Suninatas Game 31

Posted on Edited on In Views: Disqus:

challenges

Game 31

Challenge statement:

1
2
3
* Info : This PDF file don't attack your PC. Just using for study.
Analyze this PDF and Find a Flag.
Auth Key = lowercase(MD5(Flag))

Initial PDF triage

1
2
3
4
5
6
$ pdfid Hello_SuNiNaTaS.pdf
...
/JS                    1
/JavaScript            2
/EmbeddedFile          0
...

pdfid shows JavaScript indicators, but the interesting part is a nested object tree.

Main solve path (works)

Search for JavaScript references and inspect container objects:

1
2
3
4
5
6
$ pdf-parser -s JavaScript Hello_SuNiNaTaS.pdf
obj 30 0
  <<
    /JavaScript 31 0 R
    /EmbeddedFiles 38 0 R
  >>

Follow embedded-file references:

1
2
3
4
5
6
7
8
9
$ pdf-parser -o 38 Hello_SuNiNaTaS.pdf
obj 38 0
Referencing: 40 0 R

$ pdf-parser -o 39 -f -d nested.pdf Hello_SuNiNaTaS.pdf
obj 39 0
Contains stream
/Subtype /a
/Filter /FlateDecode

Now analyze extracted nested.pdf:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$ pdfid nested.pdf
...
/Encrypt               1
/JS                    1
/JavaScript            1
/OpenAction            1
...

$ qpdf --decrypt nested.pdf decrypted.pdf

$ pdf-parser -s js decrypted.pdf
obj 2 0
  <<
    /JS 4 0 R
    /S /JavaScript
  >>

$ pdf-parser -o 4 -f -d dump decrypted.pdf
$ cat dump
"HERE IS FLAGS *********************"

Flag:

SunINatAsGOodWeLL!@#$

Decoy path (time sink)

You can also extract object 37 as JavaScript payload:

1
2
3
4
$ pdf-parser -o 37 -d payload.js Hello_SuNiNaTaS.pdf
$ node payload.js
Decoded content:
Vm0wd2QyVkZOVWRXV0doVVYwZG9W...

Repeated Base64 decoding eventually gives:

1
I am sorry, This is not Key~!!

So object 37 is a distraction; the real flag is in the decrypted nested PDF JavaScript stream.