[Link to original writeup](https://wrecktheline.com/writeups/imaginary-2021/#Chimaera_Forensics)

# Chimaera (8 solves, 300 points)
by adragos

We are given a PDF file named chimaera.pdf. When we open it in a normal PDF viewer we only see a red flag.

Running the `file` command on it tells a different story:

```
$ file chimaera.pdf
chimaera.pdf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
```

So the file is also an ELF 64-bit binary; let's try to run it:

```
$ ./chimaera.pdf
ictf{thr33_
```

Looks like we got the first part of the flag.

Next, we can use pdfminer's pdf2txt to extract the text the PDF actually contains, in case characters are hidden beside the visible red flag:

```
$ pdf2txt chimaera.pdf
jctf{red_flags_are_fake_flags}

h34ds_l

```

And it looks like we got the second part of the flag: `h34ds_l` is hidden in the PDF text next to the fake flag. We now have `ictf{thr33_h34ds_l}`.

Running binwalk on the file:

```
$ binwalk chimaera.pdf

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 64-bit LSB executable, AMD x86-64, version 1 (SYSV)
600 0x258 Zip archive data, at least v1.0 to extract, compressed size: 5139, uncompressed size: 5139, name: chimaera.pdf

```

So there is a ZIP archive appended at offset 600. This is what makes the file a chimaera: `file` matched the ELF header at offset 0, PDF viewers tolerate junk before the `%PDF-` header, and ZIP readers locate the central directory from the end of the file, so one blob is a valid ELF, PDF and ZIP at once. Extracting the archive with 7-Zip gives only a PDF file containing the fake flag.

Let's look more closely at the bytes right after the stored PDF, where the fake flag ends:

```
00001490: 5f66 6c61 6773 7d50 4b03 040a 0000 000d _flags}PK.......
000014a0: 0000 0000 000d c613 9321 0000 000d 0000 .........!......
000014b0: 0000 0000 0009 0405 005d 0000 8000 0018 .........]......
000014c0: 9ac2 6601 8f45 607e c89c e051 6589 87dc ..f..E`~...Qe...
000014d0: ffff 072c 0000 504b 0102 0a00 0000 0000 ...,..PK........
```

Right after the fake flag there is a second local file header (`PK\x03\x04`), followed directly by the central directory (`PK\x01\x02`). It is a ZIP entry that 7-Zip did not extract, and its header looks corrupted. Let's isolate it:

```
00000000: 504b 0304 0a00 0000 0d00 0000 0000 0dc6 PK..............
00000010: 1393 2100 0000 0d00 0000 0000 0000 0904 ..!.............
00000020: 0500 5d00 0080 0000 189a c266 018f 4560 ..]........f..E`
00000030: 7ec8 9ce0 5165 8987 dcff ff07 2c00 00 ~...Qe......,..
```

The compression method field (bytes 8-9 of the local file header) reads 0x000d = 13. Per the APPNOTE table (section 4.4.5):

```
4.4.5 compression method: (2 bytes)

0 - The file is stored (no compression)
1 - The file is Shrunk
2 - The file is Reduced with compression factor 1
3 - The file is Reduced with compression factor 2
4 - The file is Reduced with compression factor 3
5 - The file is Reduced with compression factor 4
6 - The file is Imploded
7 - Reserved for Tokenizing compression algorithm
8 - The file is Deflated
9 - Enhanced Deflating using Deflate64(tm)
10 - PKWARE Data Compression Library Imploding (old IBM TERSE)
11 - Reserved by PKWARE
12 - File is compressed using BZIP2 algorithm
13 - Reserved by PKWARE
14 - LZMA
15 - Reserved by PKWARE
16 - IBM z/OS CMPSC Compression
17 - Reserved by PKWARE
18 - File is compressed using IBM TERSE (new)
19 - IBM LZ77 z Architecture
20 - deprecated (use method 93 for zstd)
93 - Zstandard (zstd) Compression
94 - MP3 Compression
95 - XZ Compression
96 - JPEG variant
97 - WavPack compressed data
98 - PPMd version I, Rev 1
99 - AE-x encryption marker (see APPENDIX E)
```

13 is "Reserved by PKWARE", so it is not a valid compression method. I changed the compression method to LZMA (method 14) because it was the closest one, and when decompressing with 7-Zip we get the last piece of the flag:

The patched ("good") fragment, with byte 8 changed from 0x0d to 0x0e:

```
00000000: 504b 0304 0a00 0000 0e00 0000 0000 0dc6 PK..............
00000010: 1393 2100 0000 0d00 0000 0000 0000 0904 ..!.............
00000020: 0500 5d00 0080 0000 189a c266 018f 4560 ..]........f..E`
00000030: 7ec8 9ce0 5165 8987 dcff ff07 2c00 00 ~...Qe......,..
```
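As an added example (not part of the original writeup), the carving, diagnosis and repair above as a Python script: it finds every local file header in a blob, reports whether the method code is one the APPNOTE table defines, patches code 13 to 14 and decodes the LZMA payload with Python's `lzma` module, checking the result against the header's CRC-32 so that a wrong guess at the method shows up as a mismatch rather than silent garbage. The 63-byte fragment is transcribed from the hex dump above; `build_lzma_entry` constructs a sample entry with the same layout so the repair path can be checked against a known plaintext. Function names and the APPNOTE section references are mine.

```python
"""Carve ZIP local file headers out of a blob, flag a compression method the
APPNOTE table does not define, patch it to 14 (LZMA) and decode the entry.
Added example for this writeup, not the challenge author's tooling."""
import lzma
import struct
import zlib

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"  # APPNOTE 4.3.7: 30-byte local file header
LOCAL_LEN = struct.calcsize(LOCAL_FMT)
METHOD_LZMA = 14
# APPNOTE 4.4.5 codes that name an algorithm; 7, 11, 13, 15, 17 are reserved, 20 deprecated.
DEFINED_METHODS = {0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 14, 16, 18, 19, 93, 94, 95, 96, 97, 98, 99}

# The 63-byte fragment, transcribed from the hex dump in the writeup.
CHALLENGE_FRAGMENT = bytes.fromhex(
    "504b 0304 0a00 0000 0d00 0000 0000 0dc6"
    "1393 2100 0000 0d00 0000 0000 0000 0904"
    "0500 5d00 0080 0000 189a c266 018f 4560"
    "7ec8 9ce0 5165 8987 dcff ff07 2c00 00"
)


def parse_local_header(blob, offset):
    """Decode the local file header at offset into a dict."""
    (sig, ver, flags, method, _mtime, _mdate, crc, csize, usize,
     nlen, xlen) = struct.unpack_from(LOCAL_FMT, blob, offset)
    if sig != LOCAL_SIG:
        raise ValueError(f"no local file header at {offset:#x}")
    data_start = offset + LOCAL_LEN + nlen + xlen
    return {"offset": offset, "version": ver, "flags": flags, "method": method,
            "crc32": crc, "csize": csize, "usize": usize,
            "name": blob[offset + LOCAL_LEN:offset + LOCAL_LEN + nlen],
            "data": blob[data_start:data_start + csize]}


def find_local_headers(blob):
    """Yield every carvable local header, including entries the central directory
    never references and that unzip/7-Zip therefore never list."""
    pos = blob.find(LOCAL_SIG)
    while 0 <= pos <= len(blob) - LOCAL_LEN:
        yield parse_local_header(blob, pos)
        pos = blob.find(LOCAL_SIG, pos + 1)


def parse_lzma_payload(payload):
    """Split a method-14 payload (APPNOTE 5.8): 2-byte encoder version, 2-byte
    property length, the LZMA properties, then the raw LZMA1 stream."""
    major, minor, plen = struct.unpack_from("<BBH", payload, 0)
    lc_lp_pb, dict_size = struct.unpack("<BI", payload[4:4 + plen])
    pb, rest = divmod(lc_lp_pb, 45)  # props byte = (pb * 5 + lp) * 9 + lc
    lp, lc = divmod(rest, 9)
    props = {"version": (major, minor), "lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size}
    return props, payload[4 + plen:]


def repair_method(blob, offset, method=METHOD_LZMA):
    """Return blob with the 2-byte method field (header offset + 8) rewritten."""
    fixed = bytearray(blob)
    struct.pack_into("<H", fixed, offset + 8, method)
    return bytes(fixed)


def decode_lzma_entry(hdr):
    """Decode a method-14 entry; flag bit 1 (EOS marker) is clear in the fragment,
    so the output is bounded by the header's uncompressed size instead."""
    props, stream = parse_lzma_payload(hdr["data"])
    filt = {"id": lzma.FILTER_LZMA1, "lc": props["lc"], "lp": props["lp"],
            "pb": props["pb"], "dict_size": props["dict_size"]}
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=[filt])
    return dec.decompress(stream, max_length=hdr["usize"]), props


def recover_entry(blob, offset):
    """Patch reserved code 13 to 14, decode, and verify the header CRC-32."""
    hdr = parse_local_header(blob, offset)
    if hdr["method"] == 13:  # reserved by PKWARE; 14 is the nearest defined method
        blob = repair_method(blob, offset)
        hdr = parse_local_header(blob, offset)
    if hdr["method"] != METHOD_LZMA:
        raise ValueError(f"method {hdr['method']} is not handled here")
    data, props = decode_lzma_entry(hdr)
    return {"header": hdr, "props": props, "data": data,
            "crc_ok": zlib.crc32(data) == hdr["crc32"]}


def build_lzma_entry(plain, method=METHOD_LZMA):
    """Constructed sample: bare local header plus an LZMA payload laid out like the
    fragment (encoder version 9.4, lc=3 lp=0 pb=2, 8 MiB dictionary)."""
    filt = {"id": lzma.FILTER_LZMA1, "lc": 3, "lp": 0, "pb": 2, "dict_size": 1 << 23}
    stream = lzma.compress(plain, format=lzma.FORMAT_RAW, filters=[filt])
    props = struct.pack("<BI", (2 * 5 + 0) * 9 + 3, 1 << 23)
    payload = struct.pack("<BBH", 9, 4, len(props)) + props + stream
    header = struct.pack(LOCAL_FMT, LOCAL_SIG, 10, 0, method, 0, 0,
                         zlib.crc32(plain), len(payload), len(plain), 0, 0)
    return header + payload


if __name__ == "__main__":
    for hdr in find_local_headers(CHALLENGE_FRAGMENT):
        state = "defined" if hdr["method"] in DEFINED_METHODS else "NOT DEFINED"
        print(f"local header @{hdr['offset']:#x}: method={hdr['method']} ({state}) "
              f"csize={hdr['csize']} usize={hdr['usize']} crc32={hdr['crc32']:#010x}")
    res = recover_entry(CHALLENGE_FRAGMENT, 0)
    print("props:", res["props"], "decoded:", res["data"], "crc ok:", res["crc_ok"])
    demo = recover_entry(build_lzma_entry(b"1k3_kerber0s}", method=13), 0)
    print("constructed sample:", demo["data"], "crc ok:", demo["crc_ok"])
```

Running it on the whole chimaera.pdf instead of the carved fragment lists both local headers, the stored PDF entry and the stray method-13 one, which is the check to run whenever an archive carved out of a polyglot extracts fewer files than its signatures suggest. The CRC-32 comparison is what turns "the closest method in the table" from a guess into a verified result.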

The third piece of the flag: `1k3_kerber0s}`

The final flag: `ictf{thr33_h34ds_l1k3_kerber0s}`
