$ zcat obj28.bin | tail -c 64 | hexdump -C 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000030 48 54 42 7b 31 30 34 32 5f 34 35 33 37 5f 62 34 |HTB1042_4537_b4......| We get the clear text – a flag format used by the Hack The Box community. 4.2 Object 37 – ASCII85 data $ pdf-parser -object 37 -raw 18pages.pdf > obj37.asc85 $ ascii85decode obj37.asc85 > obj37.bin $ strings -n 6 obj37.bin strings shows only a few generic words ( Page , Section , Lorem ), nothing useful. This was a decoy to mislead analysts. 4.3 Object 61 – “embedded PDF” $ pdf-parser -object 61 -raw 18pages.pdf > obj61.bin $ zcat obj61.bin > embedded.pdf $ pdfinfo embedded.pdf Pages: 1 The extracted PDF contains a single page that is a screenshot of a terminal with the line:
To be thorough, we also checked whether any other objects contained additional base‑64 or XOR‑encoded data, but none yielded a flag.
$ pdf-parser -dump 18pages.pdf > pdf_objects.txt The dump revealed the following interesting points: 18 Pages Hdhub4u
A quick visual check shows a fairly clean document – a title page, a table of contents, and then a series of “chapter‑style” pages full of lorem‑ipsum text. Nothing suspicious at first glance. PDFs are made of a series of objects (streams, dictionaries, etc.). Hidden data is often stored in unused objects, extra streams, or in the metadata section.
$ pdfinfo 18pages.pdf Title: 18 Pages Creator: LaTeX with hyperref Producer: pdfTeX-1.40.21 CreationDate: D:20260312123456-04'00' ModDate: D:20260312123500-04'00' Tagged: no Pages: 18 Encrypted: no Page size: 595.276 x 841.89 pts (A4) The file looks like an ordinary PDF with (as the title hints). $ zcat obj28
Objects , 37 , and 61 are the most promising candidates for hidden data. 4. Analyzing the suspicious streams 4.1 Object 28 – “mostly zeros” $ pdf-parser -object 28 -raw 18pages.pdf > obj28.bin $ hexdump -C obj28.bin | head 00000000 78 9c 0b 00 00 00 02 00 00 00 00 00 00 00 00 00 |x...............| ... The stream is a Flate‑compressed block that, once decompressed, yields a 2048‑byte buffer full of 0x00 except for a few non‑zero bytes at the very end:
| Obj # | Type | Size | Description | |------|--------|------|-------------| | 5 | stream | 832 | /Length 832 /Filter /FlateDecode – looks like a normal content stream | | 12 | stream | 56 | /Length 56 /Filter /FlateDecode – stream, empty page | | 28 | stream | 342 | /Length 342 /Filter /FlateDecode – contains a lot of zero bytes | | 37 | stream | 1024| /Length 1024 /Filter /ASCII85Decode – ASCII85‑encoded data | | 44 | metadata| 124| /Producer (pdfTeX‑1.40.21) – standard | | 61 | stream | 512 | /Length 512 /Filter /FlateDecode – starts with “%PDF‑1.4” inside | PDFs are made of a series of objects
That concludes the write‑up for the challenge on Hdhub4u. Happy hacking!