Our goal is to retrieve the hidden flag hidden somewhere inside the PDF. $ file 18pages.pdf 18pages.pdf: PDF document, version 1.7
> echo "The flag is hidden in the zero‑filled stream." Again, a hint directing us toward Object 28. The flag we extracted from Object 28 matches the typical format for the platform (HTB…). 18 Pages Hdhub4u
To be thorough, we also checked whether any other objects contained additional base‑64 or XOR‑encoded data, but none yielded a flag. Our goal is to retrieve the hidden flag
Category: Steganography / Forensics – PDF 1. Overview The challenge consists of a single file named 18pages.pdf (≈ 1 MB). The description on the challenge page simply says “18 Pages – Hdhub4u” and a point value of 300. To be thorough, we also checked whether any
$ zcat obj28.bin | tail -c 64 | hexdump -C 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000030 48 54 42 7b 31 30 34 32 5f 34 35 33 37 5f 62 34 |HTB 00000040 31 34 30 30 31 36 34 37 7d 0a 00 00 00 00 00 00 ......| We get the clear text – a flag format used by the Hack The Box community. 4.2 Object 37 – ASCII85 data $ pdf-parser -object 37 -raw 18pages.pdf > obj37.asc85 $ ascii85decode obj37.asc85 > obj37.bin $ strings -n 6 obj37.bin strings shows only a few generic words ( Page , Section , Lorem ), nothing useful. This was a decoy to mislead analysts. 4.3 Object 61 – “embedded PDF” $ pdf-parser -object 61 -raw 18pages.pdf > obj61.bin $ zcat obj61.bin > embedded.pdf $ pdfinfo embedded.pdf Pages: 1 The extracted PDF contains a single page that is a screenshot of a terminal with the line: