
CSAW CTF 2014 Forensics 200 Obscurity writeup


When I get a PDF file, I usually start with the JavaScript dictionary entries, JS streams, the Launch action and the interactive forms. These standard sections tell us whether the file carries embedded JavaScript. Let's look at the elements of the challenge file.


➜ PDF-Tools [0] python pdfid.py pdf.pdf
PDFiD 0.1.2 pdf.pdf
 PDF Header: %PDF-1.3
 obj 20
 endobj 19
 stream 10
 endstream 10
 xref 1
 trailer 1
 startxref 1
 /Page 1
 /Encrypt 0
 /ObjStm 0
 /JS 0
 /JavaScript 0
 /AA 0
 /OpenAction 0
 /AcroForm 0
 /JBIG2Decode 0
 /RichMedia 0
 /Launch 0
 /EmbeddedFile 0
 /XFA 0
 /Colors > 2^24 0

Well, there is no embedded JavaScript inside the file. Alright, we will look into each of the above streams!
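
A simplified version of the keyword triage shown in the pdfid output above, as an added example (not part of the original post and not pdfid's own code). It counts the risky name keys outside stream bodies and decodes #xx hex escapes in names; both sample documents are constructed.

```python
import re

# Name keys the triage above checks: scripts, auto-actions, launch, forms.
KEYWORDS = ["/JS", "/JavaScript", "/AA", "/OpenAction", "/AcroForm",
            "/Launch", "/EmbeddedFile", "/XFA", "/ObjStm", "/Encrypt"]
# A PDF name runs from "/" to the next whitespace or delimiter character.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n.*?endstream", re.S)


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def count_keywords(pdf: bytes) -> dict:
    """Count the keyword names that appear outside stream bodies."""
    # Stream data is skipped: compressed bytes can match a name by accident.
    # Names inside compressed object streams stay hidden, hence /ObjStm above.
    body = STREAM_RE.sub(b"stream endstream", pdf)
    counts = {k: 0 for k in KEYWORDS}
    for m in NAME_RE.finditer(body):
        name = decode_name(m.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def flagged(pdf: bytes) -> list:
    """Keywords with a non-zero count, in KEYWORDS order."""
    return [k for k, n in count_keywords(pdf).items() if n]


# Constructed samples (not the challenge file).
CLEAN = b"%PDF-1.3\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
SUSPECT = (
    b"%PDF-1.3\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /J#53 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length 10 >>\nstream\n/Launch x\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, flagged(data) or "nothing flagged")
```

A file that comes back with nothing flagged, like the challenge file here, still needs its objects and streams read by hand, which is the next step.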

➜ PDF-Tools [0] python pdf-parser.py pdf.pdf
PDF Comment '%PDF-1.3\n'

obj 1 0
 Type: /Pages
 Referencing: 4 0 R

 <<
 /Kids [ 4 0 R ]
 /Type /Pages
 /Count 1
 >>

obj 2 0
 Type:
 Referencing: 

 <<
 /Producer '(Python PDF Library \\055 http\\072\\057\\057pybrary\\056net\\057pyPdf\\057)'
 >>

obj 3 0
 Type: /Catalog
 Referencing: 1 0 R

 <<
 /Type /Catalog
 /Pages 1 0 R
 >>

obj 4 0
 Type: /Page
 Referencing: 1 0 R, 5 0 R, 6 0 R, 8 0 R, 9 0 R, 13 0 R, 17 0 R, 18 0 R

 <<
 /Parent 1 0 R
 /Contents 5 0 R
 /Type /Page
 /Resources
 <<
 /ColorSpace
 <<
 /Cs1 6 0 R
 /Cs1renamed [ /ICCBased 8 0 R ]
 >>
 /XObject
 <<
 /Im1 9 0 R
 >>
 /Font
 <<
 /TT1.1 13 0 R
 /TT1.1renamed
 <<
 /FirstChar 33
 /Widths [ 220 ]
 /Type /Font
 /BaseFont /HQNKNK+Cambria
 /LastChar 33
 /ToUnicode 17 0 R
 /FontDescriptor 18 0 R
 /Subtype /TrueType
 >>
 >>
 /ProcSet [ /ImageC /Text /PDF /ImageI /ImageB ]
 >>
 /MediaBox [ 0 0 612 792 ]
 >>

(stripped)

You can read the rest of the stream content here. Well, we have got a text section! Next, let's convert the PDF file to a text file, which will probably tell us something about that text.


➜ 200 [0] python pdf2txt.py ../../pdf.pdf

ag{security_through_obscurity}

Pingo! Look what we got! So here is the flag: security_through_obscurity
