Have You Looked Hard Enough ?


Pour ce challenge, on télécharge un fichier challenge.pdf, qui contient du texte.

Exiftool

Lorsque l’on utilise exiftool sur ce fichier, on peut y voir :

└─[$] <> exiftool challenge.pdf 
ExifTool Version Number         : 13.04
File Name                       : challenge.pdf
[...]
Keywords                        : 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

Décodage base64

On a donc une belle base64

└─[$] <> echo "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" | base64 -d                     
# Decodes a hexadecimal string into raw bytes
# (named decode_from_hex in the cleaned-up listing further down).
def ______(cccccccccc):
    return bytes.fromhex(cccccccccc)
# XORs the UTF-8 bytes of a string (first argument) with a repeating key (second argument).
# Never called in this listing: the script below only uses the three other helpers.
def _____(bbbbbbbbb, bbbbbbbbbb):
    bbbbbbbbbbb = bytearray(bbbbbbbbb, 'utf-8')
    for bbbbbbbb in range(len(bbbbbbbbbbb)):
        # The modulo wraps the key index, so a short key is reused cyclically.
        bbbbbbbbbbb[bbbbbbbb] ^= bbbbbbbbbb[bbbbbbbb % len(bbbbbbbbbb)]
    return bytes(bbbbbbbbbbb)
# Adds each byte's index to its value and re-packs the sum as one byte
# (named increment_index_position in the cleaned-up listing further down).
def _______(aaaaaa):
    aaaaa = b""
    for i in range(len(aaaaaa)):
        # int.to_bytes() without a length relies on the defaults introduced in Python 3.11;
        # a sum above 255 does not fit in one byte and raises OverflowError.
        aaaaa += int.to_bytes(aaaaaa[i] + i)
    return aaaaa
# XORs a bytes-like value (first argument) with a repeating key (second argument)
# (named transformations in the cleaned-up listing further down).
def ________(hhhhhhhhhhh, hhhhhhhh):
    gggggggggg = bytearray(hhhhhhhhhhh)
    for i in range(len(gggggggggg)):
        # The modulo wraps the key index, so a short key is reused cyclically.
        gggggggggg[i] ^= hhhhhhhh[i % len(hhhhhhhh)]
    return bytes(gggggggggg)
# Main flow of the decoded payload. In this dump the input() and print() calls are
# commented out, so as shown iiiiiiii is never assigned: its first use raises NameError,
# which the handler at the bottom turns into exit(1). The cleaned-up listing further
# down restores those calls.
try:
# The hex literal below decodes to 'Give me the password: '.
#    iiiiiiii = bytes.fromhex(input(bytes.fromhex("47697665206d65207468652070617373776f72643a20").decode()))
    if not iiiiiiii:
# The hex literal below decodes to 'Hmm, you cannot give me an empty password...'.
#        print(bytes.fromhex("486d6d2c20796f752063616e6e6f742067697665206d6520616e20656d7074792070617373776f72642e2e2e").decode())
        exit(1)
    # Hard-coded XOR key, stored as hex text.
    ddddddd = "414c5146774b5e5f572a635759573624544e5821624c0e4c5a18561c61"
    kkk = ______(ddddddd)
    # Add each byte's index to the input bytes, then XOR the result with the key.
    eeeeeeeeeeeeeeeeeeeeeeee = _______(iiiiiiii)
    fffffffffffffffffff = ________(eeeeeeeeeeeeeeeeeeeeeeee, kkk)
    # The output is never compared with an expected value; it only has to be valid UTF-8.
    jjjjjjjjjjjjj = fffffffffffffffffff.decode('utf-8')
# The hex literal below decodes to 'Well done!, you can validate with this flag:'.
#    print(bytes.fromhex("57656c6c20646f6e65212c20796f752063616e2076616c69646174652077697468207468697320666c61673a").decode(), jjjjjjjjjjjjj)
except Exception as _:
    # Every failure ends the same way: exit status 1, no message.
    exit(1)

Python

Et maintenant un beau code Python!

Le code sans les commentaires, avec la bonne indentation et les strings visibles:

def decode_from_hex(string):
    """Return the raw bytes encoded by the hexadecimal text *string*.

    Raises ValueError (from bytes.fromhex) when *string* is not valid hex.
    """
    raw = bytes.fromhex(string)
    return raw

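def increment_index_position(hex_input):
    """Add each byte's position to its value and return the shifted bytes.

    Args:
        hex_input: the password bytes (already decoded from hex text).

    Returns:
        A bytes object of the same length where byte i equals hex_input[i] + i.

    Raises:
        OverflowError: if a byte plus its index no longer fits in one byte (> 255).
    """
    # Length and byte order are spelled out because the bare int.to_bytes(value)
    # form only works on Python 3.11+. join() also avoids rebuilding the bytes
    # object on every iteration.
    return b"".join(
        (value + offset).to_bytes(1, "big")
        for offset, value in enumerate(hex_input)
    )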

def transformations(a, b):
    """XOR every byte of *a* with the key *b*, reusing the key cyclically.

    *a* is copied through bytearray() first, so the caller's object is never
    modified. An empty key with a non-empty *a* raises ZeroDivisionError.
    """
    return bytes(
        byte ^ b[pos % len(b)]
        for pos, byte in enumerate(bytearray(a))
    )

try:
    # The password is typed as hexadecimal text; malformed hex raises ValueError
    # and lands in the silent handler at the bottom.
    hex_input = bytes.fromhex(input('Give me the password: '))
    if len(hex_input) == 0:
        print('Hmm, you cannot give me an empty password...')
        exit(1)
    # Hard-coded XOR key, stored as hex text in the script.
    key = decode_from_hex("414c5146774b5e5f572a635759573624544e5821624c0e4c5a18561c61")
    # flag[i] = (password[i] + i) XOR key[i]: shift by index first, then apply the key.
    # Nothing compares the result with an expected value; any input whose transform
    # is valid UTF-8 reaches the success message.
    result = transformations(increment_index_position(hex_input), key).decode('utf-8')
    print('Well done!, you can validate with this flag:', result)
except Exception as _:
    # Bad hex, a byte overflow or invalid UTF-8 all end the same way: status 1, no message.
    exit(1)

On sait que la fonction va donner un flag valide de la forme AMSI{...}, il ne reste plus qu’à faire matcher les premiers caractères.

Pour trouver AMSI, ce n’est pas bien dur, voici un script Python:

xor = bytes.fromhex("414c5146774b5e5f572a635759573624544e5821624c0e4c5a18561c61")
wanted = "AMSI{"

# Run the checker backwards: it computes flag[i] = (password[i] + i) ^ key[i],
# so the password byte that yields a wanted character is (key[i] ^ flag[i]) - i.
result = bytearray(
    (xor[pos] ^ char) - pos
    for pos, char in enumerate(wanted.encode('utf-8'))
)
print(result)

On peut voir en sortie: \x00\x00\x00\x0c\x08, soit 0000000c08 en hexadécimal, ce qui correspond bel et bien au début du mot de passe qui produit AMSI{. Maintenant, il faut déterminer comment choper le flag.

Après avoir rouvert le pdf, je me suis rendu compte qu’en faisant control + A, on pouvait voir du texte caché qui débutait par “0000000c08”. (Enfin, il fallait copier coller le texte ailleurs car il était de couleur blanc sur blanc).

0000000c081634320010042a30266408200020020018141810100c1000

De fait, après l’avoir passé dans le programme, j’ai obtenu le flag AMSI{Pdf_3mbedD3d_j4va$cr1p7}.