18 Pages Hdhub4u Now

Our goal is to retrieve the hidden flag hidden somewhere inside the PDF. $ file 18pages.pdf 18pages.pdf: PDF document, version 1.7

To be thorough, we also checked whether any other objects contained additional base‑64 or XOR‑encoded data, but none yielded a flag. 18 Pages Hdhub4u

Objects , 37 , and 61 are the most promising candidates for hidden data. 4. Analyzing the suspicious streams 4.1 Object 28 – “mostly zeros” $ pdf-parser -object 28 -raw 18pages.pdf > obj28.bin $ hexdump -C obj28.bin | head 00000000 78 9c 0b 00 00 00 02 00 00 00 00 00 00 00 00 00 |x...............| ... The stream is a Flate‑compressed block that, once decompressed, yields a 2048‑byte buffer full of 0x00 except for a few non‑zero bytes at the very end: Our goal is to retrieve the hidden flag

Thus the final flag for the challenge is: obj37.asc85 $ ascii85decode obj37.asc85 &gt

$ zcat obj28.bin | tail -c 64 | hexdump -C 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000030 48 54 42 7b 31 30 34 32 5f 34 35 33 37 5f 62 34 |HTB1104001647......| We get the clear text – a flag format used by the Hack The Box community. 4.2 Object 37 – ASCII85 data $ pdf-parser -object 37 -raw 18pages.pdf > obj37.asc85 $ ascii85decode obj37.asc85 > obj37.bin $ strings -n 6 obj37.bin strings shows only a few generic words ( Page , Section , Lorem ), nothing useful. This was a decoy to mislead analysts. 4.3 Object 61 – “embedded PDF” $ pdf-parser -object 61 -raw 18pages.pdf > obj61.bin $ zcat obj61.bin > embedded.pdf $ pdfinfo embedded.pdf Pages: 1 The extracted PDF contains a single page that is a screenshot of a terminal with the line: