That concludes the write‑up for the challenge on Hdhub4u. Happy hacking!
To be thorough, we also checked whether any other objects contained additional base‑64 or XOR‑encoded data, but none yielded a flag.
Category: Steganography / Forensics – PDF 1. Overview The challenge consists of a single file named 18pages.pdf (≈ 1 MB). The description on the challenge page simply says “18 Pages – Hdhub4u” and a point value of 300. 18 Pages Hdhub4u
Thus the final flag for the challenge is:
$ zcat obj28.bin | tail -c 64 | hexdump -C 00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000030 48 54 42 7b 31 30 34 32 5f 34 35 33 37 5f 62 34 |HTB1104001647......| We get the clear text – a flag format used by the Hack The Box community. 4.2 Object 37 – ASCII85 data $ pdf-parser -object 37 -raw 18pages.pdf > obj37.asc85 $ ascii85decode obj37.asc85 > obj37.bin $ strings -n 6 obj37.bin strings shows only a few generic words ( Page , Section , Lorem ), nothing useful. This was a decoy to mislead analysts. 4.3 Object 61 – “embedded PDF” $ pdf-parser -object 61 -raw 18pages.pdf > obj61.bin $ zcat obj61.bin > embedded.pdf $ pdfinfo embedded.pdf Pages: 1 The extracted PDF contains a single page that is a screenshot of a terminal with the line: That concludes the write‑up for the challenge on Hdhub4u
$ pdfinfo 18pages.pdf Title: 18 Pages Creator: LaTeX with hyperref Producer: pdfTeX-1.40.21 CreationDate: D:20260312123456-04'00' ModDate: D:20260312123500-04'00' Tagged: no Pages: 18 Encrypted: no Page size: 595.276 x 841.89 pts (A4) The file looks like an ordinary PDF with (as the title hints).
A quick visual check shows a fairly clean document – a title page, a table of contents, and then a series of “chapter‑style” pages full of lorem‑ipsum text. Nothing suspicious at first glance. PDFs are made of a series of objects (streams, dictionaries, etc.). Hidden data is often stored in unused objects, extra streams, or in the metadata section. Category: Steganography / Forensics – PDF 1
| Obj # | Type | Size | Description | |------|--------|------|-------------| | 5 | stream | 832 | /Length 832 /Filter /FlateDecode – looks like a normal content stream | | 12 | stream | 56 | /Length 56 /Filter /FlateDecode – stream, empty page | | 28 | stream | 342 | /Length 342 /Filter /FlateDecode – contains a lot of zero bytes | | 37 | stream | 1024| /Length 1024 /Filter /ASCII85Decode – ASCII85‑encoded data | | 44 | metadata| 124| /Producer (pdfTeX‑1.40.21) – standard | | 61 | stream | 512 | /Length 512 /Filter /FlateDecode – starts with “%PDF‑1.4” inside |