[REDACTED]
Challenge:
The CEO of Cyber Corp has strangely disappeared over the weekend. After looking more into his disappearance Local Police Department thinks he might have gotten caught up into some illicit activities.
The IT Department just conducted a search through his company-provided laptop and found an old memo containing a One Time Password to log into his e-mail. However it seems as if someone has redacted the code, can you recover it for us?
Solution:
As described in the challenge description, and observed in the provided PDF, the code has been hidden behind a black box. I started with the standard approach of dumping strings, examining the document structure with Didier Stevens’ PDF Tools and examining the EXIF metadata. To be honest I ended up heading down a rabbit hole based on the document’s metadata and wasted some time trying to access the orignal document identified in a Dochub Document Url EXIF tag:
$ exiftool cybercorp_memo.pdf
Dochub Document Id : 264442281
Dochub Document Url : https://dochub.com/ctm5vjg/8YZWO9NV82peBxERzEAy30/memo3-pdf
After accepting defeat on that approach I pivoted to identifying a method for extracting images from a PDF, with the goal of obtaining the image of the letter that was a layer below the redaction box. After a short Google session I found that the pdfimages
utility from the Poppler PDF rendering library was suitable for the task.
$ pdfimages -png cybercorp_memo.pdf redacted
This produced one PNG image named redacted-000.png with the flag now clearly visible.
Leave a comment