$ pdfinfo 18pages.pdf Title: 18 Pages Creator: LaTeX with hyperref Producer: pdfTeX-1.40.21 CreationDate: D:20260312123456-04'00' ModDate: D:20260312123500-04'00' Tagged: no Pages: 18 Encrypted: no Page size: 595.276 x 841.89 pts (A4) The file looks like an ordinary PDF with (as the title hints).
$ zcat obj28.bin | tail -c 64 | hexdump -C 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000030 48 54 42 7b 31 30 34 32 5f 34 35 33 37 5f 62 34 |HTB1042_4537_b4......| We get the clear text – a flag format used by the Hack The Box community. 4.2 Object 37 – ASCII85 data $ pdf-parser -object 37 -raw 18pages.pdf > obj37.asc85 $ ascii85decode obj37.asc85 > obj37.bin $ strings -n 6 obj37.bin strings shows only a few generic words ( Page , Section , Lorem ), nothing useful. This was a decoy to mislead analysts. 4.3 Object 61 – “embedded PDF” $ pdf-parser -object 61 -raw 18pages.pdf > obj61.bin $ zcat obj61.bin > embedded.pdf $ pdfinfo embedded.pdf Pages: 1 The extracted PDF contains a single page that is a screenshot of a terminal with the line:
| Obj # | Type | Size | Description | |------|--------|------|-------------| | 5 | stream | 832 | /Length 832 /Filter /FlateDecode – looks like a normal content stream | | 12 | stream | 56 | /Length 56 /Filter /FlateDecode – stream, empty page | | 28 | stream | 342 | /Length 342 /Filter /FlateDecode – contains a lot of zero bytes | | 37 | stream | 1024| /Length 1024 /Filter /ASCII85Decode – ASCII85‑encoded data | | 44 | metadata| 124| /Producer (pdfTeX‑1.40.21) – standard | | 61 | stream | 512 | /Length 512 /Filter /FlateDecode – starts with “%PDF‑1.4” inside |
A quick visual check shows a fairly clean document – a title page, a table of contents, and then a series of “chapter‑style” pages full of lorem‑ipsum text. Nothing suspicious at first glance. PDFs are made of a series of objects (streams, dictionaries, etc.). Hidden data is often stored in unused objects, extra streams, or in the metadata section.
That concludes the write‑up for the challenge on Hdhub4u. Happy hacking!