Description
The Network Operations Center (NOC) of your local institution picked up a suspicious file, and they're getting conflicting information on what type of file it is. They've brought you in as an external expert to examine the file. Can you extract all the information from this strange file? Download the suspicious file here.
Setup
Polyglot analysis
Download flag2of2-final.pdf locally.
Install pdftotext (poppler-utils) and an OCR tool such as gocr.
wget https://artifacts.picoctf.net/c_titan/9/flag2of2-final.pdf && \
sudo apt install poppler-utils gocr
Solution
- Step 1: Extract the PDF half. Use pdftotext to dump the text portion; it holds the second half of the flag (1n_pn9_&_pdf_7f9...}).
  pdftotext flag2of2-final.pdf && cat flag2of2-final.txt
- Step 2: Treat it as a PNG. The magic bytes also match a PNG. Rename the file with a .png extension and OCR the image to recover the opening characters picoCTF{f1u3n7_.
  mv flag2of2-final.pdf flag2of2-final.png && gocr flag2of2-final.png | tr -d ' '
- Step 3: Combine halves. Concatenate the PNG-derived prefix with the PDF-derived suffix to get the full flag picoCTF{f1u3n7_1n_pn9_&_pdf_7f9...}.
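The steps above work because one byte stream parses as two formats. The following is an added example, not part of the original write-up: a small triage script that reports every format a file parses as, which is how a NOC could resolve the "conflicting information" directly. The sample bytes are constructed, and the layout (PDF data after the PNG's IEND chunk) is an assumption about how such a polyglot is built, not a dump of the challenge file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end(data: bytes):
    """Walk PNG chunks; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length            # length + type + body + CRC
        if end > len(data):
            return None                    # truncated chunk
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) != crc:
            return None                    # CRC covers type + body
        if ctype == b"IEND":
            return end
        pos = end
    return None

def analyze(data: bytes) -> dict:
    """Report each format the bytes parse as and where the extra data sits."""
    end = png_end(data)
    pdf_at = data.find(b"%PDF-")
    formats = []
    if end is not None:
        formats.append("png")
    if pdf_at != -1 and b"%%EOF" in data[pdf_at:]:
        formats.append("pdf")
    return {
        "formats": formats,
        "pdf_offset": pdf_at if pdf_at != -1 else None,
        "bytes_after_iend": len(data) - end if end is not None else None,
        "polyglot": len(formats) > 1,
    }

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed sample: a 1x1 PNG followed by a stub PDF (not the challenge file).
SAMPLE_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\ntrailer\n<<>>\n%%EOF\n"

if __name__ == "__main__":
    print(analyze(SAMPLE_PNG + SAMPLE_PDF))
```

A non-zero bytes_after_iend on a file that image tools accept is worth flagging on its own, since type checks that stop at the magic bytes never look at that region.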
Flag
picoCTF{f1u3n7_1n_pn9_&_pdf_7f9...}
Half PNG + half PDF = full flag.