Greenturtlegirl-3.avi <TOP>
| Situation | How to detect / fix |
|-----------|----------------------|
| Hidden data in padding bytes of the video stream | Run ffmpeg -i video_track1.avi -c copy -map 0 -f rawvideo - and pipe to hexdump -C. Look for long runs of 00 or FF that may hide an encoded payload. |
| Multiple video streams, one of which is a “decoy” | ffprobe -show_streams will list all streams. Extract each (-map 0:v:1, -map 0:v:2, …) and repeat the frame analysis on each. |
| Audio is actually a modulated carrier (e.g., DTMF, Morse, BPSK) | Use audacity to view the waveform at a high zoom, or multimon-ng / gqrx for decoding. |
| Stego in subtitle stream | Dump the subtitle file (.srt or .ass) and run strings, base64, or zsteg on it. |
| The flag is split across several different chunks | Keep a notebook. When you see multiple suspicious blobs (e.g., chunk XXXX, frame_0012.png, audio_chunk.bin) try concatenating them in the order they appear in the file. |
When you finally have a blob that looks promising, try the usual suspects: Greenturtlegirl-3.avi
| Encoding / Compression | Command (Linux) |
|------------------------|-----------------|
| Base64 | base64 -d blob.bin > blob2.bin |
| Hex (ASCII) | xxd -r -p blob.bin > blob2.bin |
| gzip / zlib | gzip -d blob.bin or python -c "import sys, zlib; sys.stdout.write(zlib.decompress(open('blob.bin','rb').read()))" |
| XOR with single byte | xorsearch -b blob.bin (or a quick Python loop) |
| AES‑CBC (common in CTFs) | openssl enc -d -aes-128-cbc -in blob.bin -out plain.bin -K <key> -iv <iv> |
| ROT13 / Caesar | tr 'A-Za-z' 'N-ZA-Mn-za-m' < blob.bin | | Situation | How to detect / fix
If you get readable text that contains the typical flag format (CTF..., flag..., picoCTF..., etc.), you have found the answer. When you finally have a blob that looks
AVI is just a container, so pulling the individual tracks out makes the rest of the analysis easier.
# Create a folder for everything we’ll dump
mkdir greenturtlegirl_extracted
cd greenturtlegirl_extracted
# 2.1 Extract video track(s)
ffmpeg -i ../Greenturtlegirl-3.avi -c copy -map 0:v:0 video_track1.avi
# 2.2 Extract audio track(s) (if any)
ffmpeg -i ../Greenturtlegirl-3.avi -c copy -map 0:a:0 audio_track1.wav
# 2.3 Extract subtitles / data streams (if present)
ffmpeg -i ../Greenturtlegirl-3.avi -c copy -map 0:s:0 subs.srt
If ffmpeg reports “Unsupported codec” or “Stream #0:2: Data”, you can also try avconv, mkvextract (after converting to MKV), or riffdump for low‑level RIFF chunk inspection.