
PDF-Mess

Table of Contents

  1. Overview
  2. Background
  3. Find the flag
  4. Conclusion

Overview

Background

This file seems to be a simple copy and paste from Wikipedia. It would be necessary to dig a little deeper…

Good luck!

Format : Hero{}
Author : Thibz

Find the flag

In this challenge, we can download a file:

┌[siunam♥earth]-(~/ctf/HeroCTF-v5/Steganography/PDF-Mess)-[2023.05.14|15:02:37(HKT)]
└> file strange.pdf 
strange.pdf: PDF document, version 1.7, 2 pages

It's a PDF file.

This PDF file contains an image:

We can try to carve it out with foremost:

┌[siunam♥earth]-(~/ctf/HeroCTF-v5/Steganography/PDF-Mess)-[2023.05.14|15:03:50(HKT)]
└> foremost -i strange.pdf
Processing: strange.pdf
|*|
┌[siunam♥earth]-(~/ctf/HeroCTF-v5/Steganography/PDF-Mess)-[2023.05.14|15:03:56(HKT)]
└> ls -lah output 
total 20K
drwxr-xr-- 4 siunam nam 4.0K May 14 15:03 .
drwxr-xr-x 4 siunam nam 4.0K May 14 15:03 ..
-rw-r--r-- 1 siunam nam  758 May 14 15:03 audit.txt
drwxr-xr-- 2 siunam nam 4.0K May 14 15:03 jpg
drwxr-xr-- 2 siunam nam 4.0K May 14 15:03 pdf

However, I ran through all the JPG steganography tools and found nothing.

Then, I Googled "stegano pdf ctf":

This writeup from UIUCTF shows how to extract an embedded file from a PDF:

Let's do that!

┌[siunam♥earth]-(~/ctf/HeroCTF-v5/Steganography/PDF-Mess)-[2023.05.14|15:06:40(HKT)]
└> pdf-parser --stats strange.pdf                         
This program has not been tested with this version of Python (3.11.2)
Should you encounter problems, please use Python version 3.11.1
Comment: 4
XREF: 2
Trailer: 2
StartXref: 2
Indirect object: 44
Indirect objects with a stream: 4, 28, 30, 31, 40, 101, 102, 106, 107, 110, 109
  24: 4, 6, 8, 14, 15, 16, 19, 20, 21, 22, 23, 24, 25, 26, 27, 30, 32, 101, 102, 103, 104, 105, 106, 108
 /Catalog 1: 1
 /EmbeddedFile 1: 110
 /ExtGState 2: 10, 11
 /Filespec 1: 111
 /Font 4: 5, 7, 12, 17
 /FontDescriptor 3: 9, 13, 18
 /Metadata 1: 107
 /ObjStm 1: 40
 /Page 2: 3, 29
 /Pages 1: 2
 /XObject 2: 28, 31
 /XRef 1: 109
Unreferenced indirect objects: 40 0 R, 109 0 R
Unreferenced indirect objects without /ObjStm objects: 109 0 R
Search keywords:
 /EmbeddedFile 1: 110
 /URI 12: 14, 15, 16, 19, 20, 21, 22, 23, 24, 25, 26, 27

We found a hidden embedded file too: /EmbeddedFile 1: 110, i.e. indirect object 110.

To extract it, we can dump object 110 with its stream filter applied:

┌[siunam♥earth]-(~/ctf/HeroCTF-v5/Steganography/PDF-Mess)-[2023.05.14|15:06:46(HKT)]
└> pdf-parser --object 110 --raw --filter strange.pdf > 110_EmbeddedFile
┌[siunam♥earth]-(~/ctf/HeroCTF-v5/Steganography/PDF-Mess)-[2023.05.14|15:07:41(HKT)]
└> cat 110_EmbeddedFile 
This program has not been tested with this version of Python (3.11.2)
Should you encounter problems, please use Python version 3.11.1
obj 110 0
 Type: /EmbeddedFile
 Referencing: 
 Contains stream

  <<
    /Length 179
    /Type /EmbeddedFile
    /Filter /FlateDecode
    /Params
      <<
        /Size 199
        /Checksum <083542c62e17ca3367bd590c1ab38578>
      >>
    /Subtype /application/js
  >>

 b"const CryptoJS=require('crypto-js'),key='3d3067e197cf4d0a',ciphertext=CryptoJS['AES']['encrypt'](message,key)['toString'](),cipher='U2FsdGVkX1+2k+cHVHn/CMkXGGDmb0DpmShxtTfwNnMr9dU1I6/GQI/iYWEexsod';"

Oh! We found some JavaScript code!

Beautified:

const CryptoJS = require('crypto-js');

key = '3d3067e197cf4d0a';
// `message` is never defined in the embedded file, so the plaintext it was
// encrypting is unknown to us; only the key and the resulting ciphertext are given.
ciphertext = CryptoJS['AES']['encrypt'](message,key)['toString']();
cipher = 'U2FsdGVkX1+2k+cHVHn/CMkXGGDmb0DpmShxtTfwNnMr9dU1I6/GQI/iYWEexsod';

As you can see, it uses the crypto-js npm library to AES-encrypt message (whose value we don't have) with the key 3d3067e197cf4d0a.

After encryption, the ciphertext is U2FsdGVkX1+2k+cHVHn/CMkXGGDmb0DpmShxtTfwNnMr9dU1I6/GQI/iYWEexsod.

Following crypto-js's AES documentation, we can decrypt it with the same key:

const CryptoJS = require('crypto-js');

const key = '3d3067e197cf4d0a';
//ciphertext = CryptoJS['AES']['encrypt'](message,key)['toString']();
const cipher = 'U2FsdGVkX1+2k+cHVHn/CMkXGGDmb0DpmShxtTfwNnMr9dU1I6/GQI/iYWEexsod';
// decrypt() returns a WordArray; toString() without an encoder renders it as hex,
// so the output still has to be hex-decoded (xxd -r -p below), or use
// ['toString'](CryptoJS.enc.Utf8) to get the text directly.
const plaintext = CryptoJS['AES']['decrypt'](cipher,key)['toString']();

console.log(plaintext);

However, I wanna give ChatGPT a try:

Ok bruh, I'll decrypt it by myself lol:

┌[siunam♥earth]-(~/ctf/HeroCTF-v5/Steganography/PDF-Mess)-[2023.05.14|15:15:30(HKT)]
└> npm install crypto-js     

added 1 package in 378ms
┌[siunam♥earth]-(~/ctf/HeroCTF-v5/Steganography/PDF-Mess)-[2023.05.14|15:15:34(HKT)]
└> nodejs 110_EmbeddedFile.js
4865726f7b4d344c3143313055355f433044335f314e5f5044467d
┌[siunam♥earth]-(~/ctf/HeroCTF-v5/Steganography/PDF-Mess)-[2023.05.14|15:15:38(HKT)]
└> nodejs 110_EmbeddedFile.js | xxd -r -p
Hero{M4L1C10U5_C0D3_1N_PDF}

Conclusion

What we've learned:

  1. Extracting Embedded Files From A PDF