This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.


PDF Trap - Complete Solution Walkthrough

Step 1: Initial PDF Analysis

  1. Download challenge.pdf from the challenge page to your local machine.
  2. First, let's examine the PDF using basic tools. Open a terminal and navigate to the directory containing the PDF.
  3. Use file challenge.pdf to confirm it's a valid PDF file.
  4. Run pdfinfo challenge.pdf to view basic metadata information. This will show you the document properties, creation date, and other standard metadata fields.
  5. Use strings challenge.pdf | grep -i flag to search for any obvious references to flags in the file.

Step 2: Deep PDF Structure Analysis

  1. Install and use pdf-parser.py from the pdf-tools suite: python3 pdf-parser.py challenge.pdf
  2. This will show you all PDF objects, their types, and their relationships. Look for objects that might contain hidden data.
  3. Alternatively, use pdfid.py challenge.pdf to get a quick overview of PDF elements and potential security issues.
  4. Examine the PDF structure more closely with: python3 pdf-parser.py -a challenge.pdf to see all objects with their content.
  5. Look specifically for objects with unusual names, custom metadata fields, or embedded streams that might contain the flag.

Step 3: Discovering the Custom Flag Field

  1. Use exiftool challenge.pdf to examine all metadata fields, including custom ones that might contain the flag.
  2. Search for custom metadata fields: exiftool -a -u challenge.pdf to show all tags including unknown ones.
  3. Look for a custom field named /CustomFlag in the PDF metadata.
  4. You can also use pdf-parser.py to search for custom fields: python3 pdf-parser.py challenge.pdf | grep -i custom
  5. The flag is stored in a custom metadata field with escaped characters: /CustomFlag (ca36830f\0555bc4\0554cdb\055a0ca\055fde5bb1132bd)

Step 4: Extracting and Decoding the Flag

  1. Once you find the /CustomFlag field, you'll see the value: ca36830f\0555bc4\0554cdb\055a0ca\055fde5bb1132bd
  2. The \055 sequences are octal escapes inside a PDF literal string: \ddd stands for the byte with octal value ddd, and 055 is 0x2D, the hyphen character. Each \055 therefore represents a hyphen.
  3. To decode the flag, replace all \055 sequences with hyphens: ca36830f-5bc4-4cdb-a0ca-fde5bb1132bd
  4. This gives you the final flag: ca36830f-5bc4-4cdb-a0ca-fde5bb1132bd
  5. You can use a simple command to decode it: echo "ca36830f\0555bc4\0554cdb\055a0ca\055fde5bb1132bd" | sed 's/\\055/-/g'
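As an added example (not part of the original walkthrough), the decoding in Step 4 done properly in Python: a small decoder for PDF literal-string escapes that handles \ddd octal sequences of one to three digits, the single-character escapes and backslash line continuations, applied to a constructed PDF fragment that mimics the challenge's /CustomFlag entry. It is more general than the hyphen-only sed replacement and needs no PyPDF2 or pdfrw; the sample bytes, function names and key name are assumptions for the demo.

```python
import re

# Constructed sample, not the challenge file: an Info dictionary whose custom key
# writes each hyphen of its value as the octal escape \055.
SAMPLE_PDF = rb"""%PDF-1.4
3 0 obj
<< /Title (Quarterly Report) /CustomFlag (ca36830f\0555bc4\0554cdb\055a0ca\055fde5bb1132bd) >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

_SIMPLE_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b",
                   b"f": b"\f", b"(": b"(", b")": b")", b"\\": b"\\"}

def decode_literal_string(raw: bytes) -> bytes:
    """Decode the body of a PDF literal string (the bytes between the parentheses):
    \\ddd octal escapes, single-character escapes and backslash-EOL continuations."""
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c != b"\\":
            out += c
            i += 1
            continue
        i += 1                      # skip the backslash
        c = raw[i:i + 1]
        if c and c in b"01234567":  # octal escape: 1-3 digits, high bits ignored
            j = i
            while j < len(raw) and j - i < 3 and raw[j:j + 1] in b"01234567":
                j += 1
            out.append(int(raw[i:j], 8) & 0xFF)
            i = j
        elif c in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[c]
            i += 1
        elif c in (b"\r", b"\n"):   # line continuation: swallow CR, LF or CRLF
            i += 1 + (c == b"\r" and raw[i + 1:i + 2] == b"\n")
        else:                       # unknown escape: drop the backslash, keep the char
            out += c
            i += 1
    return bytes(out)

def find_string_entries(pdf: bytes, key: bytes) -> list:
    """Decoded value of every '/key (...)' literal string visible in the raw file.
    Entries inside compressed object streams must be inflated first (e.g. pdf-parser.py)."""
    pat = re.compile(rb"/" + re.escape(key) + rb"\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
    return [decode_literal_string(m.group(1)) for m in pat.finditer(pdf)]
```

Running find_string_entries(SAMPLE_PDF, b"CustomFlag") on the sample yields the decoded hyphenated value; on a real file, pass the bytes of the PDF (or of pdf-parser.py's inflated output) instead.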

Alternative Methods and Tools

  • Using Peepdf: Run peepdf challenge.pdf and use the interactive commands to explore the PDF structure and metadata.
  • Using PDFtk: Extract metadata with pdftk challenge.pdf dump_data to see all document information including custom fields.
  • Using QPDF: Analyze with qpdf --show-pages challenge.pdf to see page information and objects.
  • Manual hex analysis: Open the PDF in a hex editor like HxD or 010 Editor and search for the string "CustomFlag"; searching for the hyphenated UUID pattern directly will not match, because the hyphens are stored as the octal escape \055 rather than as literal bytes.
  • Using Python scripts: Write custom Python scripts using libraries like PyPDF2 or pdfrw to programmatically extract custom metadata fields.
  • Using strings command: strings challenge.pdf | grep -i customflag to find the custom field directly.

Technical Details and Security Implications

  • PDF Custom Metadata: The PDF Info dictionary can carry keys beyond the standard ones (Title, Author, Subject, and so on), and producers may add arbitrary custom entries. Such fields are rarely shown by viewers, so they can be used to store hidden data.
  • Character Escaping: Inside a PDF literal string any byte can be written as a three-digit octal escape (\ddd), so a hyphen can be encoded as \055 even though it needs no escaping. Viewers decode it transparently, while a naive strings or grep search for the hyphenated value fails; this is a common technique to hide data in plain sight.
  • Hidden Data Techniques: Attackers can hide data in PDF custom metadata fields, embedded streams, annotations, or unused object spaces to evade detection.
  • Forensic Analysis: PDF forensics involves examining the internal structure, metadata, and embedded objects to uncover hidden information.
  • Data Exfiltration: Malicious actors often use PDF files to exfiltrate data by embedding it in custom metadata fields or compressed streams.
  • Detection Methods: Security professionals use specialized tools to analyze PDF files for hidden content, unusual metadata, or embedded malicious code.
  • Best Practices: Always scan PDF files with multiple tools, examine metadata thoroughly, and be suspicious of PDFs from untrusted sources.

Learning Outcomes

  • Understanding of PDF file structure and custom metadata fields
  • Proficiency in using forensic tools for PDF analysis
  • Knowledge of character escaping techniques in PDF format
  • Experience with multiple analysis methods and tools
  • Recognition of security implications of hidden data in documents
  • Development of systematic approach to forensic analysis
  • Understanding of how attackers use custom metadata for data hiding