Tags: forensics 

# the-flag-is (200)

## Problem

I have a flag! The flag is... wait... did my PDF editor not save the flag? OH NO! I remember typing it in, can you help me find it?

(Attachments: files/flag.pdf)

## Solution

Let's have a look at the file to see what we're dealing with.

```
$ cat flag.pdf
%PDF-1.3
1 0 obj << /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Resources << /Font << /F1 4 0 R >> >> /Contents 5 0 R >>
endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /TimesNewRoman >>
endobj
5 0 obj << /Length 89 /Filter /ASCII85Decode >>
stream
6<#'\7PQ#?2BYt2+>GQ(+?(u.+B2ko-t6[p@ru=0A2%m[?SlCOFC-k60Qf<]0lB@!1JMFu2`,>XF\lU*2`#N'.3MT)+@T6~>
endstream
endobj

xref
0 5
0000000000 65535 f
0000000010 00000 n
0000000061 00000 n
0000000120 00000 n
0000000248 00000 n
0000000324 00000 n
trailer << /Size 5 /Root 1 0 R >>
startxref
500
%%EOF

5 0 obj << /Length 89 /Filter /ASCII85Decode >>
stream
6<#'\7PQ#?2BYt2+>GQ(+?(u.+B2ko-rakk+D,FuB-:o0/hSb*+B3(u78s~>
endstream
endobj

xref
0 1
0000000000 65535 f
5 1
0000000691 00000 n
trailer << /Size 5 /Root 1 0 R /Prev 500 >>
startxref
831
%%EOF
```

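The file defines object 5 twice: once in the original body, and again after the first `%%EOF`, in an appended section whose trailer points back to the original with `/Prev 500`. The first definition is particularly interesting.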

```
5 0 obj << /Length 89 /Filter /ASCII85Decode >>
stream
6<#'\7PQ#?2BYt2+>GQ(+?(u.+B2ko-t6[p@ru=0A2%m[?SlCOFC-k60Qf<]0lB@!1JMFu2`,>XF\lU*2`#N'.3MT)+@T6~>
```

Its dictionary names the `/ASCII85Decode` filter, and the stream is an ASCII85 string. Sure enough, when we decode it as ASCII85, we get the flag.

```
-t6[p@ru=0A2%m[?SlCOFC-k60Qf<]0lB@!1JMFu2`,>XF\lU*2`#N'.3
(bcactf{d0n7_4g3t_4b0u7_1nCr3Men74l_uPd473s})
```
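
The flag is recoverable because the editor saved an incremental update: the new object 5 was appended after the first `%%EOF` and the old one stayed in the file. As an added example (not part of the original writeup), this Python script collects every revision of each stream object, decodes ASCII85 streams, and reports objects whose content changed between revisions; `SAMPLE` is a trimmed copy of the two object 5 definitions from the dump above, and the function names are this example's own.

```python
import base64
import re

# Trimmed copy of flag.pdf as shown above: only the two revisions of
# object 5 and their trailers are kept (other objects and xref omitted).
SAMPLE = rb"""%PDF-1.3
5 0 obj << /Length 89 /Filter /ASCII85Decode >>
stream
6<#'\7PQ#?2BYt2+>GQ(+?(u.+B2ko-t6[p@ru=0A2%m[?SlCOFC-k60Qf<]0lB@!1JMFu2`,>XF\lU*2`#N'.3MT)+@T6~>
endstream
endobj
trailer << /Size 5 /Root 1 0 R >>
%%EOF
5 0 obj << /Length 89 /Filter /ASCII85Decode >>
stream
6<#'\7PQ#?2BYt2+>GQ(+?(u.+B2ko-rakk+D,FuB-:o0/hSb*+B3(u78s~>
endstream
endobj
trailer << /Size 5 /Root 1 0 R /Prev 500 >>
%%EOF
"""

# "N G obj <dictionary> stream <data> endstream"; the dictionary part may
# not cross an "endobj", so objects without a stream are skipped.
OBJ_RE = re.compile(
    rb"(\d+) (\d+) obj\b((?:(?!endobj).)*?)stream\r?\n(.*?)\r?\nendstream", re.S)

def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Decode an /ASCII85Decode stream; return any other stream unchanged."""
    if b"/ASCII85Decode" not in dictionary:
        return raw
    # PDF streams end with the "~>" marker but have no "<~" prefix.
    return base64.a85decode(raw.split(b"~>", 1)[0])

def object_history(pdf: bytes) -> dict:
    """Map (object, generation) -> decoded streams, oldest revision first."""
    history = {}
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        history.setdefault(key, []).append(decode_stream(m.group(3), m.group(4)))
    return history

def superseded(pdf: bytes) -> dict:
    """Objects that a later revision redefined with different content."""
    return {k: v for k, v in object_history(pdf).items() if len(set(v)) > 1}

if __name__ == "__main__":
    for (num, gen), versions in superseded(SAMPLE).items():
        for i, body in enumerate(versions):
            print(f"obj {num} {gen} revision {i}: {body.decode('latin-1')}")
```

A viewer only renders the last revision of object 5, so any earlier revision reported here is content that was edited out but never removed from the file.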

Original writeup (https://github.com/shawnduong/ctf-writeups/blob/master/2019-BCA/forensics/the-flag-is.md).