CSAW CTF 2014 Forensics 200 Obscurity writeup


Usually when I get a PDF file, I look at the JavaScript dictionary section, the JS stream, the Launch section and the interactive forms in the PDF. These standard sections can tell us about any embedded JavaScript. Let's now take a look at the elements of the challenge file.


➜ PDF-Tools [0] python pdfid.py pdf.pdf
PDFiD 0.1.2 pdf.pdf
 PDF Header: %PDF-1.3
 obj 20
 endobj 19
 stream 10
 endstream 10
 xref 1
 trailer 1
 startxref 1
 /Page 1
 /Encrypt 0
 /ObjStm 0
 /JS 0
 /JavaScript 0
 /AA 0
 /OpenAction 0
 /AcroForm 0
 /JBIG2Decode 0
 /RichMedia 0
 /Launch 0
 /EmbeddedFile 0
 /XFA 0
 /Colors > 2^24 0

Well, there is no embedded JavaScript inside the file. Alright, we will look into each of the above streams!
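The keyword count that pdfid performs above can be reproduced in a few lines. This is an added example, not pdfid's own code and not from the original post; the function names and the two sample byte strings are constructed for illustration. It also decodes the #XX hex escapes that PDF names allow, so an escaped /JavaScript name is still counted.

```python
import re

# Names that pdfid reports in the output above; a non-zero count marks active content.
RISKY = ["/JS", "/JavaScript", "/AA", "/OpenAction", "/AcroForm",
         "/Launch", "/EmbeddedFile", "/XFA", "/RichMedia", "/ObjStm"]

# A PDF name is "/" plus any run of bytes that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
# Inside a name, "#XX" is a hex escape, often used to hide a name from naive scans.
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize(name: bytes) -> str:
    """Decode #XX escapes so that /J#61vaScript compares equal to /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), name).decode("latin-1")


def triage(data: bytes) -> dict:
    """Count risky names in raw PDF bytes and how many of them were hex-escaped.

    Only uncompressed objects are seen: names inside object streams stay hidden,
    which is why a non-zero /ObjStm count is itself worth reporting.
    """
    counts = {name: 0 for name in RISKY}
    counts["obfuscated"] = 0
    for match in NAME_RE.finditer(data):
        raw = match.group(0)
        name = normalize(raw)
        if name in RISKY:
            counts[name] += 1
            counts["obfuscated"] += b"#" in raw
    return counts


# Constructed samples (not the challenge file): a passive document and one whose
# catalog triggers an action that references a hex-escaped /JavaScript name.
CLEAN = (b"%PDF-1.3\n1 0 obj\n<< /Type /Pages /Kids [ 4 0 R ] /Count 1 >>\nendobj\n"
         b"3 0 obj\n<< /Type /Catalog /Pages 1 0 R >>\nendobj\n")
SUSPECT = (b"%PDF-1.3\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
           b"2 0 obj\n<< /S /J#61vaScript /JS 5 0 R >>\nendobj\n")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        hits = {k: v for k, v in triage(sample).items() if v}
        print(label, hits or "no active-content names")
```

An all-zero result, as with the challenge file, means the interesting content is in the page objects themselves, so the next step is to read the streams.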

➜ PDF-Tools [0] python pdf-parser.py pdf.pdf
PDF Comment '%PDF-1.3\n'

obj 1 0
 Type: /Pages
 Referencing: 4 0 R

 <<
 /Kids [ 4 0 R ]
 /Type /Pages
 /Count 1
 >>

obj 2 0
 Type:
 Referencing: 

 <<
 /Producer '(Python PDF Library \\055 http\\072\\057\\057pybrary\\056net\\057pyPdf\\057)'
 >>

obj 3 0
 Type: /Catalog
 Referencing: 1 0 R

 <<
 /Type /Catalog
 /Pages 1 0 R
 >>

obj 4 0
 Type: /Page
 Referencing: 1 0 R, 5 0 R, 6 0 R, 8 0 R, 9 0 R, 13 0 R, 17 0 R, 18 0 R

 <<
 /Parent 1 0 R
 /Contents 5 0 R
 /Type /Page
 /Resources
 <<
 /ColorSpace
 <<
 /Cs1 6 0 R
 /Cs1renamed [ /ICCBased 8 0 R ]
 >>
 /XObject
 <<
 /Im1 9 0 R
 >>
 /Font
 <<
 /TT1.1 13 0 R
 /TT1.1renamed
 <<
 /FirstChar 33
 /Widths [ 220 ]
 /Type /Font
 /BaseFont /HQNKNK+Cambria
 /LastChar 33
 /ToUnicode 17 0 R
 /FontDescriptor 18 0 R
 /Subtype /TrueType
 >>
 >>
 /ProcSet [ /ImageC /Text /PDF /ImageI /ImageB ]
 >>
 /MediaBox [ 0 0 612 792 ]
 >>

(stripped)

You can read the rest of the stream content here. Well, we have got a text section! I will now try to convert the PDF file to a text file, which can probably provide some information about the text.


➜ 200 [0] python pdf2txt.py ../../pdf.pdf

ag{security_through_obscurity}

Bingo! Look what we got! So here is the flag: security_through_obscurity
