, 0.120424 s, 646 kB/s

┌──(kali㉿kali)-[~/code/base_images/base_images]
└─$ unzip 3_c.zip
Archive:  3_c.zip
  inflating: base_images/4_c.jpg

┌──(kali㉿kali)-[~/code/base_images/base_images]
└─$ cd base_images

┌──(kali㉿kali)-[~/code/base_images/base_images/base_images]
└─$ binwalk 4_c.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 320 x 768, 8-bit/color RGBA, non-interlaced
3226          0xC9A           TIFF image data, big-endian, offset of first image directory: 8
79578         0x136DA         Zip archive data, at least v2.0 to extract, compressed size: 64, uncompressed size: 81, name: flag.txt
79786         0x137AA         End of Zip archive, footer length: 22

┌──(kali㉿kali)-[~/code/base_images/base_images/base_images]
└─$ dd if=4_c.jpg of=4_c.zip skip=79578 bs=1
230+0 records in
230+0 records out
230 bytes copied, 0.000637243 s, 361 kB/s

┌──(kali㉿kali)-[~/code/base_images/base_images/base_images]
└─$ unzip 4_c.zip
Archive:  4_c.zip
  inflating: flag.txt

┌──(kali㉿kali)-[~/code/base_images/base_images/base_images]
└─$ cat flag.txt
picoCTF{336cf6d51c9d9774fd37196c1d7320ff}
```

### REF:

https://blog.gtwang.org/linux/dd-command-examples/
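Both solutions repeat the same step by hand at every layer: take the offset of the "Zip archive data" line that binwalk reports, carve from that offset to the end of the file (what `dd skip=<offset> bs=1` does), unzip, and run again on the image that falls out. The Python below is an added example, not code from the original writeup: it automates that loop over a constructed, in-memory four-layer doll with a placeholder flag. The names `png_stub`, `wrap`, `carve_zip` and `unwrap` are chosen here, and the depth and member-size limits are the safeguards you would want before unpacking nested archives from an untrusted file.

```python
import io, struct, zipfile, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_stub(width, height):
    """Tiny PNG prefix (signature + IHDR) standing in for real image bytes; 8-bit RGBA like the dolls."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    chunk = b"IHDR" + ihdr
    return PNG_SIG + struct.pack(">I", len(ihdr)) + chunk + struct.pack(">I", zlib.crc32(chunk))

def wrap(member_name, payload, width, height):
    """Append a ZIP holding `payload` to a PNG stub: the layout binwalk reported for dolls.jpg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return png_stub(width, height) + buf.getvalue()

def carve_zip(data):
    """Offset of the first ZIP local file header (binwalk's 'Zip archive data' line) and the bytes from there on."""
    off = data.find(b"PK\x03\x04")
    if off < 0:
        return -1, None
    return off, data[off:]  # same bytes as: dd if=img of=img.zip skip=<off> bs=1

def unwrap(data, max_depth=8, max_member=16 * 1024 * 1024):
    """Peel PNG+ZIP layers until a member is not itself a PNG; return (depth, member name, bytes).
    max_depth mirrors binwalk -d; max_member refuses oversized members (decompression bomb guard)."""
    for depth in range(1, max_depth + 1):
        off, carved = carve_zip(data)
        if off < 0:
            raise ValueError("no ZIP signature found at depth %d" % depth)
        with zipfile.ZipFile(io.BytesIO(carved)) as zf:
            info = zf.infolist()[0]
            if info.file_size > max_member:
                raise ValueError("member %s too large (%d bytes)" % (info.filename, info.file_size))
            inner = zf.read(info)
        if not inner.startswith(PNG_SIG):
            return depth, info.filename, inner
        data = inner
    raise ValueError("recursion limit %d reached without finding a leaf" % max_depth)

# Constructed sample mirroring the challenge's four layers (placeholder flag, not the real one).
FLAG = b"picoCTF{placeholder_flag}"
DOLL = wrap("base_images/2_c.jpg",
            wrap("base_images/3_c.jpg",
                 wrap("base_images/4_c.jpg",
                      wrap("flag.txt", FLAG, 320, 768), 428, 1104), 526, 1106), 594, 1104)
```

`unwrap(DOLL)` returns `(4, 'flag.txt', b'picoCTF{placeholder_flag}')`; on the real challenge file you would read `dolls.jpg` into `data` and call `unwrap` on it instead of `DOLL`.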