Confidential - PDF x QR Code Scan (TryHackMe)


Introduction

This challenge focuses on PDF forensics and steganography techniques. The scenario involves a confidential document from alleged "black hat hackers" containing a hidden QR code that's been covered by another image layer. Our objective is to extract and decode this QR code to retrieve a secret invite code.

  • Challenge Category: Digital Forensics

  • Skills Required: PDF analysis, image extraction, basic Linux command-line tools

  • Key Learning Points: Understanding PDF structure, extracting embedded objects, and recognizing layered content obfuscation

Confidential

We got our hands on a confidential case file from some self-declared "black hat hackers"... it looks like they have a secret invite code available within a QR code, but it's covered by some image in this PDF! If we want to thwart whatever it is they are planning, we need your help to uncover what that QR code says!

Access this challenge by deploying the machine attached to this task by pressing the green "Start Machine" button. This machine shows in Split View in your browser; if it doesn't automatically display, you may need to click "Show Split View" in the top right.

The file you need is located in /home/ubuntu/confidential on the VM.


Answer the questions below

  1. Uncover and scan the QR code to retrieve the flag! flag{e08e6ce2f077a1b420cfd4a5d1a57a8d}

ubuntu@thm-confidential:~/confidential$ pdfimages -all Repdf.pdf output_prefix
ubuntu@thm-confidential:~/confidential$ ls
Repdf.pdf  output_prefix-000.png  output_prefix-001.png  output_prefix-002.png

I opened output_prefix-001.png and scanned the QR code in it.

Conclusion

This challenge demonstrated a common technique used in PDF-based steganography: hiding information by layering images on top of each other. By using pdfimages, we were able to extract all embedded images from the PDF file separately, revealing the hidden QR code that was obscured in the original document.

Key Takeaways:

  • PDFs can contain multiple image layers that may not all be visible in standard viewers

  • The pdfimages utility is essential for extracting embedded images for forensic analysis

  • Attackers may hide sensitive information within document objects, making metadata and object extraction critical skills in digital forensics

  • Always examine all extracted artifacts individually, as hidden content may only be visible when isolated from other layers

This technique is commonly used in real-world scenarios for both malicious purposes (data exfiltration, hidden communications) and legitimate ones (watermarking, copyright protection). Understanding how to extract and analyze PDF components is a fundamental skill in cybersecurity investigations.
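To show why a viewer hides one image while pdfimages still recovers it, here is an added example (not part of the original write-up or the challenge files) that reads a page content stream and reports any image painted completely underneath a later one. It assumes the stream is already decompressed and that each image is drawn as `q <matrix> cm /Name Do Q`; the sample stream, the image names and the function names are constructed for illustration, and clipping, nested transforms and transparency are ignored.

```python
import re

# Constructed sample: an uncompressed content stream painting three image
# XObjects. /Im1 is painted first, then /Im2 is painted over the same area.
SAMPLE_STREAM = b"""
q 612 0 0 100 0 692 cm /Im0 Do Q
q 200 0 0 200 206 300 cm /Im1 Do Q
q 220 0 0 220 196 290 cm /Im2 Do Q
"""

NUM = rb"[-+]?\d*\.?\d+"
# One paint operation: save state, set the matrix [a b c d e f] with `cm`,
# draw the named XObject with `Do`, restore state.
PAINT = re.compile(
    rb"q\s+(" + rb"\s+".join([NUM] * 6) + rb")\s+cm\s+/(\S+)\s+Do\s+Q"
)


def image_boxes(stream):
    """Return [(name, (x0, y0, x1, y1))] in paint order.

    An image XObject fills the unit square, so its footprint on the page is
    the unit square transformed by the matrix; we keep the axis-aligned
    bounding box of the four transformed corners.
    """
    boxes = []
    for m in PAINT.finditer(stream):
        a, b, c, d, e, f = (float(v) for v in m.group(1).decode().split())
        xs = [e, a + e, c + e, a + c + e]
        ys = [f, b + f, d + f, b + d + f]
        boxes.append((m.group(2).decode(), (min(xs), min(ys), max(xs), max(ys))))
    return boxes


def covered_images(stream):
    """Return [(hidden, cover)] where a later-painted box contains an earlier one."""
    boxes = image_boxes(stream)
    hits = []
    for i, (name, (x0, y0, x1, y1)) in enumerate(boxes):
        for later, (lx0, ly0, lx1, ly1) in boxes[i + 1:]:
            if lx0 <= x0 and ly0 <= y0 and lx1 >= x1 and ly1 >= y1:
                hits.append((name, later))
    return hits


if __name__ == "__main__":
    for hidden, cover in covered_images(SAMPLE_STREAM):
        print(f"/{hidden} is fully covered by later-painted /{cover}")
```

A hit means the earlier image is still stored in the file as its own object, which is why extracting images individually exposes it.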