PDF - Embedded

題目資訊

Root Me 的 medium 題 PDF - Embedded，本題敘述如下。

Find the hidden information in this PDF file.

首先題目給了一個 pdf 檔案，且標籤寫 Hide-and-seek，檔案內容本身看起來沒什麼問題，所以先根據平常的步驟解題。

解題思路

1. file

epreuve_BAC_2004.pdf: PDF document, version 1.3, 12 page(s)

確認題目檔案是 pdf 檔

2. exiftool

$ exiftool epreuve_BAC_2004.pdf
ExifTool Version Number         : 13.10
File Name                       : epreuve_BAC_2004.pdf
Directory                       : .
File Size                       : 2.4 MB
File Modification Date/Time     : 2017:06:01 23:22:44+08:00
File Access Date/Time           : 2025:10:06 22:44:53+08:00
File Inode Change Date/Time     : 2025:10:06 22:44:53+08:00
File Permissions                : -rw-rw-r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.3
Linearized                      : No
Page Count                      : 12
Modify Date                     : 2017:06:11 11:56:32+02:00
Create Date                     : 2017:06:11 11:56:32+02:00
Producer                        : GPL Ghostscript 9.06
Title                           : bac2004.pdf
Creator                         : PScript5.dll Version 5.2.2
Author                          : thomas

確認沒有甚麼額外資訊

3. binwalk

$ binwalk epreuve_BAC_2004.pdf

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PDF document, version: "1.3"
73            0x49            Zlib compressed data, default compression
261           0x105           Zlib compressed data, default compression
451           0x1C3           Zlib compressed data, default compression
641           0x281           Zlib compressed data, default compression
831           0x33F           Zlib compressed data, default compression
1021          0x3FD           Zlib compressed data, default compression
1211          0x4BB           Zlib compressed data, default compression
1401          0x579           Zlib compressed data, default compression
1591          0x637           Zlib compressed data, default compression
1781          0x6F5           Zlib compressed data, default compression
1971          0x7B3           Zlib compressed data, default compression
2161          0x871           Zlib compressed data, default compression
5021          0x139D          Zlib compressed data, default compression
260496        0x3F990         Zlib compressed data, default compression
540256        0x83E60         Zlib compressed data, default compression
683550        0xA6E1E         Zlib compressed data, default compression
899938        0xDBB62         Zlib compressed data, default compression
1095225       0x10B639        Zlib compressed data, default compression
1205948       0x1266BC        Zlib compressed data, default compression
1334697       0x145DA9        Zlib compressed data, default compression
1528474       0x17529A        Zlib compressed data, default compression
1651840       0x193480        Zlib compressed data, default compression
1923915       0x1D5B4B        Zlib compressed data, default compression
2167502       0x2112CE        Zlib compressed data, default compression
2306578       0x233212        Zlib compressed data, default compression

看到有許多壓縮資料，於是提取來看看

解法

首先提取壓縮資料

$ binwalk -e epreuve_BAC_2004.pdf

然後看到一整陀檔案

$ ls
105          17529A       233212       49        7B3
105.zlib     17529A.zlib  233212.zlib  49.zlib   7B3.zlib
10B639       193480       281          4BB       83E60
10B639.zlib  193480.zlib  281.zlib     4BB.zlib  83E60.zlib
1266BC       1C3          33F          579       871
1266BC.zlib  1C3.zlib     33F.zlib     579.zlib  871.zlib
139D         1D5B4B       3F990        637       A6E1E
139D.zlib    1D5B4B.zlib  3F990.zlib   637.zlib  A6E1E.zlib
145DA9       2112CE       3FD          6F5       DBB62
145DA9.zlib  2112CE.zlib  3FD.zlib     6F5.zlib  DBB62.zlib

其中只有一些是 ASCII text

$ file *        
1C3:         ASCII text
1C3.zlib:    zlib compressed data
1D5B4B:      data
1D5B4B.zlib: zlib compressed data
3F990:       data
3F990.zlib:  zlib compressed data
3FD:         ASCII text
3FD.zlib:    zlib compressed data
4BB:         ASCII text
4BB.zlib:    zlib compressed data
6F5:         ASCII text
6F5.zlib:    zlib compressed data
7B3:         ASCII text
7B3.zlib:    zlib compressed data
10B639:      data
10B639.zlib: zlib compressed data
33F:         ASCII text
33F.zlib:    zlib compressed data
49:          ASCII text
49.zlib:     zlib compressed data
83E60:       data
83E60.zlib:  zlib compressed data
105:         ASCII text
105.zlib:    zlib compressed data
139D:        data
139D.zlib:   zlib compressed data
145DA9:      data
145DA9.zlib: zlib compressed data
281:         ASCII text
281.zlib:    zlib compressed data
579:         ASCII text
579.zlib:    zlib compressed data
637:         ASCII text
637.zlib:    zlib compressed data
871:         ASCII text
871.zlib:    zlib compressed data
1266BC:      data
1266BC.zlib: zlib compressed data
2112CE:      data
2112CE.zlib: zlib compressed data
17529A:      data
17529A.zlib: zlib compressed data
193480:      data
193480.zlib: zlib compressed data
233212:      ASCII text
233212.zlib: zlib compressed data
A6E1E:       data
A6E1E.zlib:  zlib compressed data
DBB62:       data
DBB62.zlib:  zlib compressed data

於是把有文字的開來看看，發現有一個檔案 233212 看起來很可疑

/9j/4AAQSkZJRgABAQEAYABgAAD//gA8Q1JFQVRPUjogZ2QtanBlZyB2MS4wICh1c2luZyBJSkcg
SlBFRyB2NjIpLCBxdWFsaXR5ID0gOTUKAP/bAEMAAgEBAgEBAgICAgICAgIDBQMDAwMDBgQEAwUH
BgcHBwYHBwgJCwkICAoIBwcKDQoKCwwMDAwHCQ4PDQwOCwwMDP/bAEMBAgICAwMDBgMDBgwIBwgM
...

看到一堆編碼第一時間懷疑是 base64 所以試試看

$ base64 -d 233212 > ans.txt

並且看看內容

$ cat ans.txt                
����JFIF``��<CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 95
��C
...

發現隱藏的資訊是一個 jpg 檔案，但我們現在的檔名是 txt，所以改一下檔名成 ans.jpg

就會成功看到答案

小結

因為不知道這題是怎麼隱寫 pdf 的，所以上網查詢，發現這題還有其他解法，而且有針對檔案的詳細介紹

https://0secusik0.tistory.com/57

本日飲血

這裡終於有百合了