Greenturtlegirl-3.avi wasn't supposed to exist. In the early 2000s era of Limewire and Morpheus, it was whispered about in IRC channels as a "corrupted" video that supposedly changed every time you played it. The Discovery Elias found it inside a zipped folder labeled “Old_Backups_98”
on a hard drive he bought at a garage sale. The thumbnail was a static-heavy shot of a girl in a lime-green hooded sweatshirt, sitting on a swing set at night. Her face was obscured by the low resolution, but her eyes seemed to catch the camera's flash with a strange, emerald glint. The First Playback
When Elias first clicked play, the video was only twelve seconds long. 0:00-0:05: The girl swings back and forth in total silence. She stops abruptly and looks directly into the lens. The screen cuts to black with a single line of white text: “Are you still there?”
Elias laughed it off as an old "screamer" prank that failed to trigger. He went to delete it, but the file size caught his eye:
. For a twelve-second AVI file from the 90s, that was physically impossible.
He played it again. This time, the video was different. The girl wasn't on a swing; she was standing in a hallway that looked exactly like the one right outside Elias’s bedroom. She held a small, plastic turtle painted the same neon green as her hoodie.
The audio wasn't silent anymore. It was a low, rhythmic thumping—the sound of a heartbeat filtered through heavy distortion. As the girl stepped closer to the camera, Elias noticed the date stamp in the bottom corner. It didn't say 1998. It showed today’s date , with a timestamp only three minutes in the past.
Terrified, Elias tried to shut down his computer, but the media player stayed pinned to the front of his screen. The video looped, and with every cycle, the girl moved through the house. Greenturtlegirl-3.avi
She was in the kitchen, placing the green turtle on the counter. She was at the base of his stairs. She was standing right behind a closed door—his door.
In the video, the girl reached for the handle. In reality, Elias heard the brass knob of his bedroom door creak and turn. The End of the File
Elias dove for the power cable, ripping it from the wall. The monitor flickered and died, plunging the room into darkness. For a moment, there was only the sound of his own panicked breathing.
Then, the monitor hummed back to life, powered by nothing. The screen was a solid, sickening shade of turtle-shell green. A single dialogue box appeared in the center of the void: "Greenturtlegirl-3.avi has finished uploading."
Elias turned around. Sitting on his pillow was a small, plastic green turtle, still warm to the touch. to this creepypasta, or perhaps a involving the other two files in the series?
AVI files (RIFF) can contain custom chunks that are ignored by standard players. Those chunks are a common place for CTF flag data.
# Dump all RIFF chunks (including unknown ones)
riffdump Greenturtlegirl-3.avi > riff_dump.txt
If you see something like:
Chunk: 'XXXX' size 0x00000100
Chunk: 'data' size 0x00000A00
You can extract the raw bytes:
# Grab the chunk named XXXX (replace with the actual 4‑letter ID)
dd if=Greenturtlegirl-3.avi bs=1 skip=$((offset)) count=$((size)) of=extra_chunk.bin
offset and size come from the riff_dump.txt output. After extraction, run a battery of checks:
# 4.1 Strings & printable data
strings -a extra_chunk.bin | head
# 4.2 Base64 / hex detection
base64 -d extra_chunk.bin 2>/dev/null | strings -a
xxd extra_chunk.bin | head
If you see something that looks like a flag (e.g., CTF...) you’re done. Otherwise keep probing.
| Goal | Command / Tool | What to look for |
|------|----------------|------------------|
| Verify the file type & integrity | file Greenturtlegirl-3.avi
sha256sum Greenturtlegirl-3.avi | Confirm it is indeed an AVI container; note any “RIFF” or “AVI” tags. |
| Quick metadata dump | exiftool Greenturtlegirl-3.avi | Creation date, software used, author, any custom tags. |
| Basic entropy check | binwalk -E Greenturtlegirl-3.avi or ent -b Greenturtlegirl-3.avi | High entropy sections may indicate compressed or encrypted payloads. |
| List embedded streams | ffprobe -show_streams -i Greenturtlegirl-3.avi | Number of video, audio, subtitle streams, codec details. |
If any of the above reveals something odd (e.g., a non‑standard codec, an extra data chunk, or an unusually high‑entropy region), keep a note – that’s where the hidden payload often lives.
| Situation | How to detect / fix |
|-----------|----------------------|
| Hidden data in padding bytes of the video stream | Run ffmpeg -i video_track1.avi -c copy -map 0 -f rawvideo - and pipe to hexdump -C. Look for long runs of 00 or FF that may hide an encoded payload. |
| Multiple video streams, one of which is a “decoy” | ffprobe -show_streams will list all streams. Extract each (-map 0:v:1, -map 0:v:2, …) and repeat the frame analysis on each. |
| Audio is actually a modulated carrier (e.g., DTMF, Morse, BPSK) | Use audacity to view the waveform at a high zoom, or multimon-ng / gqrx for decoding. |
| Stego in subtitle stream | Dump the subtitle file (.srt or .ass) and run strings, base64, or zsteg on it. |
| The flag is split across several different chunks | Keep a notebook. When you see multiple suspicious blobs (e.g., chunk XXXX, frame_0012.png, audio_chunk.bin) try concatenating them in the order they appear in the file. |
Even after extracting streams, some payloads are steganographically hidden in the byte‑level structure (LSB of pixels, padding bytes, etc.). Use the following tools that automate many of these heuristics: Greenturtlegirl-3
| Tool | Typical command | What it does |
|------|-----------------|--------------|
| binwalk | binwalk -e Greenturtlegirl-3.avi | Scans for embedded files/compressed data, extracts them. |
| foremost | foremost -i Greenturtlegirl-3.avi -o foremost_out | Carves out any file signatures (JPEG, PNG, PDF, ZIP, etc.). |
| scalpel | scalpel -c /etc/scalpel.conf -o scalpel_out Greenturtlegirl-3.avi | Another carving engine with a customizable config. |
| stegsolve (GUI) | Open the video frames or the raw file | Lets you cycle through colour planes, LSB, XOR, etc. |
| zsteg | zsteg -a Greenturtlegirl-3.avi | Tries a whole suite of LSB/LSB‑MSB tricks on any image data it can find. |
| steghide | steghide extract -sf Greenturtlegirl-3.avi (you’ll be prompted for a passphrase) | If the creator used steghide on the container itself. |
Tip: Some CTF authors intentionally split the hidden payload across multiple locations (e.g., part in a frame, part in an audio sample, part in a custom RIFF chunk). Keep any “interesting” fragments you find, and later you may need to concatenate or XOR them together.
ffmpeg -v error.| Item | Details | |------|---------| | File name | Greenturtlegirl‑3.avi | | Extension | .avi (Audio Video Interleave) | | Typical use | Container for video and audio streams; widely supported on Windows, macOS, Linux | | Possible source | Could be a downloaded video, a screen‑recording, or a media export from editing software |
"format":
"filename": "Greenturtlegirl-3.avi",
"format_name": "avi",
"duration": "00:04:12.34",
"size": "312345678",
"bit_rate": "960000"
,
"streams": [
"codec_type": "video",
"codec_name": "h264",
"width": 1280,
"height": 720,
"r_frame_rate": "30/1",
"bit_rate": "800000"
,
"codec_type": "audio",
"codec_name": "aac",
"sample_rate": "48000",
"channels": 2,
"bit_rate": "128000"
]
Replace the above with the actual output from your inspection.
When you finally have a blob that looks promising, try the usual suspects:
| Encoding / Compression | Command (Linux) |
|------------------------|-----------------|
| Base64 | base64 -d blob.bin > blob2.bin |
| Hex (ASCII) | xxd -r -p blob.bin > blob2.bin |
| gzip / zlib | gzip -d blob.bin or python -c "import sys, zlib; sys.stdout.write(zlib.decompress(open('blob.bin','rb').read()))" |
| XOR with single byte | xorsearch -b blob.bin (or a quick Python loop) |
| AES‑CBC (common in CTFs) | openssl enc -d -aes-128-cbc -in blob.bin -out plain.bin -K <key> -iv <iv> |
| ROT13 / Caesar | tr 'A-Za-z' 'N-ZA-Mn-za-m' < blob.bin |
If you get readable text that contains the typical flag format (CTF..., flag..., picoCTF..., etc.), you have found the answer. If you see something like: Chunk: 'XXXX' size