SentMail

FORENSICS

Introduction

Vortex prefers simplicity, but iamgreedy. I want more—(text & background), they don’t tell the whole story. Have you checked the footer? And don't forget, there's something unique about the file name. It might just be the key.

Step by Step Solution

Step 1: Checking Metadata

Since this is a PDF file, I started with some basic forensic techniques. The first tool I used was exiftool to extract metadata.

exiftool sentmail.pdf

Unfortunately, nothing useful was found.

Step 2: Inspecting the PDF in a Browser

Next, I opened the PDF in my browser and carefully examined it. The challenge description suggested looking at the footer. Translating the Morse code in the footer revealed a YouTube link, but the link was expired.

To retrieve the original content, I used the Wayback Machine. The archived link led to a Rickroll. Classic.

Step 3: Extracting Hidden Text

Since the PDF allowed highlighting invisible text, I suspected hidden content. Copying and pasting the text revealed two hidden messages:

First Hidden Message

Science ReportLorem ipsum dolor sit amet, consectetuer adipiscing elit
SixEight SevenFour SevenFour SevenZero SevenThree Threea Twof Twof SevenNine
Sixf SevenFive SevenFour SevenFive Twoe SixTwo SixFive Twof SevenEight SevenSix
FourSix Fivea Sixa Sixf ThreeFive FiveZero SixSeven FourSeven ThreeZero

Second Hidden Message

*##*#****###*#***###*#***###*****###**##**###*#***#*####**#*####*####**#*
##*####*###*#*#*###*#***###*#*#**#*###**##***#**##**#*#**#*####*####****
###*##**#***##**#*##*#**##*#*#**##*####**##*#*#*#*#*****##**###*#***###**#
#****

Decoding the Messages

The first message was a hexadecimal string that, when translated, revealed the same Rickroll YouTube link.

The second message was binary encoded using * = 0 and # = 1. Once decoded, it also pointed to the Rickroll link.

At this point, it was clear that the PDF was full of distractions. Time to dig deeper.

Step 4: Analyzing the PDF Structure

To check for any hidden content or embedded files, I used pdf-parser.

pdf-parser sentmail.pdf

Scrolling through the results, I found an interesting reference:

It showed flag.txt embedded in object 3 0 R.

Step 5: Extracting the Flag

Since flag.txt was stored within object 3, I extracted it using:

pdf-parser sentmail.pdf -o 3 -f -d flag.txt

After extraction:

The extracted file contained the final flag!

FLAG

pearl{I_N3v3r_Kn3w_PDF5_Att4ch}

PreviousHidden Marker NextVan Gogh's GARBAGE hunt

Last updated 11 months ago

hashtagIntroduction

hashtagStep by Step Solution

hashtagStep 1: Checking Metadata

hashtagStep 2: Inspecting the PDF in a Browser

hashtagStep 3: Extracting Hidden Text

hashtagFirst Hidden Message

hashtagSecond Hidden Message

hashtagDecoding the Messages

hashtagStep 4: Analyzing the PDF Structure

hashtagStep 5: Extracting the Flag

hashtagFLAG