[Forensics] InCTF 2018 - Winter Sport

Winter Sport

======= Difficulty level : Easy ========

I have a friend named Jake.We were watching a football tournament on one fine chilly morning. Meanwhile Jake’s sister Susan did something mischievous which cause Jake to lose some really important data. We could only find this piece of evidence, can you recover it for him?

========== Authors : cr4ck3t, stuxn3t ==========

In this challenge, it is provided a zip file containing a pdf file.pdf where it is possible to find the following message.

Besides this clear message, after running binwalk, we can find that there is another 7z archive.

After extracting this 7z archive it is revealed another pdf, omg.pdf, containing the following characters,

Well at first by opening the pdf in a text editor, we saw the composition of the pdf /ProcSet [/PDF /Text /ImageB /ImageC], saying that it contains 2 images although the pdf seemed to be corrupted, since we tried to extract the images from this pdf and there were some errors (some endstreams were missing and some other stuff regarding the pdf structure file). After we found what it seemed to be the encoding for those characters from the image above and they would translate into “What is Steganography ?Steganography is an amaz” but nothing more than that.
Since we couldn’t find a clear way, we were going to fix the pdf anatomically speaking, and then we saw this.

Well a bunch os spaces and tabs, just on the first 13 lines of the pdf? Due to Sublime Text (where tabs -> “-“ and spaces -> “.”) the idea of being another morse code related challenge, but well how could we find the spaces? what if we were using other text editor? Other options that came to our mind was Whitespace) and due to the message “What is Steganography ?Steganography is an amaz” we searched for steganography whitespace and we found Stegsnow which “is a program for concealing messages in text files by appending tabs and spaces on the end of lines, and for extracting messages from files containing hidden messages“. That was exactly what we wanted. Running it on the given omg.pdf it gave us the flag.

Flag: inctf{w3lcom3_t0_7h3_w0rld_0f_whit3sp4c3}