Root-me.org

PDF Object

Hide-and-Seek

In this challenge we need to find the hidden information in the PDF file.

There’s a lot of reading about how PDF are constructed. It’s essential to understand how object are called and store in the PDF file.

I’ll put a link to my bookmark website and search for the keyword pdf.

http://fav.uid0.in/

First let’s take a look at the pdf just to see what it is.

After that, we’ll use the tool pdf_parser found here:

https://blog.didierstevens.com/programs/pdf-tools/

to extract all the headers for all the object and see if we can spot something that is odd from the file.

python pdf-parser.py epreuve_BAC_2004.pdf  > all_obj

If we take a look at all_obj we’ll notice a few things.

First obj 1 0

obj 1 0
 Type: /Catalog
 Referencing: 3 0 R, 78 0 R

  <<
    /Type /Catalog
    /Pages 3 0 R
    /Names
      <<
        /Embeddedfiles
          <<
            /Names [ <48696464656e5f62333372732e747874> 78 0 R ]
          >>
      >>
  >>

It calls for /Embeddedfiles that refers to the obj 78. Embedded files will obviously embed a file in the pdf.

If we go to obj 78

obj 78 0
 Type: /Filespec
 Referencing: 77 0 R

  <<
    /F (Hidden_b33rs.txt)
    /Type /Filespec
    /EF
      <<
        /F 77 0 R
      >>
  >>

This one refers to the obj 77, let’s go to that one.

obj 77 0
 Type: /Embeddedfile
 Referencing: 
 Contains stream

  <<
    /Length 79749
    /Type /Embeddedfile
    /Filter /FlateDecode
    /Params
      <<
        /Size 108542
        /Checksum <565984bd9e2901248b5d8abfe174e2b1>
      >>
    /Subtype /text/plain
  >>

This one has a type of Embeddedfile, we also that it uses the filter FlateDecode. Also the subtype is plain text.

Luckily for us pdf_parser has a options to extract object while decoding them. You can also do it in python which is pretty easy to do also.

So now let’s extract obj_77

python pdf-parser.py --raw --filter -o 77 epreuve_BAC_2004.pdf > decoded_77

When we open the file, we have the header information in the first 17 lines followed by 1410 lines of what looks like random stuff. If you look at the character set of the “random stuff” we can take a guess that we’re looking at base64.

Let’s try to decode it, in our case for the sake of now having to paste the whole lines, the lines are in the file b64_77.

Let’s try to decode it and putting it in a file.

cat b64_77 | base64 -d > file_77

file file_77 

file_77: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, comment: "CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 95", baseline, precision 8, 500x417, frames 3

We got an image! Once we open it, we’ll see the flag on it.