Redaction gone wrong picoCTF 2022 Solution

Published: July 20, 2023

Description

Sensitive text in a PDF was only visually redacted. Convert the PDF to text (or copy/paste) to reveal the hidden flag.

Install pdftotext. On Debian/Ubuntu: sudo apt install poppler-utils. On macOS: brew install poppler.

Run pdftotext Financial_Report_for_ABC_Labs.pdf to create a .txt version, or open the PDF in a viewer that respects text layers (Preview.app on macOS, Foxit Reader, evince) and try to select across the black boxes.

Grep the extracted text for picoCTF.

bash
sudo apt install poppler-utils  # or brew install poppler on macOS
bash
pdftotext Financial_Report_for_ABC_Labs.pdf
bash
grep -oE "picoCTF\{.*\}" Financial_Report_for_ABC_Labs.txt

Solution

Want to try it yourself first?

The guided walkthrough reveals hints one step at a time.

Walk me through it
  1. Step 1
    Convert the PDF
    Observation
    I noticed the challenge PDF used black rectangles placed over text rather than truly removing it, which suggested the underlying text layer was still intact and could be extracted with a tool like pdftotext that reads raw document content instead of rendering visuals.
    Visual redactions don't remove the underlying text. pdftotext extracts everything, including the supposedly hidden sections.
    What didn't work first

    Tried: Opening the PDF in a browser or standard viewer and reading what is visible on screen.

    The black rectangles cover the sensitive text visually, so the viewer shows redacted sections as solid black bars. A beginner assumes the content is gone. The fix is to either use pdftotext to extract the raw text layer or to try selecting and copying text directly in a PDF viewer, which bypasses the overlay.

    Tried: Trying to remove or move the black boxes using a photo editor like GIMP or Photoshop.

    Treating the PDF as an image and editing the black bars only works if the PDF was actually flattened to a raster image. Most PDFs store text and graphics as separate layers, so image editing would only affect the visual output of a screenshot, not the underlying text data. pdftotext reads the text stream directly and is the right approach.

    Learn more

    PDF (Portable Document Format) stores content as a layered document structure. A black rectangle drawn on top of text is a separate visual element - the original text data remains fully intact in the file's content stream. This is fundamentally different from actually deleting or overwriting the text.

    The pdftotext tool (part of the poppler-utils package; install via apt install poppler-utils on Linux or brew install poppler on macOS) strips all visual formatting and extracts the raw text content, bypassing any overlaid shapes. Even simpler: PDF viewers like Preview.app, Foxit Reader, and evince let you select and copy text that appears visually redacted, because the redaction is just a black rectangle drawn on top of the still-intact text layer rather than the text being deleted from the document.

    This is not a theoretical vulnerability - it has caused real-world data breaches. High-profile examples include leaked NSA documents and court filings where sensitive names were "blacked out" using this flawed method. The correct approach is to use purpose-built redaction tools that remove the text from the document, not merely cover it.

  2. Step 2
    Search for the flag
    Observation
    I noticed the extracted text file could span many lines of financial report content, which suggested using grep with the picoCTF flag pattern to immediately pinpoint the flag string rather than scrolling manually.
    Grep the generated text file for picoCTF to immediately locate the flag string.
    What didn't work first

    Tried: Opening the .txt output and scrolling manually to find the flag.

    The extracted text file can span many pages of content, and the flag line may be buried mid-document. Manually scrolling is slow and error-prone. Running grep -oE "picoCTF\{.*\}" against the file immediately pinpoints the flag regardless of where it appears.

    Tried: Grepping for 'picoCTF' without a pattern that captures the full flag, then getting only partial output.

    Using plain grep 'picoCTF' without the -o and -E flags prints the entire line containing the match, which may include surrounding text and make it harder to isolate the flag. The -o flag restricts output to only the matched portion, and the regex .*} ensures the closing brace is included so the full flag value is captured.

    Learn more

    grep -oE "picoCTF\{.*\}" uses an extended regular expression to match the flag pattern. The -o flag prints only the matching portion (not the whole line), and -E enables extended regex syntax like .* for "any characters."

    In forensics and incident response, pattern-matching against extracted text is a core workflow. Tools like bulk_extractor automate this at scale, scanning disk images or raw files for email addresses, URLs, credit card numbers, and other structured data patterns - even across file boundaries in unallocated space.

    Proper document redaction for sensitive material requires tools certified for the purpose, such as Adobe Acrobat's built-in redaction feature (which actually removes content), or dedicated solutions used in legal and government contexts that produce a new, sanitized document with the underlying data permanently removed.

Flag

Reveal flag

picoCTF{C4n_Y0u_S33_m3_f...}

Real-world lesson: always remove sensitive text entirely before distributing redacted documents.

Key takeaway

Drawing a black box over text in a PDF only hides it visually; the underlying characters stay in the document's text layer and reappear the moment you copy the text or run pdftotext. True redaction must remove the data itself, not merely cover it, by flattening to an image or using a tool that deletes the underlying content stream. This exact mistake has leaked classified and legal documents in the real world, where reviewers trusted a visual overlay instead of verifying the bytes were gone.

Related reading

Want more picoCTF 2022 writeups?

Useful tools for Forensics

What to try next