The zipped file contained a single binary file with no extension. TrID was deployed to identify the extracted file based on its binary signature and was found to be a Adobe PDF file. The file was subsequently renamed with .pdf extension to view its contents using Adobe PDF Reader.
Only two words (! Confidential Documents !) were displayed when the PDF file was viewed with Adobe PDF Reader. More efforts were required to look further into the PDF specification which encapsulated a complete description of the fixed-layout flat document, including the text, fonts, graphics, and other information needed to display it.
The 1st key was found very easily within object 12. 1st_key(nn@LiC!oU$)
Hints for the 2nd key were discovered within object 5.
Hint #1 mentioned the 2nd key is made up of strings contained in three objects. Hint #2 stated the length of the 2nd key is 14. After scanning through the PDF specification, objects 6, 7, and 8 were found to be likely to contain text strings. The following line was amended to replace the digit 5 with 6, 7, and 8, to display contents of each of the objects in turn.
Object 6 :: PpPDdD[
Object 7 :: F_F
Object 8 :: ]ile
With the above strings concatenated, the 2nd_key was obtained! (PpPDdD[F_F]ile) strlen = 14
Careful examination of the data stream within object 11 was needed for the 3rd key. 1101 bytes of data were extracted and saved to a new binary file. The data were then uncompressed using PHP gzuncompress(), displayed, and found to be another PDF file.
PHP Script:
PDF Specification:
The next lead came from the Javascript contained within object 7. Some modifications were made to the script in order to view the alert which read “Decrypt_ME“. The cipher was then changed to “673B672B3E663C666F2B37390D362061″, a string contained within the extracted PDF specification, and the 3rd key was revealed. 3rd_key=4n4ly5i5
HTML with Javascript:
Captured the flag with the 3 keys combined! 300 points in the bag!! Yay!!!
Flag: nn@LiC!oU$_PpPDdD[F_F]ile_4n4ly5i5
Cheers,
Braeburn Ladny