Kneel before Zod!
So last week we posted our first weekly challenge, a forensic challenge from our Zero Days CTF from a couple of years ago. Thanks to everyone for their submissions and solutions. We’ve decided to share the submission sent in to us by Leo Mulvany. Well done Leo. So hopefully everyone managed to solve the challenge yourselves, but let’s have a look at Leo’s submission.
By Leo Mulvany
The document zod.pdf contains only three words – ‘Kneel before Zod!’. This is a famous quote from the 1980 movie ‘Superman II’ with Terence Stamp playing the role of arch-villain General Zod.
This challenge is pretty straightforward once we figure out what we are looking for. The first thing to notice about the PDF is its size – 22.1MB for a 3-word document. Copying and pasting the same phrase to Word and saving as a PDF gives a document only 25.8KB in size, so there is obviously something hidden inside that contains the flag. Opening it with Adobe Acrobat, we can see that there is an attachment inside called “1000.pdf”
Double-click on that attachment and we find another pdf inside that called “999.pdf”.
Saving either of these files shows that they are marginally smaller than the original document, so we can presume that there are around a thousand attachments, one wrapped within another like the kids’ game ‘pass the parcel’, before we can get to the flag. So, this challenge can be done manually with just Acrobat, simply clicking the attachments and saving every 50th document when the software complains that there are too many tabs open.
In a CTF, it would take a lot of time to do manually but it is probably easy points and could be handed off to a weaker team-member this way. If your captain asks you to do this, then you know where you stand. And get us three cappuccinos when you’re finished. Good lad!
As I can imagine a certain lecturer rolling his eyes after this suggestion, we’d better come up with something a bit more technical. And next time there could be 10,000 attachments or even a million – who will have time to get the coffee then? After a bit of research, there is a Linux command-line tool called ‘pdf toolkit’ that can extract pdf attachments but it seems to be deprecated. However, there is a Windows version – more info at: https://www.pdflabs.com/tools/pdftk-the-pdf-toolkit/
Install it and apart from a crappy, limited GUI in the free version, we also get a CLI version (which uses the same commands as the Linux version, in case anyone wants to manually install that). The command format ‘pdftk filename.pdf unpack_files’ extracts the attachment and saves it in the current directory. So, if you didn’t save it earlier, extract the 1000.pdf file from the zod.pdf file:
pdftk zod.pdf unpack_files
We can then write a simple CLI for-loop to extract 999.pdf from 1000.pdf, 998.pdf from 999.pdf, etc… a thousand times, from 1000 to 1:
for /l %x in (1000, -1, 1) do pdftk %x.pdf unpack_files
Remember that saving a thousand files will take up over 10GB of disk space (22MB x 1000, decreasing by around half as the size reduces towards zero). After running the script, we find that there are indeed a thousand new files inside, the second-last one being ‘1.pdf’, from which the attachment ‘flag.pdf’ is extracted, which does indeed contain the flag:
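An added example, not part of Leo’s submission: a stdlib-only Python script that peels the nested attachments in memory instead of writing a thousand ever-smaller PDFs to disk. The regex-based locator is an assumption (it handles plainly written PDFs with a direct /Length, not every PDF), and wrap_in_pdf/build_chain are constructed scaffolding that stand in for the real zod.pdf so the script can be run offline.

```python
import re
import zlib

# Heuristic locator for an embedded-file stream: a dictionary containing
# /Type /EmbeddedFile (one nested << >> level allowed, e.g. /Params) followed by
# the stream keyword. No xref/object-stream parsing: fine for plainly written
# PDFs like the challenge file, not a general PDF parser (assumption).
EMBEDDED_RE = re.compile(rb"<<(?P<dict>(?:[^<>]|<<[^<>]*>>)*?/Type\s*/EmbeddedFile"
                         rb"(?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only

def extract_attachment(pdf: bytes):
    """Return the first embedded file's decoded bytes, or None if there is none."""
    m = EMBEDDED_RE.search(pdf)
    if m is None:
        return None
    start, length = m.end(), LENGTH_RE.search(m.group("dict"))
    if length:
        raw = pdf[start:start + int(length.group(1))]
    else:  # indirect or missing /Length: fall back to the endstream keyword
        raw = pdf[start:pdf.index(b"endstream", start)].rstrip(b"\r\n")
    if re.search(rb"/Filter\s*/FlateDecode", m.group("dict")):
        raw = zlib.decompress(raw)
    return raw

def unwrap(pdf: bytes, max_depth: int = 100_000) -> tuple:
    """Peel nested attachments in memory; returns (innermost bytes, layers removed)."""
    for depth in range(max_depth):
        inner = extract_attachment(pdf)
        if inner is None:
            return pdf, depth
        pdf = inner
    raise RuntimeError("nesting deeper than max_depth")

def wrap_in_pdf(name: bytes, payload: bytes) -> bytes:
    """Constructed minimal PDF (no xref, so not conformant) holding one attachment."""
    data = zlib.compress(payload)
    return (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /Names << /EmbeddedFiles "
            b"<< /Names [(" + name + b") 2 0 R] >> >> >>\nendobj\n"
            b"2 0 obj\n<< /Type /Filespec /F (" + name + b") /EF << /F 3 0 R >> >>\nendobj\n"
            b"3 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
            + str(len(data)).encode() + b" /Params << /Size " + str(len(payload)).encode()
            + b" >> >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF\n")

def build_chain(levels: int, flag_pdf: bytes) -> bytes:
    """Constructed stand-in for zod.pdf: levels.pdf wraps ... 1.pdf wraps flag.pdf."""
    pdf = wrap_in_pdf(b"flag.pdf", flag_pdf)  # this is 1.pdf
    for i in range(1, levels):
        pdf = wrap_in_pdf(f"{i}.pdf".encode(), pdf)  # (i+1).pdf wraps i.pdf
    return wrap_in_pdf(f"{levels}.pdf".encode(), pdf)  # the outer zod.pdf
```

To run it against the real challenge file, call unwrap(open("zod.pdf", "rb").read()) and write the returned bytes out as flag.pdf; only the innermost document ever touches disk.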