Attachment ID 0: font (fonts/Roboto-Regular.ttf) size: 147,896 bytes Attachment ID 1: binary (attachments/hidden.bin) size: 6,432 bytes The second attachment ( hidden.bin ) looks like a generic binary blob – a classic place for a flag. We extract everything:
#!/usr/bin/env python3 import sys
def xor(data, key): return bytes(b ^ k for b, k in zip(data, itertools.cycle(key))) The Khatrimaza-org-mkv
$ mkvinfo khatrimaza-org.mkv | grep -i "title\|comment" |+ Title: The Khatrimaza Movie |+ Comment: s3cr3t_k3y_4_f1ag The MKV container has a comment field: Attachment ID 0: font (fonts/Roboto-Regular
open('payload.bin', 'wb').write(out) print('Done – payload written to payload.bin') Run it: We quickly glance at them with ffprobe just
2 00:00:03,001 --> 00:00:07,000 Enjoy the movie. Nothing hidden in the subtitles – just a generic welcome message. We quickly glance at them with ffprobe just to be sure there’s nothing weird:
$ python3 xor_decrypt.py Done – payload written to payload.bin $ file payload.bin payload.bin: ASCII text
Attachment ID 0: font (fonts/Roboto-Regular.ttf) size: 147,896 bytes Attachment ID 1: binary (attachments/hidden.bin) size: 6,432 bytes The second attachment ( hidden.bin ) looks like a generic binary blob – a classic place for a flag. We extract everything:
#!/usr/bin/env python3 import sys
def xor(data, key): return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))
$ mkvinfo khatrimaza-org.mkv | grep -i "title\|comment" |+ Title: The Khatrimaza Movie |+ Comment: s3cr3t_k3y_4_f1ag The MKV container has a comment field:
open('payload.bin', 'wb').write(out) print('Done – payload written to payload.bin') Run it:
2 00:00:03,001 --> 00:00:07,000 Enjoy the movie. Nothing hidden in the subtitles – just a generic welcome message. We quickly glance at them with ffprobe just to be sure there’s nothing weird:
$ python3 xor_decrypt.py Done – payload written to payload.bin $ file payload.bin payload.bin: ASCII text