Tags: steganography pdf 

Rating: 4.5

# NSA Whistleblower

We're provided with a [PDF file](https://github.com/dogelition/ctf-writeups/blob/master/2020/ALLES/NSA%20Whistleblower/NSA_leak.pdf) and the description "Psst... The most secret data is hidden in plain sight".

Unfortunately, we weren't able to solve this challenge during the CTF. We tried various PDF tools, inspected the images, looked for hidden stuff in the fonts, the text, etc. A few days after the CTF ended, we finally found the solution and realized how simple it actually was.

All you have to do is zoom in on the PDF or mess with the colors to realize that there are yellow dots all over the pages. A quick search for "yellow dots" leads to a [wikipedia article](https://en.wikipedia.org/wiki/Machine_Identification_Code), explaining that these dots are produced by certain printers (the provided PDF definitely hasn't been through a printer, but whatever...). We then found [deda](https://github.com/dfd-tud/deda) which can read the data encoded using these dots.

We can use `pdftoppm` to convert the PDF pages to .png images so that deda can read them:

```
pdftoppm NSA_leak.pdf nsa -png
```

This produces files named `nsa-1.png` through `nsa-8.png`.

We can now invoke deda on the images:

```
deda_parse_print nsa-1.png
```

Output:

```
Detected pattern 4

_|0|1|2|3|4|5|6|7
0|
1|.
2|.
3|. . .
4| . . .
5| . . .
6|.
7|.
8| . . .
9| .
0| .
1| .
2| .
3|.
4|. . .
5|. . .
27 dots.

<TDM of Pattern 4 at 0.00 x -0.00 inches>
Decoded:
manufacturer: Xerox
serial: -657676-
timestamp: 2042-02-04 04:20:00
raw: 0000657676000042020404040020
minutes: 20
hour: 04
day: 04
month: 02
year: 42
unknown1: 00
unknown3: 00
unknown4: 00
unknown5: 00
printer: 00657676
```

The timestamp basically just consists of the number `42`, so it's not very interesting. But the serial seems to be the first 3 characters of the flag (`ALL`), encoded in decimal! If we concatenate the serial numbers from all pages and put spaces in the right spots, we end up with this decimal sequence:

`65 76 76 69 83 123 115 51 99 114 51 116 95 100 48 116 115 125`

After decoding it using "From Decimal" on [CyberChef](https://gchq.github.io/CyberChef), we get the flag:

`ALLES{s3cr3t_d0ts}`

Original writeup (https://github.com/dogelition/ctf-writeups/blob/master/2020/ALLES/NSA%20Whistleblower/writeup.md).