Author: Lucian Nitescu
Contest: OtterCTF 2018


Found this nested zip in Morty’s PC. What is it that he is hiding?



150 points / 94 solvers


The challenge started with a .zip file which contained multiple zipped files within other zipped files as you can see in the following example:

My approach was rather brute: I unzipped one file in a folder and within the newly created folder, I repeated my actions. Here is the single bash command that I executed:

while true; do unzip $(ls *.zip) -d $(ls *.zip). && cd $(ls *.zip).; done


The resulting working directory and the retrieved files: is the last zip archive within the chain and requires a password to extract the archived text file.

From the working directory path I decided to strip all the extension names (.zip) and other unnecessary file names:




After I decoded the above base64 string, I obtained the following link:

I had to add the p letter to the end of the link in order to access the page:

By clicking on the User Review link, I was redirected to website and page. At first, I thought that this was a dead end, but after multiple tries and failures I decided to use the leaked email ( as the password for my last archive file:


Obtaining the flag:
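The unwrapping and path-decoding steps described above can also be done in memory with a bounded loop. This is an added example, not the code used in the original write-up; the function names, the depth and size caps, and the constructed sample archive are assumptions, as is the rule that every archive name in the chain contributes one base64 fragment in order.

```python
import base64
import io
import zipfile


def unwrap_nested(name, data, max_depth=2000, max_bytes=16 << 20):
    """Follow a zip-inside-zip chain without touching the disk.

    Returns (names, last_archive, needs_password): the archive names seen,
    outermost first, the bytes of the archive where the chain stops, and
    whether that archive holds an encrypted member.
    """
    names = [name]
    for _ in range(max_depth):  # assumed cap, so a hostile chain cannot loop forever
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
            locked = any(m.flag_bits & 0x1 for m in members)  # bit 0 = encrypted
            inner = [m for m in members if m.filename.lower().endswith(".zip")]
            if locked or len(inner) != 1:
                return names, data, locked
            if inner[0].file_size > max_bytes:  # assumed cap on declared size
                raise ValueError(f"{inner[0].filename}: member larger than cap")
            data = zf.read(inner[0])
            names.append(inner[0].filename.rsplit("/", 1)[-1])
    raise ValueError(f"nesting deeper than {max_depth} levels")


def decode_path(names):
    """Strip the .zip suffix from each level, join the rest, base64-decode."""
    joined = "".join(n[:-4] if n.lower().endswith(".zip") else n for n in names)
    return base64.b64decode(joined, validate=True)


def build_sample(secret=b"constructed sample text!"):
    """Constructed input: one archive level per 4-character base64 fragment."""
    b64 = base64.b64encode(secret).decode()
    parts = [b64[i:i + 4] + ".zip" for i in range(0, len(b64), 4)]
    member, payload = "note.txt", b"constructed placeholder"
    for part in reversed(parts):  # build from the innermost archive outwards
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member, payload)
        member, payload = part, buf.getvalue()
    return member, payload


if __name__ == "__main__":
    names, last, locked = unwrap_nested(*build_sample())
    print(len(names), "levels;", "password needed" if locked else "not encrypted")
    print(decode_path(names))
```

Unlike the shell loop, this stops on its own when it reaches an archive with no inner .zip or with an encrypted member, and it refuses chains deeper or members larger than the caps.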