Suninatas Game 31

Posted on Edited on In Views: Disqus: Word count in article: 1k Reading time ≈ 4 mins.

challenges

Game 31

1
2
3
* Info : This PDF file don't attack your PC. Just using for study.
Analyze this PDF and Find a Flag.
Auth Key = lowercase(MD5(Flag))
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
❯ pdfid Hello_SuNiNaTaS.pdf
PDFiD 0.2.10 Hello_SuNiNaTaS.pdf
 PDF Header: %PDF-1.4
 obj                   40
 endobj                40
 stream                11
 endstream             11
 xref                   2
 trailer                2
 startxref              2
 /Page                  1
 /Encrypt               0
 /ObjStm                0
 /JS                    1 <-
 /JavaScript            2 <-
 /AA                    0
 /OpenAction            0
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                0
 /EmbeddedFile          0 <-
 /XFA                   0
 /Colors > 2^24         0

❯ pdf-parser -h
 Options:
  -s SEARCH, --search=SEARCH
                        string to search in indirect objects (except streams)
  -f, --filter          pass stream object through filters (FlateDecode,
                        ASCIIHexDecode, ASCII85Decode, LZWDecode and
                        RunLengthDecode only)
  -o OBJECT, --object=OBJECT
                        id(s) of indirect object(s) to select, use comma (,)
                        to separate ids (version independent)
  -w, --raw             raw output for data and filters
  ...


❯ pdf-parser -s JavaScript Hello_SuNiNaTaS.pdf
This program has not been tested with this version of Python (3.14.2)
Should you encounter problems, please use Python version 3.12.2
obj 30 0
 Type:
 Referencing: 31 0 R, 38 0 R

  <<
    /JavaScript 31 0 R <-
    /EmbeddedFiles 38 0 R <- not scan in pdfid, but exist in pdf-parser, this is a nest object
  >>

obj 36 0
 Type:
 Referencing:

 ❯ pdf-parser -o 38 Hello_SuNiNaTaS.pdf
This program has not been tested with this version of Python (3.14.2)
Should you encounter problems, please use Python version 3.12.2
obj 38 0
 Type:
 Referencing: 40 0 R

  <<
    /Names
      <<
        /UF (object 2)
        /F (object 2)
        /Type /Filespec
        /EF 40 0 R
      >>
    ]
  >>

❯ pdf-parser -o 39 -f -d nested.pdf Hello_SuNiNaTaS.pdf
This program has not been tested with this version of Python (3.14.2)
Should you encounter problems, please use Python version 3.12.2
obj 39 0
 Type:
 Referencing:
 Contains stream <-

  <<
    /Subtype /a
    /Filter /FlateDecode
    /Length 565
    /DL 823
    /Params
      <<
        /Size 823
        /ModDate (D:20160525212830Z)
        /CreationDate (D:20160525213559Z)
      >>
  >>

❯ file nested.pdf
nested.pdf: PDF document, version 1.7, 1 page(s)

❯ pdfid nested.pdf
PDFiD 0.2.10 nested.pdf
 PDF Header: %PDF-1.7
 obj                    5
 endobj                 5
 stream                 1
 endstream              1
 xref                   1
 trailer                1
 startxref              1
 /Page                  1
 /Encrypt               1 <-!!
 /ObjStm                0
 /JS                    1 <-
 /JavaScript            1 <-
 /AA                    0
 /OpenAction            1 <-
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                0
 /EmbeddedFile          0
 /XFA                   0
 /Colors > 2^24         0

 ~/Downloads took 3s
❯ qpdf --decrypt nested.pdf decrypted.pdf
❯ pdfid decrypted.pdf
PDFiD 0.2.10 decrypted.pdf
 PDF Header: %PDF-1.7
 obj                    5
 endobj                 5
 stream                 1
 endstream              1
 xref                   1
 trailer                1
 startxref              1
 /Page                  1
 /Encrypt               0
 /ObjStm                0
 /JS                    1
 /JavaScript            1
 /AA                    0
 /OpenAction            1
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                0
 /EmbeddedFile          0
 /XFA                   0
 /Colors > 2^24         0

 ❯ pdf-parser -s js decrypted.pdf
This program has not been tested with this version of Python (3.14.2)
Should you encounter problems, please use Python version 3.12.2
obj 2 0
 Type: /Action
 Referencing: 4 0 R

  <<
    /JS 4 0 R <- Object 4 is a stream object
    /S /JavaScript
    /Type /Action
  >>

❯ pdf-parser -o 4 decrypted.pdf
This program has not been tested with this version of Python (3.14.2)
Should you encounter problems, please use Python version 3.12.2
obj 4 0
 Type:
 Referencing:
 Contains stream

  <<
    /Filter /FlateDecode
    /Length 45
  >>

❯ pdf-parser -o 4 -f -d dump decrypted.pdf

cat dump
"HERE IS FLAGS *********************"# omg flag is here, don't forget to md5 it
SunINatAsGOodWeLL!@#$

other way to waste time

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
~/Downloads
❯ pdf-parser -o 35 -f -w Hello_SuNiNaTaS.pdf
This program has not been tested with this version of Python (3.14.2)
Should you encounter problems, please use Python version 3.12.2
obj 35 0
 Type:
 Referencing: 36 0 R, 37 0 R
<</S 36 0 R/JS 37 0 R>>

  <<
    /S 36 0 R
    /JS 37 0 R
  >>

<</S 36 0 R/JS 37 0 R>>


~/Downloads
❯ pdf-parser -o 37 -f -w Hello_SuNiNaTaS.pdf
This program has not been tested with this version of Python (3.14.2)
Should you encounter problems, please use Python version 3.12.2
obj 37 0
 Type:
 Referencing: 1 4 R
 Contains stream

  <<
    /Length 5220
  >>

 No filters


~/Downloads
❯ pdf-parser -o 37 -d payload.js Hello_SuNiNaTaS.pdf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
var Base64 = {
  _keyStr: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
  decode: function (input) {
    for (var ah = 0; ah < input.length; ah++) {
      input = input.replace("'+'", "");
    }
    var rlLwarzv = "";
    var chr1, chr2, chr3;
    var enc1, enc2, enc3, enc4;
    var i = 0;
    input = input.replace(/[^A-Za-z0-9\+\/\=]/g, "");
    while (i < input.length) {
      enc1 = this._keyStr.indexOf(input.charAt(i++));
      enc2 = this._keyStr.indexOf(input.charAt(i++));
      enc3 = this._keyStr.indexOf(input.charAt(i++));
      enc4 = this._keyStr.indexOf(input.charAt(i++));
      chr1 = (enc1 << 2) | (enc2 >> 4);
      chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
      chr3 = ((enc3 & 3) << 6) | enc4;
      rlLwarzv = rlLwarzv + String.fromCharCode(chr1);
      if (enc3 != 64) {
        rlLwarzv = rlLwarzv + String.fromCharCode(chr2);
      }
      if (enc4 != 64) {
        rlLwarzv = rlLwarzv + String.fromCharCode(chr3);
      }
    }
    eval(rlLwarzv);
  },
};
Base64.decode(
  "'Vm0'+'wd2Qy'+'UXlW'+'a1pP'+'VldS'+'WFYw'+'ZG9WV'+'ll3W'+'kc5V'+'01Wb'+'DNXa2'+'M1VjF'+'Kc2JET'+'lhhMU'+'pUV'+'mpGS'+'2RHVk'+'dX'+'bFpOY'+'WtFe'+'FZtc'+'EdZV'+'1JIV'+'mtsa'+'QpSb'+'VJPW'+'W14R'+'00x'+'WnR'+'NWH'+'BsU'+'m1S'+'SVZ'+'tdF'+'dVZ'+'3Bp'+'Umx'+'wd1'+'ZXM'+'TRkM'+'VZX'+'WkZ'+'kYV'+'JGS'+'lVU'+'V3N'+'4Tk'+'ZaS'+'E5V'+'OVhR'+'WEJ'+'wVW'+'01Q'+'1dW'+'ZHNa'+'RFJa'+'ClYx'+'WlhWM'+'jVLVm1'+'FeVVtR'+'ldh'+'a1p'+'MVj'+'BaV'+'2RF'+'NVZ'+'PV2'+'hSV'+'0VK'+'VVd'+'XeG'+'FTM'+'VpX'+'V2t'+'kVm'+'EwN'+'VVD'+'azF'+'XV2'+'xoV'+'01X'+'aHZ'+'WMG'+'RLU'+'jJO'+'SVR'+'sWm'+'kKV'+'0do'+'NlZ'+'HeG'+'FZV'+'k5I'+'VWt'+'oU2'+'JXa'+'FdW'+'MFZ'+'LVl'+'ZkW'+'E1U'+'QlR'+'NV1'+'JYV'+'jI1'+'U2Fs'+'SllV'+'bkJEY'+'XpGV1'+'kwWm'+'9XR0'+'V4Y'+'0hK'+'V01'+'uTjN'+'aVmR'+'HUjJ'+'GRwp'+'WbGN'+'LWW'+'toQm'+'VsZH'+'NaR'+'FJa'+'Vms1'+'R1R'+'sWm'+'tZV'+'kp1U'+'WxkV'+'01GW'+'kxWb'+'FprV'+'0Ux'+'VVF'+'sUk'+'5WbH'+'BJVm'+'pKMG'+'ExZH'+'RWbk'+'pYYm'+'tKRV'+'lYcE'+'dWMW'+'t3Cl'+'dtOV'+'hSMF'+'Y1WV'+'VWN'+'FYw'+'MUh'+'Va3'+'hXT'+'VZw'+'WFl'+'6Rm'+'Fjd3'+'BqUj'+'J0T'+'FZXM'+'DFRM'+'kl4W'+'khOY'+'VJGS'+'mFWa'+'kZLU'+'1ZadG'+'RHOV'+'ZSbH'+'AxV'+'Vd4'+'a1Y'+'wMU'+'cKV'+'2t4'+'V2J'+'GcH'+'JWMG'+'RTU'+'jFw'+'SGR'+'FNV'+'diS'+'EJK'+'Vmp'+'KMF'+'lXS'+'XlS'+'WGh'+'UV0'+'dSW'+'Vlt'+'dGF'+'SVm'+'xzV'+'m5k'+'WFJ'+'sbD'+'VDb'+'VJI'+'T1Z'+'oU0'+'1GW'+'TFX'+'VlZ'+'hVT'+'FZeA'+'pTWH'+'BoU0'+'VwV1'+'lsaE'+'5lRl'+'pxUm'+'xkam'+'QzQn'+'FVak'+'owVE'+'ZaWE'+'1UUm'+'tNa'+'2w0'+'VjJ'+'4a1'+'ZtR'+'XlV'+'bGh'+'VVm'+'xae'+'lRr'+'WmF'+'kR1'+'ZJV'+'Gxw'+'V2E'+'zQj'+'VWa'+'ko0'+'CmE'+'xWX'+'lTb'+'lVL'+'VVc'+'1V1'+'ZXS'+'kZW'+'VFZ'+'WUm'+'tVN'+'VVG'+'RTl'+'QUT'+'09'",
);
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# in vim
# :set nobomb
# :set fileencoding=utf-8
# :wq

❯ node payload.js
Decoded content:
Vm0wd2QyVkZOVWRXV0doVVYwZG9WMVl3Wkc5V1JsbDNXa1JTVjFKdGVGWlZNakExVmpGYWRHVkli
RmROYmxGM1ZtMXplRmRIVmtWUgpiRlpwVW14d1VWZFdaRFJUTWsxNFZHNU9XQXBpUm5CWVdsZDRZ
V1ZXV25KVmEyUmFWakZLV0ZWdE5VOWhRWEJUWWxaS1ZWWkdVa05UCk1WWlhWMWhvV0dKR2NITlZi
WGh6VGxaYVNHUkhSbWhWV0VKVVdXMTBTMWRXV25SalJYUnBDazFWY0ZoWGExcHJWMnN3ZVdGR2FG
VlcKYkhBeldsZDRZVk5GTlZkYVJuQldWMFZLVlZkWE1UQlRNVlpIVjJ0a1dtVnJXbkJEYXpGV1kw
Wm9XR0V5YUV4V01HUkxWMVpXYzFacwpjR2tLVW01Q2IxZHNaRFJaVjFKSVZtdG9VRlp1UWxkV01G
WkxWbFprV0dSR1pHdE5WbHBJVjJ0YWIyRXhTWGRYYmtaRVlsVndXRll5CmRHOVhSMFY1WVVaU1Yx
SXphSEpWYlhNeFZqRldjd3BqUjJ0TFZXMTRkMkl4V2xkVmEyUlhUVlZzTkZadGVITlpWa3B5VjJ4
a1YySnUKUW5WVWJFVTVVRkU5UFE9PQ==

# 10 times of base64 decode

I am sorry, This is not Key~!!