  • Daily Challenge
  • Released 11 Jul 2025

PDF Trap - Complete Solution Walkthrough

Step 1: Initial PDF Analysis

  1. Download challenge.pdf from the challenge page to your local machine.
  2. First, let's examine the PDF using basic tools. Open a terminal and navigate to the directory containing the PDF.
  3. Use file challenge.pdf to confirm it's a valid PDF file.
  4. Run pdfinfo challenge.pdf to view basic metadata information. This will show you the document properties, creation date, and other standard metadata fields.
  5. Use strings challenge.pdf | grep -i flag to search for any obvious references to flags in the file.

Step 2: Deep PDF Structure Analysis

  1. Install and use pdf-parser.py from the pdf-tools suite: python3 pdf-parser.py challenge.pdf
  2. This will show you all PDF objects, their types, and their relationships. Look for objects that might contain hidden data.
  3. Alternatively, use pdfid.py challenge.pdf to get a quick overview of PDF elements and potential security issues.
  4. Examine the PDF structure more closely with: python3 pdf-parser.py -a challenge.pdf to see all objects with their content.
  5. Look specifically for objects with unusual names, custom metadata fields, or embedded streams that might contain the flag.

Step 3: Discovering the Custom Flag Field

  1. Use exiftool challenge.pdf to examine all metadata fields, including custom ones that might contain the flag.
  2. Search for custom metadata fields: exiftool -a -u challenge.pdf to show all tags including unknown ones.
  3. Look for a custom field named /CustomFlag in the PDF metadata.
  4. You can also use pdf-parser.py to search for custom fields: python3 pdf-parser.py challenge.pdf | grep -i custom
  5. The flag is stored in a custom metadata field with escaped characters: /CustomFlag (ca36830f\0555bc4\0554cdb\055a0ca\055fde5bb1132bd)

Step 4: Extracting and Decoding the Flag

  1. Once you find the /CustomFlag field, you'll see the value: ca36830f\0555bc4\0554cdb\055a0ca\055fde5bb1132bd
  2. The \055 sequences are escaped hyphens in the PDF format. Each \055 represents a hyphen character.
  3. To decode the flag, replace all \055 sequences with hyphens: ca36830f-5bc4-4cdb-a0ca-fde5bb1132bd
  4. This gives you the final flag: ca36830f-5bc4-4cdb-a0ca-fde5bb1132bd
  5. You can use a simple command to decode it (printf with a single-quoted string is used rather than echo, because many shells' echo builtin would itself interpret the \0555 sequences as octal escapes before sed sees them): printf '%s\n' 'ca36830f\0555bc4\0554cdb\055a0ca\055fde5bb1132bd' | sed 's/\\055/-/g'
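The decoding step above, as an added example that is not part of the lab walkthrough: a small Python decoder for PDF literal-string escapes that handles the general rules (\ddd octal with one to three digits, the named escapes, line continuation and balanced parentheses), not only \055, and a finder that pulls a named literal-string entry out of raw PDF bytes. The Info dictionary fragment is constructed for the example; it is not the real challenge.pdf.

```python
import re
from typing import Optional

# PDF literal strings (ISO 32000-1, 7.3.4.2) escape with a backslash:
# \n \r \t \b \f \( \) \\ and \ddd (one to three octal digits).
SIMPLE_ESCAPES = {
    b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
    b"(": b"(", b")": b")", b"\\": b"\\",
}

def decode_pdf_literal(raw: bytes) -> bytes:
    """Decode the body of a PDF literal string (bytes between the parentheses)."""
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c != b"\\":
            out += c
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt in SIMPLE_ESCAPES:
            out += SIMPLE_ESCAPES[nxt]
            i += 2
        elif nxt and nxt in b"01234567":
            # At most three octal digits: \0555 is \055 ('-') followed by a literal '5'.
            j = i + 1
            while j < i + 4 and raw[j:j + 1] and raw[j:j + 1] in b"01234567":
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF)
            i = j
        elif nxt in (b"\n", b"\r"):
            # Backslash before an end-of-line is a line continuation: drop both.
            i += 2 + (1 if nxt == b"\r" and raw[i + 2:i + 3] == b"\n" else 0)
        else:
            i += 1  # a backslash before any other character is ignored
    return bytes(out)

def extract_literal_field(pdf_bytes: bytes, key: bytes) -> Optional[bytes]:
    """Find '/<key> (...)' in raw PDF bytes and return its decoded value.

    Scans for the closing ')' while honouring backslash escapes and the
    balanced unescaped parentheses PDF allows inside literal strings."""
    m = re.search(rb"/" + re.escape(key) + rb"\s*\(", pdf_bytes)
    if not m:
        return None
    start = i = m.end()
    depth = 1
    while i < len(pdf_bytes) and depth:
        c = pdf_bytes[i:i + 1]
        if c == b"\\":
            i += 2
            continue
        depth += {b"(": 1, b")": -1}.get(c, 0)
        i += 1
    return None if depth else decode_pdf_literal(pdf_bytes[start:i - 1])

# Constructed sample Info dictionary carrying the lab's escaped value.
SAMPLE_INFO_DICT = (b"1 0 obj\n<< /Producer (demo) /CustomFlag "
                    b"(ca36830f\\0555bc4\\0554cdb\\055a0ca\\055fde5bb1132bd) >>\nendobj\n")

if __name__ == "__main__":
    print(extract_literal_field(SAMPLE_INFO_DICT, b"CustomFlag").decode())
```

Because the scanner works on raw bytes, it only finds entries that sit in an uncompressed object; a value inside a FlateDecode stream or an object stream must be inflated first (pdf-parser.py's filter option does this).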

Alternative Methods and Tools

  • Using Peepdf: Run peepdf challenge.pdf and use the interactive commands to explore the PDF structure and metadata.
  • Using PDFtk: Extract metadata with pdftk challenge.pdf dump_data to see all document information including custom fields.
  • Using QPDF: Analyze with qpdf --show-pages challenge.pdf to see page information and objects.
  • Manual hex analysis: Open the PDF in a hex editor like HxD or 010 Editor and search for the string "CustomFlag" or the UUID pattern.
  • Using Python scripts: Write custom Python scripts using libraries like PyPDF2 or pdfrw to programmatically extract custom metadata fields.
  • Using strings command: strings challenge.pdf | grep -i customflag to find the custom field directly.

Technical Details and Security Implications

  • PDF Custom Metadata: PDF files can contain custom metadata fields that are not part of the standard PDF specification. These fields can be used to store hidden data.
  • Character Escaping: In PDF literal strings any byte can be written in octal escape notation (\055 is the hyphen, 0x2D), so a value can be made unreadable to a naive strings or grep search while a PDF reader still decodes it normally. This is a common technique to hide data in plain sight.
  • Hidden Data Techniques: Attackers can hide data in PDF custom metadata fields, embedded streams, annotations, or unused object spaces to evade detection.
  • Forensic Analysis: PDF forensics involves examining the internal structure, metadata, and embedded objects to uncover hidden information.
  • Data Exfiltration: Malicious actors often use PDF files to exfiltrate data by embedding it in custom metadata fields or compressed streams.
  • Detection Methods: Security professionals use specialized tools to analyze PDF files for hidden content, unusual metadata, or embedded malicious code.
  • Best Practices: Always scan PDF files with multiple tools, examine metadata thoroughly, and be suspicious of PDFs from untrusted sources.

Learning Outcomes

  • Understanding of PDF file structure and custom metadata fields
  • Proficiency in using forensic tools for PDF analysis
  • Knowledge of character escaping techniques in PDF format
  • Experience with multiple analysis methods and tools
  • Recognition of security implications of hidden data in documents
  • Development of systematic approach to forensic analysis
  • Understanding of how attackers use custom metadata for data hiding