  • 🚩Zeyu's CTF Writeups
MetaPDF


Last updated 3 years ago


Putting the PDF into pdf-parser.py, I found that there was an abnormally long object.

It appeared to have lots of ASCII characters encoded in hex, so I extracted the hex characters.

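from Crypto.Util.number import long_to_bytes

# Hex characters extracted from the long PDF object.
stuff = 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

# Print every decoded byte except NULs.
for char in long_to_bytes(stuff):
    if char:
        print(chr(char), end='')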

This gave me a base64 string:

amo9fltdO2pqPXtfX186KytqaiwkJCQkOighW10rIiIpW2pqXSxfXyQ6KytqaiwkXyRfOighW10rIiIpW2pqXSxfJF86KytqaiwkXyQkOih7fSsiIilbampdLCQkXyQ6KGpqW2pqXSsiIilbampdLF8kJDorK2pqLCQkJF86KCEiIisiIilbampdLCRfXzorK2pqLCRfJDorK2pqLCQkX186KHt9KyIiKVtqal0sJCRfOisramosJCQkOisramosJF9fXzorK2pqLCRfXyQ6Kytqan07amouJF89KGpqLiRfPWpqKyIiKVtqai4kXyRdKyhqai5fJD1qai4kX1tqai5fXyRdKSsoamouJCQ9KGpqLiQrIiIpW2pqLl9fJF0pKygoIWpqKSsiIilbamouXyQkXSsoamouX189amouJF9bamouJCRfXSkrKGpqLiQ9KCEiIisiIilbamouX18kXSkrKGpqLl89KCEiIisiIilbamouXyRfXSkramouJF9bamouJF8kXStqai5fXytqai5fJCtqai4kO2pqLiQkPWpqLiQrKCEiIisiIilbamouXyQkXStqai5fXytqai5fK2pqLiQramouJCQ7amouJD0oamouX19fKVtqai4kX11bamouJF9dO2pqLiQoamouJChqai4kJCsiXCIiKyJcXCIramouX18kK2pqLiQkXytqai4kJF8ramouJF8kXysiXFwiK2pqLl9fJCtqai4kJF8ramouXyRfKyJcXCIramouJF9fK2pqLl9fXysiXFwiK2pqLl9fJCtqai4kJF8ramouX19fK2pqLiRfJF8rIlxcIitqai5fXyQramouJCQkK2pqLl9fJCsoIVtdKyIiKVtqai5fJF9dK2pqLl8kK2pqLiRfJF8ramouJCRfJCsiXFwiK2pqLiRfXytqai5fX18rIj1cXCIramouJF9fK2pqLl9fXysiXFxcIlxcIitqai5fXyQramouJCQkK2pqLl9fJCtqai4kXyRfK2pqLiQkX18ramouX18ramouJCQkJCsieyIramouJF9fK2pqLiQkJCQramouJF9fXytqai5fJF8ramouJF8kJCtqai4kX18ramouJCRfJCtqai4kXyRfK2pqLiQkX18ramouXyQkK2pqLiRfJCtqai4kJCQramouJF8kJCtqai4kXyRfK2pqLl8kXytqai4kJF8ramouJF9fXytqai4kJCRfK2pqLl8kXytqai4kXyQkK2pqLiQkJF8ramouJF9fK2pqLiRfJCQramouJF8kK2pqLl9fJCtqai4kJF8ramouJCRfXytqai4kX19fK2pqLiRfJF8ramouJCRfXytqai5fX18ramouXyRfKyJ9XFxcIjtcXCIramouX18kK2pqLl8kXysiXFwiK2pqLl9fJCtqai4kJF8ramouJCRfK2pqLiRfJF8rIlxcIitqai5fXyQramouJCRfK2pqLl8kXysiXFwiK2pqLiRfXytqai5fX18rIlxcIitqai5fXyQramouJF8kK2pqLl9fXytqai4kJCRfKyghW10rIiIpW2pqLl8kX10rKCFbXSsiIilbamouXyRfXStqai5fJCsiXFwiK2pqLiRfXytqai5fX18rIj1cXCIramouJF9fK2pqLl9fXysiXFwiK2pqLl9fJCtqai4kJF8ramouX19fK2pqLiRfJF8rIlxcIitqai5fXyQramouJCQkK2pqLl9fJCsoIVtdKyIiKVtqai5fJF9dK2pqLl8kK2pqLiRfJF8ramouJCRfJCsiLlxcIitqai5fXyQramouJCRfK2pqLl8kJCtqai5fK2pqLiRfJCQrIlxcIitqai5fXyQramouJCRfK2pqLl8kJCtqai5fXysiXFwiK2pqLl9fJCtqai4kJF8ramouXyRfKyIoIitqai5fX18rIiwiK2pqLiRfXysiKTtcXCIramouJF9fK2pqLl9fXysiXFwiK2pqLl9fJCtq
ai5fJF8ramouJF8kXysoIVtdKyIiKVtqai5fJF9dK2pqLiQkJF8rIlxcIitqai5fXyQramouJCRfK2pqLl8kXytqai5fXysiKFxcIitqai5fXyQramouJF8kK2pqLl9fXytqai4kJCRfKyghW10rIiIpW2pqLl8kX10rKCFbXSsiIilbamouXyRfXStqai5fJCsiKTsiKyJcIiIpKCkpKCk7

Which decoded to obfuscated JavaScript:

jj=~[];jj={___:++jj,$$$$:(![]+"")[jj],__$:++jj,$_$_:(![]+"")[jj],_$_:++jj,$_$$:({}+"")[jj],$$_$:(jj[jj]+"")[jj],_$$:++jj,$$$_:(!""+"")[jj],$__:++jj,$_$:++jj,$$__:({}+"")[jj],$$_:++jj,$$$:++jj,$___:++jj,$__$:++jj};jj.$_=(jj.$_=jj+"")[jj.$_$]+(jj._$=jj.$_[jj.__$])+(jj.$$=(jj.$+"")[jj.__$])+((!jj)+"")[jj._$$]+(jj.__=jj.$_[jj.$$_])+(jj.$=(!""+"")[jj.__$])+(jj._=(!""+"")[jj._$_])+jj.$_[jj.$_$]+jj.__+jj._$+jj.$;jj.$$=jj.$+(!""+"")[jj._$$]+jj.__+jj._+jj.$+jj.$$;jj.$=(jj.___)[jj.$_][jj.$_];jj.$(jj.$(jj.$$+"\""+"\\"+jj.__$+jj.$$_+jj.$$_+jj.$_$_+"\\"+jj.__$+jj.$$_+jj._$_+"\\"+jj.$__+jj.___+"\\"+jj.__$+jj.$$_+jj.___+jj.$_$_+"\\"+jj.__$+jj.$$$+jj.__$+(![]+"")[jj._$_]+jj._$+jj.$_$_+jj.$$_$+"\\"+jj.$__+jj.___+"=\\"+jj.$__+jj.___+"\\\"\\"+jj.__$+jj.$$$+jj.__$+jj.$_$_+jj.$$__+jj.__+jj.$$$$+"{"+jj.$__+jj.$$$$+jj.$___+jj._$_+jj.$_$$+jj.$__+jj.$$_$+jj.$_$_+jj.$$__+jj._$$+jj.$_$+jj.$$$+jj.$_$$+jj.$_$_+jj._$_+jj.$$_+jj.$___+jj.$$$_+jj._$_+jj.$_$$+jj.$$$_+jj.$__+jj.$_$$+jj.$_$+jj.__$+jj.$$_+jj.$$__+jj.$___+jj.$_$_+jj.$$__+jj.___+jj._$_+"}\\\";\\"+jj.__$+jj._$_+"\\"+jj.__$+jj.$$_+jj.$$_+jj.$_$_+"\\"+jj.__$+jj.$$_+jj._$_+"\\"+jj.$__+jj.___+"\\"+jj.__$+jj.$_$+jj.___+jj.$$$_+(![]+"")[jj._$_]+(![]+"")[jj._$_]+jj._$+"\\"+jj.$__+jj.___+"=\\"+jj.$__+jj.___+"\\"+jj.__$+jj.$$_+jj.___+jj.$_$_+"\\"+jj.__$+jj.$$$+jj.__$+(![]+"")[jj._$_]+jj._$+jj.$_$_+jj.$$_$+".\\"+jj.__$+jj.$$_+jj._$$+jj._+jj.$_$$+"\\"+jj.__$+jj.$$_+jj._$$+jj.__+"\\"+jj.__$+jj.$$_+jj._$_+"("+jj.___+","+jj.$__+");\\"+jj.$__+jj.___+"\\"+jj.__$+jj._$_+jj.$_$_+(![]+"")[jj._$_]+jj.$$$_+"\\"+jj.__$+jj.$$_+jj._$_+jj.__+"(\\"+jj.__$+jj.$_$+jj.___+jj.$$$_+(![]+"")[jj._$_]+(![]+"")[jj._$_]+jj._$+");"+"\"")())();

When pasted into the console, this alerts "yact". If we remove the final (), the function is shown instead of being run.

The flag is yactf{4f82b4dac357ba268e2be4b516c8ac02}
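
The last step above recovers the hidden source by letting the console run the decoder. As an added example (not part of the original writeup), the same source can be recovered statically, without evaluating any of the script; this goes beyond the single payload above and handles any script with the same layout. `jjdecode`, `unescape`, `SYMBOLS` and the sample string are names and data made up for this illustration, and the symbol table is read off the `jj={...}` header shown above.

```python
import re

# jjencode's fixed symbol table: property name -> the text it evaluates to.
SYMBOLS = {
    "___": "0", "__$": "1", "_$_": "2", "_$$": "3", "$__": "4",
    "$_$": "5", "$$_": "6", "$$$": "7", "$___": "8", "$__$": "9",
    "$_$_": "a", "$_$$": "b", "$$__": "c", "$$_$": "d", "$$$_": "e",
    "$$$$": "f", "_$": "o", "__": "t", "_": "u", "$$": "return",
}
# Legacy JS octal escape, \uXXXX, or a backslash in front of any other character.
ESCAPE = re.compile(r"\\(?:([0-3][0-7]{0,2}|[4-7][0-7]?)|u([0-9a-fA-F]{4})|(.))", re.S)


def unescape(text):
    """Resolve string escapes the way the JS parser would, evaluating nothing."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 8))
        return chr(int(m.group(2), 16)) if m.group(2) else m.group(3)
    return ESCAPE.sub(repl, text)


def jjdecode(script, var="jj"):
    """Statically recover the source hidden in a jjencode-style script."""
    v = re.escape(var)  # var is the global name the encoder was given ("jj" here)
    call = re.search(rf"{v}\.\$\({v}\.\$\((.*)\)\(\)\)\(\);?\s*$", script, re.S)
    if not call:
        raise ValueError("no jjencode payload call found")
    token = re.compile(
        rf'"((?:[^"\\]|\\.)*)"|(\(!\[\]\+""\)\[{v}\._\$_\])|{v}\.([$_]+)')
    # Inner stage: concatenate literals, the "false"[2] expression and symbols.
    stage1 = "".join("l" if ell else SYMBOLS[sym] if sym else unescape(lit)
                     for lit, ell, sym in token.findall(call.group(1)))
    body = re.fullmatch(r'return\s*"(.*)"', stage1, re.S)
    if not body:
        raise ValueError("unexpected inner expression: " + stage1[:40])
    # Outer stage: the string the inner Function would return is the real source.
    return unescape(body.group(1))


# Constructed sample, not the challenge payload. The fixed jjencode header is
# left out because only the final call carries the hidden source.
SAMPLE = (
    r'jj.$(jj.$(jj.$$+"\""+jj.$_$_+(![]+"")[jj._$_]+jj.$$$_+"\\"+jj.__$+jj.$$_'
    r'+jj._$_+jj.__+"(\\\""+jj.$$$$+jj.__$+"\\\");"+"\"")())();'
)

if __name__ == "__main__":
    print(jjdecode(SAMPLE))
```

Pass the whole decoded script as `script`; the header is skipped because the search starts at the first `jj.$(jj.$(` call.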