Skip to content
Jenn Janesko edited this page Apr 2, 2019 · 13 revisions

The Wanted problem had the following description:

We recently discovered a suspicious forum post that could be attributed to Captain Crypto. It seems like he wanted to tell some secrets to his hacker companions by hiding it inside a file. You need to help our investigation by extracting the secrets from the document.

Fellow Hackerz,

Look what I found recently on some filthy image board. I am not very amused. To everyone who supports my case - I packed an important message deep into this shady document. If you are clever enough you will find it!

Captain Crypto

There was a file to download; WANTED.pdf. Opening it revealed a very orange picture.

I tried opening it in a PDF viewer, Gimp and Open Office, but these tools didn't give me any further clues. I didn't have Adobe Acrobat, so I could not convert the file back for editing. I thought about looking for an open source PDF editor. But, I decided to first inspect the file using the file command.

~/Downloads/ccwanted$ file WANTED.pdf

WANTED.pdf: data

I thought that the output of the file command looked strange. So, I compared it against another pdf that I had on my computer.

~/Downloads/ccwanted$ file document.pdf

document.pdf: PDF document, version 1.4

This was definitely different. So, I decided to use binwalk to analyze further. This revealed the following.

~/Downloads/ccwanted$ binwalk WANTED.pdf

DECIMAL HEXADECIMAL DESCRIPTION

-------------------------------------------------------------------------------

27 0x1B Zip archive data, at least v2.0 to extract, compressed size: 146649, uncompressed size: 146649, name: WANTED.pdf

146716 0x23D1C Zip archive data, at least v2.0 to extract, compressed size: 7020, uncompressed size: 13864, name: YOU_NEED_TO_DIG_DEEPER

153912 0x25938 End of Zip archive

Looking at it, it seemed that I was not only dealing with a pdf, but I was also dealing with a zip archive. I tested this by using the unzip command.

~/Downloads/ccwanted$ unzip WANTED.pdf

Archive: WANTED.pdf

error [WANTED.pdf]: missing 67 bytes in zipfile

(attempting to process anyway)

replace WANTED.pdf? [y]es, [n]o, [A]ll, [N]one, [r]ename: r

new name: WANTED2.pdf

extracting: WANTED2.pdf

inflating: YOU_NEED_TO_DIG_DEEPER

This left me with two interesting files: WANTED2.pdf and YOU_NEED_TO_DIG_DEEPER. I opened the second file, and it revealed the following image.

I went to https://passwordsgenerator.net/sha1-hash-generator/ and used the SHA-1 generator to calculate the hash for the flag. In the end, the flag was the following:

mucctf{EFBAA796F2D480AC6403EEF733B3A4EE72D24B79}

You can’t perform that action at this time.