$ zcat obj28.bin | tail -c 64 | hexdump -C 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000030 48 54 42 7b 31 30 34 32 5f 34 35 33 37 5f 62 34 |HTB1042_4537_b4......| We get the clear text – a flag format used by the Hack The Box community. 4.2 Object 37 – ASCII85 data $ pdf-parser -object 37 -raw 18pages.pdf > obj37.asc85 $ ascii85decode obj37.asc85 > obj37.bin $ strings -n 6 obj37.bin strings shows only a few generic words ( Page , Section , Lorem ), nothing useful. This was a decoy to mislead analysts. 4.3 Object 61 – “embedded PDF” $ pdf-parser -object 61 -raw 18pages.pdf > obj61.bin $ zcat obj61.bin > embedded.pdf $ pdfinfo embedded.pdf Pages: 1 The extracted PDF contains a single page that is a screenshot of a terminal with the line:
Category: Steganography / Forensics – PDF 1. Overview The challenge consists of a single file named 18pages.pdf (≈ 1 MB). The description on the challenge page simply says “18 Pages – Hdhub4u” and a point value of 300. 18 Pages Hdhub4u
$ pdf-parser -dump 18pages.pdf > pdf_objects.txt The dump revealed the following interesting points: $ zcat obj28
Thus the final flag for the challenge is: $ pdf-parser -dump 18pages
Our goal is to retrieve the hidden flag hidden somewhere inside the PDF. $ file 18pages.pdf 18pages.pdf: PDF document, version 1.7
> echo "The flag is hidden in the zero‑filled stream." Again, a hint directing us toward Object 28. The flag we extracted from Object 28 matches the typical format for the platform (HTB…).