
# Don't let it run

## Challenge:

PDF documents can contain unusual objects within.

## Solution:

If we run `strings` on the PDF we don’t find a flag, but we do see some embedded JavaScript:

```bash
3 0 obj
/Type /Action
/S /JavaScript

endobj
```

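If we decode the hex-encoded script that this action object carries (in a PDF JavaScript action the script is the value of the `/JS` entry, which is not reproduced in the listing above), we get the JavaScript code: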

```javascript
// String-table rotation bootstrap, run once with the array _0x4ac9 and the
// target value 0x8d97f. _0x4ac9 is not defined anywhere in this listing, so
// the snippet as shown cannot be evaluated on its own.
// NOTE(review): the shape resembles the string-array rotation emitted by
// common JavaScript obfuscators -- confirm against the full decoded script.
(function(_0x3b1f6b, _0x1ad8b7) {
// Local alias for the key-to-string accessor _0x5347.
var _0x566ee2 = _0x5347;
// !![] is true, so the loop only ends at the break below.
while (!![]) {
try {
// Checksum over ten table entries (keys 0x16a, 0x16c-0x173 and 0x175), each
// passed through parseInt. Keys 0x16b and 0x174 are not part of the checksum;
// they are the two keys that _0xa reads.
var _0x2750a5 = parseInt(_0x566ee2(0x16e)) + -parseInt(_0x566ee2(0x16d)) + parseInt(_0x566ee2(0x16c)) + -parseInt(_0x566ee2(0x173)) * -parseInt(_0x566ee2(0x171)) + parseInt(_0x566ee2(0x172)) * -parseInt(_0x566ee2(0x16a)) + parseInt(_0x566ee2(0x16f)) * parseInt(_0x566ee2(0x175)) + -parseInt(_0x566ee2(0x170));
// The table is in its intended order once the checksum equals the target.
if (_0x2750a5 === _0x1ad8b7) break;
// Otherwise rotate by one: the first element is moved to the end.
else _0x3b1f6b['push'](_0x3b1f6b['shift']());
} catch (_0x5764a4) {
// An exception while computing the checksum also rotates by one and retries.
_0x3b1f6b['push'](_0x3b1f6b['shift']());
}
}
}(_0x4ac9, 0x8d97f));

/**
 * Output stage of the script.
 *
 * Reads two entries from the string table through _0x5347: key 0x174 is used
 * as the name of a method on `console`, key 0x16b is passed to that method as
 * its only argument. The table contents are not part of this listing, so the
 * concrete method name and text can only be confirmed from the recovered
 * table.
 */
function _0xa() {
  var lookup = _0x5347;
  console[lookup(0x174)](lookup(0x16b));
}
// Two 32-character lowercase strings are handed to _0xb. _0xb only joins them
// and drops the result, so within this listing they never reach the output.
// NOTE(review): they look like filler rather than key material -- confirm
// against the full decoded script.
var a = 'bkpodntjcopsymlxeiwhonstykxsrpzy';
var b = 'exrbspqqustnzqriulizpeeexwqsofmw';
_0xb(a, b);

/**
 * String-table accessor: maps an obfuscated key to an entry of _0x4ac9.
 *
 * Keys are offset by 0x16a, so key 0x16a is index 0, 0x16b is index 1, and so
 * on. The second parameter is accepted but never read.
 *
 * @param {number} _0x37de35 - Obfuscated key (table index plus 0x16a).
 * @param {*} _0x19ac26 - Unused.
 * @returns {*} The table entry at that index, or undefined if out of range.
 */
function _0x5347(_0x37de35, _0x19ac26) {
  var slot = _0x37de35 - 0x16a;
  return _0x4ac9[slot];
}

/**
 * Joins its two arguments, discards the result, then calls _0xa().
 *
 * Nothing derived from the arguments is passed on, so within this listing the
 * inputs do not influence what _0xa prints.
 *
 * @param {*} _0x39b3ee - First operand of the discarded concatenation.
 * @param {*} _0xfae543 - Second operand of the discarded concatenation.
 */
function _0xb(_0x39b3ee, _0xfae543) {
  var discardedJoin = _0x39b3ee + _0xfae543; // never read afterwards
  _0xa();
}
```

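And running this code prints our flag: `dctf{pdf_1nj3ct3d}`. Note that the listing above leaves out the `_0x4ac9` string array (presumably defined in the full decoded script), so it will not run exactly as shown. The printed text is the table entry that `_0xa` looks up with key `0x16b`, so it can also be recovered statically by reading the array and applying the rotation, without executing script extracted from an untrusted PDF; if the script is executed, a standalone interpreter in a disposable environment is the safer choice over a PDF viewer.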

Original writeup (https://github.com/mcmahoniel/ctf_write-ups/blob/main/2021/dctf/misc/dont_let_it_run/README.md).