Tags: forensics crypto binwalk cryptography 


# Teg Rads - Forensics

Author - [Sanjay Baskaran](http://github.com/sanjaybaskaran01)

Tag : Forensics , Cryptography

Requirements: Binwalk

(If any of the images aren't loading, please check the original [writeup](https://github.com/csivitu/CTF-Write-ups/tree/master/Deconstruct.f/Forensics/Teg%20Rads))

## Source

Most of the times, what you seek is deep within the user. It starts with a writer, carries on with an actor and ends with a producer.

## Exploit

Investigating the given pdf `fdp.pdf`, in an attempt to find hidden texts in the pdf trying `CTRL+A` gives us


`dsc{f0r3n51x_15_fun} dsc{n0t_h3r3_31th3r} 1 dsc{n1c3_try} 1 dsc{f00t_n0t3} would just be too obvious`
and ofcourse none of them were the flags.

Running the command `strings fdp.pdf` gave us


which seem to be a base64 encoded string, since the description of the challenge says `It starts with a writer, carries on with an actor and ends with a producer` this meant that the producer is the last part of the flag


and decoding it got us `b4nn3d}` , which looks like the last part of the flag! diving more into the `strings` of the file we see


Which seems to be an URI encoded component and decoding it gives us


`dsc{public_` the first part of the flag.

Scrolling down further on strings we find the third part of the flag


Decoding the binary we get `0f_`


This text in strings informs us that there are 5 parts of the flag.


and towards the end of the `strings` we find this


which gives us the 2nd part of the flag and tells us that there is a hidden directory containing 4th part of the flag.

Decoding the 2nd part gives us `d15pl4y_`


Running binwalk on the pdf and navigating to the 4th part of the flag we find a text file


Decoding the 4th part of the flag in Vigenere Cipher with key as "alexa" (Since alexa is creator of the PDF)



We finally get all parts of the flag!

The flag is:


Original writeup (https://github.com/csivitu/CTF-Write-ups/tree/master/Deconstruct.f/Forensics/Teg%20Rads).