hackerdna | Hacking Labs /PDF Trap

Step 1: Click on the green button to Start the Lab

Step 2: Hack the URL or IP of the lab

Step 3: Use your skills and logic to find the flags!

Need help to start?

Daily Challenge

PDF Trap - Complete Solution Walkthrough

Download challenge.pdf from the challenge page to your local machine.
First, let's examine the PDF using basic tools. Open a terminal and navigate to the directory containing the PDF.
Use file challenge.pdf to confirm it's a valid PDF file.
Run pdfinfo challenge.pdf to view basic metadata information. This will show you the document properties, creation date, and other standard metadata fields.
Use strings challenge.pdf | grep -i flag to search for any obvious references to flags in the file.

Install and use pdf-parser.py from the pdf-tools suite: python3 pdf-parser.py challenge.pdf
This will show you all PDF objects, their types, and their relationships. Look for objects that might contain hidden data.
Alternatively, use pdfid.py challenge.pdf to get a quick overview of PDF elements and potential security issues.
Examine the PDF structure more closely with: python3 pdf-parser.py -a challenge.pdf to see all objects with their content.
Look specifically for objects with unusual names, custom metadata fields, or embedded streams that might contain the flag.

Use exiftool challenge.pdf to examine all metadata fields, including custom ones that might contain the flag.
Search for custom metadata fields: exiftool -a -u challenge.pdf to show all tags including unknown ones.
Look for a custom field named /CustomFlag in the PDF metadata.
You can also use pdf-parser.py to search for custom fields: python3 pdf-parser.py challenge.pdf | grep -i custom
The flag is stored in a custom metadata field with escaped characters: /CustomFlag (ca36830f\0555bc4\0554cdb\055a0ca\055fde5bb1132bd)

Once you find the /CustomFlag field, you'll see the value: ca36830f\0555bc4\0554cdb\055a0ca\055fde5bb1132bd
The \055 sequences are escaped hyphens in the PDF format. Each \055 represents a hyphen character.
To decode the flag, replace all \055 sequences with hyphens: ca36830f-5bc4-4cdb-a0ca-fde5bb1132bd
This gives you the final flag: ca36830f-5bc4-4cdb-a0ca-fde5bb1132bd
You can use a simple command to decode it: echo "ca36830f\0555bc4\0554cdb\055a0ca\055fde5bb1132bd" | sed 's/\\055/-/g'

Using Peepdf: Run peepdf challenge.pdf and use the interactive commands to explore the PDF structure and metadata.
Using PDFtk: Extract metadata with pdftk challenge.pdf dump_data to see all document information including custom fields.
Using QPDF: Analyze with qpdf --show-pages challenge.pdf to see page information and objects.
Manual hex analysis: Open the PDF in a hex editor like HxD or 010 Editor and search for the string "CustomFlag" or the UUID pattern.
Using Python scripts: Write custom Python scripts using libraries like PyPDF2 or pdfrw to programmatically extract custom metadata fields.
Using strings command: strings challenge.pdf | grep -i customflag to find the custom field directly.

PDF Custom Metadata: PDF files can contain custom metadata fields that are not part of the standard PDF specification. These fields can be used to store hidden data.
Character Escaping: In PDF format, certain characters like hyphens are escaped using octal notation (\055 for hyphen). This is a common technique to hide data in plain sight.
Hidden Data Techniques: Attackers can hide data in PDF custom metadata fields, embedded streams, annotations, or unused object spaces to evade detection.
Forensic Analysis: PDF forensics involves examining the internal structure, metadata, and embedded objects to uncover hidden information.
Data Exfiltration: Malicious actors often use PDF files to exfiltrate data by embedding it in custom metadata fields or compressed streams.
Detection Methods: Security professionals use specialized tools to analyze PDF files for hidden content, unusual metadata, or embedded malicious code.
Best Practices: Always scan PDF files with multiple tools, examine metadata thoroughly, and be suspicious of PDFs from untrusted sources.