pdf

Author: Connor Chang

so sad cause no flag in pdf :(

given a challenge.pdf, with the text

just below in white font is a red herring

scriptCTF{this_is_def_the_flag_trust}

hidden against the white background, but that’s not the flag

if you open up a pdf you’ll notice they have a lot of “objects” that look like

1 0 obj
<< 
  /somedata
>>
endobj

when you open up the pdf you notice

5 0 obj
<<
  /Type /Annot
  /Subtype /Text
  /Rect [0 0 0 0]
  /Contents (maybe look between stream and endstream)
>>
endobj

which is a helpful “comment” telling you to essentially decode the above stream

4 0 obj
<< /Length 48 /Filter /FlateDecode >>
stream
x+N.,(qq.HI/6/2657(3.7/74O7  %% it has weirder characters actually, my editor is throwing a fit
endstream
endobj

we can extract the hex of that stream from the hexdump or more elegantly match a regular expression as in this gist (you can guess which i ended up doing)

here’s my solve too

1
2
3
4
5
6

import zlib

stream_hex = "789c2b4e2eca2c28710e71ab2e48498b2f362f3236c9358d3728332e8a372f37344fce88372d018915d7020047020ed4"

data = bytearray.fromhex(stream_hex)
print(zlib.decompress(data))

scriptCTF{pdf_s7r34m5_0v3r_7w17ch_5tr34ms}

some pdf resources

• inside the pdf format
• nsa paper on pdfs
• pdf tricks