
## Don't Let It Run (100 Points)

### Problem
```
PDF documents can contain unusual objects within.

file: dragon.pdf
```

### Solution
We're given a PDF that shows nothing but a black background with the green pixelated DragonSec dragon on it.
Inspecting the raw PDF data reveals a JavaScript action whose `/JS` value is an encoded string.

```
/JS <766172205F3078346163393D5B2736363361435968594B272C273971776147474F272C276C6
F67272C273150744366746D272C27313036387552596D7154272C27646374667B7064665F316E6A3
3637433647D272C273736383537376A6868736272272C2737313733343268417A4F4F51272C27373
232353133504158436268272C2738333339383950514B697469272C27313434373836335256636E5
46F272C2731323533353356746B585547275D3B2866756E6374696F6E285F30783362316636622C5
F3078316164386237297B766172205F30783536366565323D5F3078353334373B7768696C6528212
15B5D297B7472797B766172205F30783237353061353D7061727365496E74285F307835363665653
228307831366529292B2D7061727365496E74285F307835363665653228307831366429292B70617
27365496E74285F307835363665653228307831366329292B2D7061727365496E74285F307835363
665653228307831373329292A2D7061727365496E74285F307835363665653228307831373129292
B7061727365496E74285F307835363665653228307831373229292A2D7061727365496E74285F307
835363665653228307831366129292B7061727365496E74285F30783536366565322830783136662
9292A7061727365496E74285F307835363665653228307831373529292B2D7061727365496E74285
F307835363665653228307831373029293B6966285F30783237353061353D3D3D5F3078316164386
23729627265616B3B656C7365205F30783362316636625B2770757368275D285F307833623166366
25B277368696674275D2829293B7D6361746368285F3078353736346134297B5F307833623166366
25B2770757368275D285F30783362316636625B277368696674275D2829293B7D7D7D285F3078346
163392C3078386439376629293B66756E6374696F6E205F30786128297B766172205F30783363366
432303D5F3078353334373B636F6E736F6C655B5F3078336336643230283078313734295D285F307
833633664323028307831366229293B7D76617220613D27626B706F646E746A636F7073796D6C786
56977686F6E7374796B787372707A79272C623D2765787262737071717573746E7A717269756C697
A70656565787771736F666D77273B5F30786228612C62293B66756E6374696F6E205F30783533343
7285F30783337646533352C5F3078313961633236297B5F30783337646533353D5F3078333764653
3352D30783136613B766172205F30783461633965613D5F3078346163395B5F30783337646533355
D3B72657475726E205F30783461633965613B7D66756E6374696F6E205F307862285F30783339623
365652C5F3078666165353433297B766172205F30783235393932333D5F30783339623365652B5F3
0786661653534333B5F30786128293B7D0A>
>>
```

This is just hexadecimal. Let's convert it.

```
(var _0x4ac9=['663aCYhYK','9qwaGGO','log','1PtCftm','1068uRYmqT','dctf{pdf_1nj3ct3d}','768577jhhsbr','717342hAzOOQ','722513PAXCbh','833989PQKiti','1447863RVcnTo','125353VtkXUG'];\(function\(_0x3b1f6b,_0x1ad8b7\){var _0x566ee2=_0x5347;while\(!![]\){try{var _0x2750a5=parseInt\(_0x566ee2\(0x16e\)\)+-parseInt\(_0x566ee2\(0x16d\)\)+parseInt\(_0x566ee2\(0x16c\)\)+-parseInt\(_0x566ee2\(0x173\)\)*-parseInt\(_0x566ee2\(0x171\)\)+parseInt\(_0x566ee2\(0x172\)\)*-parseInt\(_0x566ee2\(0x16a\)\)+parseInt\(_0x566ee2\(0x16f\)\)*parseInt\(_0x566ee2\(0x175\)\)+-parseInt\(_0x566ee2\(0x170\)\);if\(_0x2750a5===_0x1ad8b7\)break;else _0x3b1f6b['push']\(_0x3b1f6b['shift']\(\)\);}catch\(_0x5764a4\){_0x3b1f6b['push']\(_0x3b1f6b['shift']\(\)\);}}}\(_0x4ac9,0x8d97f\)\);function _0xa\(\){var _0x3c6d20=_0x5347;console[_0x3c6d20\(0x174\)]\(_0x3c6d20\(0x16b\)\);}var a='bkpodntjcopsymlxeiwhonstykxsrpzy',b='exrbspqqustnzqriulizpeeexwqsofmw';_0xb\(a,b\);function _0x5347\(_0x37de35,_0x19ac26\){_0x37de35=_0x37de35-0x16a;var _0x4ac9ea=_0x4ac9[_0x37de35];return _0x4ac9ea;}function _0xb\(_0x39b3ee,_0xfae543\){var _0x259923=_0x39b3ee+_0xfae543;_0xa\(\);}\n) /S /JavaScript /Type /Action
```

Easy peasy, the flag is right in front of us.

Flag: `dctf{pdf_1nj3ct3d}`
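
The conversion step above, as an added example that is not part of the original writeup: a Python helper that pulls inline `/JS` values out of raw PDF bytes and decodes both the hex-string form seen in the dump and the backslash-escaped literal form seen in the converted output, without executing the script. The function names and the sample bytes are constructed for illustration, and it assumes the script is stored inline and uncompressed, as in the dump above.

```python
import re

_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f", b"\n": b""}

def decode_hex_string(body: bytes) -> bytes:
    """Decode the inside of a PDF hex string such as the /JS <...> value."""
    digits = re.sub(rb"\s+", b"", body)      # line wrapping inside <...> is ignored
    digits += b"0" * (len(digits) % 2)       # PDF rule: a missing final digit is 0
    return bytes.fromhex(digits.decode("ascii"))

def decode_literal_string(data: bytes, start: int) -> bytes:
    """Decode a PDF literal string whose opening '(' is at data[start]."""
    out, depth, i = bytearray(), 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            octal = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
            if octal:                        # \ddd octal escape
                out.append(int(octal.group(), 8) & 0xFF)
                i += 1 + len(octal.group())
            else:                            # \n, \(, \), \\ and friends
                nxt = data[i + 1:i + 2]
                out += _ESC.get(nxt, nxt)
                i += 2
            continue
        depth += (c == b"(") - (c == b")")   # unescaped parentheses must balance
        if depth == 0:
            return bytes(out[1:])            # drop the opening parenthesis
        out += c
        i += 1
    raise ValueError("unterminated literal string")

def extract_js(pdf: bytes) -> list[str]:
    """Return every inline /JS string found in raw, uncompressed PDF bytes."""
    found = []
    for m in re.finditer(rb"/JS\s*(<(?!<)|\()", pdf):
        try:
            raw = (decode_hex_string(pdf[m.end():pdf.index(b">", m.end())])
                   if m.group(1) == b"<" else decode_literal_string(pdf, m.start(1)))
        except ValueError:                   # malformed or truncated value: skip it
            continue
        found.append(raw.decode("latin-1"))
    return found

# Constructed sample: a wrapped hex-form value, then an escaped literal-form value.
_HEX = b"console.log('constructed sample');".hex().upper().encode()
_WRAPPED = b"\n".join(_HEX[i:i + 20] for i in range(0, len(_HEX), 20))
SAMPLE = (b"<< /S /JavaScript /JS <" + _WRAPPED
          + b">\n>>\n<< /JS (f\\(1\\);\\n) /S /JavaScript /Type /Action >>")
```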

Original writeup (https://github.com/cieran/writeups/blob/main/DragonCTF/misc/DontLetItRun.md).