AngstromCTF2019: Paper Bin

The Challenge

Paper Bin Misc 40 pts

defund accidentally deleted all of his math papers! Help recover them from his computer’s raw data.

Author: defund

link: https://files.actf.co/ac4e8f7e16fb244613ffe42741046f98839e477e7a511d583dcc1bb291486029/paper_bin.dat

The Solution

This was a frustrating challenge simply because most tools designed to deal with PDFs happily read through the first PDF in the binary and report that is all there was. Interestingly, different PDF readers would pick different PDFs from the file to display — but all would only display one PDF.

After inspecting the output from the excellent pdf-parser.py by Didier Stevens and deciding to use a hex editor, the PDFs in the .dat became clearer.

Searching for the PDF file header “%PDF” in the .dat file revealed the files. One of them appears to have a different version.

Carving the PDFs out of the file and opening the suspicious one revealed the flag.