This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| authkey format : | |
| [1st_key]_[2nd_key]_[3rd_key] | |
| ex) | |
| [a]_[b]_[c] -> wrong | |
| a_b_c -> right |
Only two words (! Confidential Documents !) were displayed when the PDF file was viewed with Adobe PDF Reader. More efforts were required to look further into the PDF specification which encapsulated a complete description of the fixed-layout flat document, including the text, fonts, graphics, and other information needed to display it.
The 1st key was found very easily within object 12. 1st_key(nn@LiC!oU$)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 12 0 obj | |
| << | |
| /Title(Confidential Documents) /Author(RExVuz) /Subject(CODEGATE2013 YUT Challenge) /Keywords(PDF, Miscellanea) /CreationDate(D:20130301210000+0900) /ModDate(D:20130303090000+0900) /1st_key(nn@LiC!oU$) /Producer(CODEGATE PDF Maker 2013) /Creator(CODEGATE PDF Maker 2013) | |
| >> | |
| endobj |
Hints for the 2nd key were discovered within object 5.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 2nd_key is combination of strings in three objects; strlen(2nd_key) == 14; |
Hint #1 mentioned the 2nd key is made up of strings contained in three objects. Hint #2 stated the length of the 2nd key is 14. After scanning through the PDF specification, objects 6, 7, and 8 were found to be likely to contain text strings. The following line was amended to replace the digit 5 with 6, 7, and 8, to display contents of each of the objects in turn.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /Contents 5 0 R |
Object 6 :: PpPDdD[
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 6 0 obj | |
| << /Length 66 >> | |
| stream | |
| BT /F1 99 Tf 1 0 0 1 1 715 Tm<50 | |
| 7 | |
| 0 | |
| 50 | |
| 446 | |
| 44 | |
| 4 | |
| 5 | |
| B>Tj ET | |
| endstream | |
| endobj |
Object 7 :: F_F
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 7 0 obj | |
| << /Length 46 >> | |
| stream | |
| BT /F1 99 Tf 1 0 0 1 1 715 Tm(\106_\106) Tj ET | |
| endstream | |
| endobj |
Object 8 :: ]ile
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 8 0 obj | |
| << /Length 71 >> | |
| stream | |
| BT /F1 99 Tf 1 0 0 1 1 715 Tm(\ | |
| ]\ | |
| \ | |
| i\ | |
| \ | |
| \ | |
| l\ | |
| \ | |
| \ | |
| \ | |
| e\ | |
| \ | |
| \ | |
| \ | |
| \ | |
| ) Tj ET | |
| endstream | |
| endobj |
With the above strings concatenated, the 2nd_key was obtained! (PpPDdD[F_F]ile) strlen = 14
Careful examination of the data stream within object 11 was needed for the 3rd key. 1101 bytes of data were extracted and saved to a new binary file. The data were then uncompressed using PHP gzuncompress(), displayed, and found to be another PDF file.
PHP Script:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| $filename = "binaryfile"; | |
| $handle = fopen($filename, "r"); | |
| $contents = fread($handle, filesize($filename)); | |
| $uncompressed = gzuncompress($contents); | |
| echo $uncompressed; | |
| ?> |
PDF Specification:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| %PDF-1.3 | |
| 1 0 obj | |
| << | |
| /Type /Catalog | |
| /Outlines 2 0 R | |
| /Pages 3 0 R | |
| /OpenAction 7 0 R | |
| >> | |
| endobj | |
| 2 0 obj | |
| << | |
| /Type /Outlines | |
| /Count 0 | |
| >> | |
| endobj | |
| 3 0 obj | |
| << | |
| /Type /Pages | |
| /Kids [4 0 R] | |
| /Count 1 | |
| >> | |
| endobj | |
| 4 0 obj | |
| << | |
| /Type /Page | |
| /Parent 3 0 R | |
| /MediaBox [0 0 612 792] | |
| /Contents 5 0 R | |
| /Resources << | |
| /ProcSet [/PDF /Text] | |
| /Font << /F1 6 0 R >> | |
| >> | |
| >> | |
| endobj | |
| 5 0 obj | |
| << /Length 69 >> | |
| stream | |
| BT /F1 1 Tf 300 400 Td 15 TL (673B672B3E663C666F2B37390D362061) Tj ET | |
| endstream | |
| endobj | |
| 6 0 obj | |
| << | |
| /Type /Font | |
| /Subtype /Type1 | |
| /Name /F1 | |
| /BaseFont /Helvetica | |
| /Encoding /MacRomanEncoding | |
| >> | |
| endobj | |
| 7 0 obj | |
| << | |
| /Type /Action | |
| /S /JavaScript | |
| /JS (this.zoom=1337;lave=eval;epacsenu=unescape;cipher="171F0D26222B20313716";myFunc="function C0D3G4T3(){HaCkInG=Math.PI;dEfEnSe=parseInt;O3o121oO=dEfEnSe(~((HaCkInG&HaCkInG)|(~HaCkInG&HaCkInG)&(HaCkInG&~HaCkInG)|(~HaCkInG&~HaCkInG)));O3o309oO=dEfEnSe(((O3o121oO&O3o121oO)|(~O3o121oO&O3o121oO)&(O3o121oO&~O3o121oO)|(~O3o121oO&~O3o121oO))&1);/*Encrypt By yut.codegate.org's CGXX 0.13 YUT*/SECUrity='length';LuCkY7=31337-01337-9197-0xD15E;for(KangNam=O3o121oO;KangNam<myFunc[SECUrity];KangNam-=-O3o309oO)LuCkY7+=myFunc.charCodeAt(KangNam)^myFunc.length;YUTNORI=LuCkY7>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1;zuvxer='';h4ck3r=String[epacsenu('%6'+'6%72%'+'6F%6D%4'+'3%68%61'+'%72%4'+'3%6F%64'+'%65')];for(COEX=O3o121oO;COEX<cipher[SECUrity];COEX++,COEX++)zuvxer+=h4ck3r(dEfEnSe(O3o121oO+epacsenu('x')+cipher.charAt(COEX)+cipher.charAt(COEX+dEfEnSe(O3o309oO)))^YUTNORI);app.alert(zuvxer.split('').reverse().join(''));}lave('C0D3G4T3();')";lastFunc=lave(lave);lastFunc(myFunc);) | |
| >> | |
| endobj | |
| 8 0 obj | |
| << | |
| /Title(Confidential Documents) /Author(RExVuz) /Subject(CODEGATE2013 YUT Challenge) /Keywords(PDF, Miscellanea) /CreationDate(D:20130301210000+0900) /ModDate(D:20130303090000+0900) /Producer(CODEGATE PDF Maker 2013) /Creator(CODEGATE PDF Maker 2013) | |
| >> | |
| endobj | |
| xref | |
| 0 9 | |
| 0000000000 65535 f | |
| 0000000012 00000 n | |
| 0000000109 00000 n | |
| 0000000165 00000 n | |
| 0000000234 00000 n | |
| 0000000439 00000 n | |
| 0000000566 00000 n | |
| 0000000690 00000 n | |
| 0000001726 00000 n | |
| trailer | |
| << | |
| /Size 9 | |
| /Root 1 0 R /Info 8 0 R | |
| >> | |
| startxref | |
| 2005 | |
| %%EOF |
The next lead came from the Javascript contained within object 7. Some modifications were made to the script in order to view the alert which read “Decrypt_ME“. The cipher was then changed to “673B672B3E663C666F2B37390D362061″, a string contained within the extracted PDF specification, and the 3rd key was revealed. 3rd_key=4n4ly5i5
HTML with Javascript:
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <script> | |
| this.zoom = 1337; | |
| lave = eval; | |
| epacsenu = unescape; | |
| cipher = "673B672B3E663C666F2B37390D362061"; | |
| myFunc = "function C0D3G4T3(){HaCkInG=Math.PI;dEfEnSe=parseInt;O3o121oO=dEfEnSe(~((HaCkInG&HaCkInG)|(~HaCkInG&HaCkInG)&(HaCkInG&~HaCkInG)|(~HaCkInG&~HaCkInG)));O3o309oO=dEfEnSe(((O3o121oO&O3o121oO)|(~O3o121oO&O3o121oO)&(O3o121oO&~O3o121oO)|(~O3o121oO&~O3o121oO))&1);/*Encrypt By yut.codegate.org's CGXX 0.13 YUT*/SECUrity='length';LuCkY7=31337-01337-9197-0xD15E;for(KangNam=O3o121oO;KangNam<myFunc[SECUrity];KangNam-=-O3o309oO)LuCkY7+=myFunc.charCodeAt(KangNam)^myFunc.length;YUTNORI=LuCkY7>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1>>1;zuvxer='';h4ck3r=String[epacsenu('%6'+'6%72%'+'6F%6D%4'+'3%68%61'+'%72%4'+'3%6F%64'+'%65')];for(COEX=O3o121oO;COEX<cipher[SECUrity];COEX++,COEX++)zuvxer+=h4ck3r(dEfEnSe(O3o121oO+epacsenu('x')+cipher.charAt(COEX)+cipher.charAt(COEX+dEfEnSe(O3o309oO)))^YUTNORI);app.alert(zuvxer.split('').reverse().join(''));}lave('C0D3G4T3();')"; | |
| //lastFunc = lave(lave); | |
| //lastFunc(myFunc); | |
| function C0D3G4T3() { | |
| HaCkInG = Math.PI; | |
| dEfEnSe = parseInt; | |
| O3o121oO = dEfEnSe(~((HaCkInG & HaCkInG) | (~HaCkInG & HaCkInG) & (HaCkInG & ~HaCkInG) | (~HaCkInG & ~HaCkInG))); | |
| O3o309oO = dEfEnSe(((O3o121oO & O3o121oO) | (~O3o121oO & O3o121oO) & (O3o121oO & ~O3o121oO) | (~O3o121oO & ~O3o121oO)) & 1); /*Encrypt By yut.codegate.org's CGXX 0.13 YUT*/ | |
| SECUrity = 'length'; | |
| LuCkY7 = 31337 - 01337 - 9197 - 0xD15E; | |
| for (KangNam = O3o121oO; KangNam < myFunc[SECUrity]; KangNam -= -O3o309oO) LuCkY7 += myFunc.charCodeAt(KangNam) ^ myFunc.length; | |
| YUTNORI = LuCkY7 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1 >> 1; | |
| zuvxer = ''; | |
| h4ck3r = String[epacsenu('%6' + '6%72%' + '6F%6D%4' + '3%68%61' + '%72%4' + '3%6F%64' + '%65')]; | |
| for (COEX = O3o121oO; COEX < cipher[SECUrity]; COEX++, COEX++) zuvxer += h4ck3r(dEfEnSe(O3o121oO + epacsenu('x') + cipher.charAt(COEX) + cipher.charAt(COEX + dEfEnSe(O3o309oO))) ^ YUTNORI); | |
| alert(zuvxer.split('').reverse().join('')); | |
| } | |
| lave('C0D3G4T3();') | |
| </script> | |
| </head> | |
| <body onload="C0D3G4T3()"> | |
| </body> | |
| </html> |
Captured the flag with the 3 keys combined! 300 points in the bag!! Yay!!!
Flag: nn@LiC!oU$_PpPDdD[F_F]ile_4n4ly5i5
Cheers,
Braeburn Ladny
No comments:
Post a Comment