Challenge: This document was intercepted while it was traveling to the North Pole. Is it just a typical letter to Santa or does it contain something more?
Ah yes, PDF!
Looks like it’s just some Lorem Ipsum text.
But I know about PDFs. A lot. So I started by looking at the contents. Well, it was compressed, so not really friendly. Lets first, decompress the objects.
qpdf --qdf --object-streams=disable Lorem_Ipsum.pdf out.pdf
Looking at the uncompressed contents, there’s still a lot of it. I begin to look for hidden Dictionaries or some embedded binary…
Ah, let’s make this a bit more easy. I took one of my own PDF tools and inspected the structure.
One of the thins it does is also the PS layouting, but without much visual attributes (colors). The code is used for PDF readouts in a accounting department.
I noticed the flag down below by accident and then went back and looked in the source:
(u)Tj
0.522 0 Td
(s.)Tj
0.638 0 Td
( )Tj
/GS1 gs
/T1_0 1 Tf
12 0 0 12 411 11 Tm
[(xmas{th1S_MU)6.1 (st_B3_Chr1stma5})]TJ
ET
EMC
endstream
endobj
I then went back to the original PDF and just did a Ctrl+A that showed there is something down there, and then a copy/paste to get the text.
Flag: xmas{th1S_MUst_B3_Chr1stma5}
What did I learn: Knowing too much can be an obstacle…
