ch1se
  • Home
  • CERTIFICATES AND PARTICIPATIONS
    • HackTheBox - Cyber Apocalypse CTF 2025: Tales from Eldoria
    • The SecOps Group
  • bitsctf-2025-writeups
    • HotPause
  • BRONCOCTF-2025-WRITEUPS
    • theflagishere!
  • ACECTF-2025-WRITEUPS
    • The Mysterious Building
    • Social Circles
    • Broken Secrets
    • Cryptic Pixels
    • Tabs&Spaces
  • PEARLCTF-2025-WRITEUPS
    • Hidden Marker
    • SentMail
    • Van Gogh's GARBAGE hunt
  • 1753CTF-2025-WRITEUPS
    • Dude where is my car
    • Happy New Year!
    • Somewhere in Space
  • CITCTF-2025-WRITEUPS
    • Timesink
    • Throwback to the Future
    • No Country for Old Keys
  • BYUCTF-2025
    • Universal-ty
  • OSINT-WRITEUPS
    • gralhix
Powered by GitBook
On this page
  • Introduction
  • Step by Step Solution
  • Step 1: Checking Metadata
  • Step 2: Inspecting the PDF in a Browser
  • Step 3: Extracting Hidden Text
  • Step 4: Analyzing the PDF Structure
  • Step 5: Extracting the Flag
  • FLAG
  1. PEARLCTF-2025-WRITEUPS

SentMail

FORENSICS

PreviousHidden MarkerNextVan Gogh's GARBAGE hunt

Last updated 2 months ago

Introduction

Vortex prefers simplicity, but iamgreedy. I want more—(text & background), they don’t tell the whole story. Have you checked the footer? And don't forget, there's something unique about the file name. It might just be the key.

Step by Step Solution

Step 1: Checking Metadata

Since this is a PDF file, I started with some basic forensic techniques. The first tool I used was exiftool to extract metadata.

exiftool sentmail.pdf

Unfortunately, nothing useful was found.

Step 2: Inspecting the PDF in a Browser

Next, I opened the PDF in my browser and carefully examined it. The challenge description suggested looking at the footer. Translating the Morse code in the footer revealed a YouTube link, but the link was expired.

To retrieve the original content, I used the Wayback Machine. The archived link led to a Rickroll. Classic.

Step 3: Extracting Hidden Text

Since the PDF allowed highlighting invisible text, I suspected hidden content. Copying and pasting the text revealed two hidden messages:

First Hidden Message

Science ReportLorem ipsum dolor sit amet, consectetuer adipiscing elit
SixEight SevenFour SevenFour SevenZero SevenThree Threea Twof Twof SevenNine
Sixf SevenFive SevenFour SevenFive Twoe SixTwo SixFive Twof SevenEight SevenSix
FourSix Fivea Sixa Sixf ThreeFive FiveZero SixSeven FourSeven ThreeZero

Second Hidden Message

*##*#****###*#***###*#***###*****###**##**###*#***#*####**#*####*####**#*
##*####*###*#*#*###*#***###*#*#**#*###**##***#**##**#*#**#*####*####****
###*##**#***##**#*##*#**##*#*#**##*####**##*#*#*#*#*****##**###*#***###**#
#****

Decoding the Messages

  • The first message was a hexadecimal string that, when translated, revealed the same Rickroll YouTube link.

  • The second message was binary encoded using * = 0 and # = 1. Once decoded, it also pointed to the Rickroll link.

At this point, it was clear that the PDF was full of distractions. Time to dig deeper.

Step 4: Analyzing the PDF Structure

To check for any hidden content or embedded files, I used pdf-parser.

pdf-parser sentmail.pdf

Scrolling through the results, I found an interesting reference:

It showed flag.txt embedded in object 3 0 R.

Step 5: Extracting the Flag

Since flag.txt was stored within object 3, I extracted it using:

pdf-parser sentmail.pdf -o 3 -f -d flag.txt

After extraction:

The extracted file contained the final flag!

FLAG

pearl{I_N3v3r_Kn3w_PDF5_Att4ch}