Rating:

# Printer Paper
Misc

## Challenge

We need to collect more of defund's math papers to gather evidence against him. See if you can find anything in the data packets we've intercepted from his printer.

Author: defund

## Hint

https://github.com/koenkooi/foo2zjs

## Solution

From the pcapng file open in Wireshark. We see these packets

Packet 2

sMFG:Hewlett-Packard;MDL:HP LaserJet P1505n;CMD:HBS,PJL,ACL,PCL;CLS:PRINTER;DES:HP LaserJet P1505n;FWVER:20100617;

Packet 9

%-12345X@PJL
@PJL JOB NAME = "paper.pdf" DISPLAY = "15 wiwang paper.pdf"
@PJL SET USERNAME = "wiwang"
@PJL SET DENSITY=3
@PJL SET JAMRECOVERY=OFF
@PJL SET ECONOMODE=OFF
@PJL SET RET=MEDIUM
%-12345X

There is a printer file after that between packet 15 and packet 27. I extracted it and concatted them together.

---

Searching online it is a HP XQX job.

- https://www.tachytelic.net/2010/10/hp-direct-pdf-printing-and-printer-tray-control/

The hint also shows us to the driver page. https://github.com/koenkooi/foo2zjs

FOO2XQX
-------
foo2xqx converts Ghostscript pbmraw to monochrome XQX streams, for
driving the HP LaserJet M1005 MFP and other XQX-based printers

Using XQX Decode, I got no useful information
http://manpages.ubuntu.com/manpages/xenial/man1/xqxdecode.1.html

# wget https://github.com/mikerr/foo2zjs/blob/master/xqxdecode
# ./xqxdecode -o -h < pkt.bin
0: XQX_MAGIC, 0x5851582c (,XQX)
4: XQX_START_DOC(1), 7 items
12: XQXI_0x80000000, 84 (0x54)
24: XQXI_0x10000005, 1 (0x1)
36: XQXI_0x10000001, 0 (0x0)
48: XQXI_DMDUPLEX, 0 (0x0)
60: XQXI_0x10000000, 0 (0x0)
72: XQXI_0x10000003, 1 (0x1)
84: XQXI_END, -559038737 (0xdeadbeef)
96: XQX_START_PAGE(3), 15 items [Page 1]
104: XQXI_0x80000000, 180 (0xb4)
116: XQXI_0x20000005, 1 (0x1)
128: XQXI_DMDEFAULTSOURCE, 7 (0x7)
140: XQXI_DMMEDIATYPE, 1 (0x1)
152: XQXI_0x20000007, 1 (0x1)
164: XQXI_RESOLUTION_X, 600 (0x258)
176: XQXI_RESOLUTION_Y, 600 (0x258)
188: XQXI_RASTER_X, 4800 (0x12c0)
200: XQXI_RASTER_Y, 6360 (0x18d8)
212: XQXI_VIDEO_BPP, 1 (0x1)
224: XQXI_VIDEO_X, 4800 (0x12c0)
236: XQXI_VIDEO_Y, 6360 (0x18d8)
248: XQXI_ECONOMODE, 0 (0x0)
260: XQXI_DMPAPER, 1 (0x1)
272: XQXI_END, -559038737 (0xdeadbeef)
284: XQX_START_PLANE(5), 4 items
292: XQXI_0x80000000, 64 (0x40)
304: XQXI_0x40000000, 0 (0x0)
316: XQXI_BIH(0x40000002)
DL = 0, D = 0, P = 1, - = 0, XY = 4800 x 6360
L0 = 128, MX = 0, MY = 0
Order = 3 ILEAVE SMID
Options = 92 LRLTWO TPDON TPBON DPON
50 stripes, 0 layers, 1 planes

344: XQXI_END, -559038737 (0xdeadbeef)
356: XQX_JBIG(7), 51881 items
52245: XQX_END_PLANE(6), 0 items
52253: XQX_END_PAGE(4), 0 items
52261: XQX_END_DOC(2), 0 items
Total size: 51881 bytes
0: \033%-12345X@PJL
14: @PJL RDYMSG DISPLAY = ""
39: @PJL EOJ
48: \033%-12345X

After which I decided to search around. I eventually found a software to render the print job (ZjStream protocol).

- https://www.prnwatch.com/ok-printer-viewer/

![Capture.PNG](Capture.PNG)

## Flag

actf{daniel_zhu_approves}

Original writeup (https://github.com/zst-ctf/angstromctf-2019-writeups/tree/master/Solved/Printer_Paper).