
TryHackMe – Confidential Writeup


Room: Confidential
Release Date: 19-08-2022
Difficulty: Easy
Category: Forensics

Scenario

We got our hands on a confidential case file from some self-declared "black hat hackers"... it looks like they have a secret invite code available within a QR code, but it's covered by some image in this PDF! If we want to thwart whatever it is they are planning, we need your help to uncover what that QR code says!


Step 1: Access the PDF

Once the machine is deployed, navigate to the target directory:

cd /home/ubuntu/confidential

The file of interest is named Repdf.pdf.

Opening the file, we observe that the PDF contains only a single page, which appears to be a static image. Upon closer inspection, we notice that part of the QR code is visually blocked by a red triangular overlay.


Step 2: Extracting Embedded Images

Since tools like binwalk are not installed on the TryHackMe virtual machine (and may be out of scope), we look for an alternative.

Luckily, the VM has a utility called pdfimages, which can extract embedded images from PDF files. We use the following command to extract all images:

pdfimages -png Repdf.pdf ext

This generates three PNG files:

ubuntu@thm-confidential:~/confidential$ ls
Repdf.pdf  ext-000.png  ext-001.png  ext-002.png

Step 3: Analyze Extracted Images

Inspecting the images:

  • ext-000.png contains the QR code without the overlay.

  • ext-001.png and ext-002.png appear to be parts of the overlay or background.

We focus on ext-000.png since it contains the unmasked QR code.
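Why the overlay hides nothing: each picture in a PDF is stored as its own image XObject, and the page content only says where to paint it, so whatever is drawn on top leaves the original bytes in the file. The following stand-alone Python (an added example, not part of the original writeup and not a substitute for pdfimages) pulls every image XObject out of a PDF with the standard library only; it is run against a constructed one-page PDF that draws a small "QR" image and then paints a block over it. Function names such as extract_images and build_sample_pdf are mine; the room's Repdf.pdf is not needed.

```python
import re
import zlib

# One "N G obj << dict >> stream" unit; one nested << >> level is allowed in the dict.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")
def _int_entry(dict_src: bytes, key: bytes) -> int:
    m = re.search(rb"/" + key + rb"\s+(\d+)", dict_src)
    return int(m.group(1)) if m else 0
def extract_images(pdf: bytes) -> list:
    """Return every /Subtype /Image XObject with its size, filter and body bytes."""
    images = []
    for m in OBJ_RE.finditer(pdf):
        dict_src = m.group(3)
        if not re.search(rb"/Subtype\s*/Image\b", dict_src):
            continue                                   # content streams, fonts, etc.
        fm = re.search(rb"/Filter\s*/(\w+)", dict_src)
        filt = fm.group(1).decode() if fm else None
        raw = pdf[m.end(): m.end() + _int_entry(dict_src, b"Length")]   # stream body
        if filt == "FlateDecode":                      # other filters (e.g. DCTDecode = JPEG)
            raw = zlib.decompress(raw)                 # are returned as stored
        images.append({"obj": int(m.group(1)), "width": _int_entry(dict_src, b"Width"),
                       "height": _int_entry(dict_src, b"Height"), "filter": filt, "data": raw})
    return images

# ---- constructed sample: a 4x4 "QR" is drawn, then a 2x2 block is painted over it ----
QR_PIXELS = bytes([0, 255] * 2 + [255, 0] * 2) * 2     # constructed checkerboard, 8-bit gray
COVER_PIXELS = bytes([200] * 4)                        # constructed flat overlay
def _obj(num: int, body: bytes) -> bytes:
    return b"%d 0 obj\n" % num + body + b"\nendobj\n"
def _image_obj(num: int, w: int, h: int, pixels: bytes, compress: bool) -> bytes:
    data = zlib.compress(pixels) if compress else pixels
    filt = b" /Filter /FlateDecode" if compress else b""
    head = (b"<< /Type /XObject /Subtype /Image /Width %d /Height %d /ColorSpace /DeviceGray"
            b" /BitsPerComponent 8%s /Length %d >>" % (w, h, filt, len(data)))
    return _obj(num, head + b"\nstream\n" + data + b"\nendstream")

def build_sample_pdf() -> bytes:
    """Minimal one-page PDF (constructed, not the room's Repdf.pdf); xref table omitted."""
    content = b"q 100 0 0 100 50 50 cm /Qr Do Q q 60 0 0 60 70 70 cm /Cover Do Q"
    return b"".join([
        b"%PDF-1.4\n",
        _obj(1, b"<< /Type /Catalog /Pages 2 0 R >>"),
        _obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
        _obj(3, b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Contents 4 0 R"
                b" /Resources << /XObject << /Qr 5 0 R /Cover 6 0 R >> >> >>"),
        _obj(4, b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream"),
        _image_obj(5, 4, 4, QR_PIXELS, compress=True),      # the covered QR is still here
        _image_obj(6, 2, 2, COVER_PIXELS, compress=False),
        b"trailer\n<< /Root 1 0 R >>\n%EOF\n",
    ])
```

Calling extract_images(build_sample_pdf()) returns both images, the "QR" first with its original pixels intact, which is exactly what pdfimages recovered as ext-000.png; the same function works on any PDF whose images are stored uncompressed or Flate-compressed.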


Step 4: Decode the QR Code

To extract the flag from the QR code, take a screenshot of ext-000.png or download the file and upload it to a QR code reader. I used CyberChef for decoding.

Once uploaded, CyberChef successfully reveals the embedded text – the flag.


🏁 Flag

flag(REDACTED)

Blog: dfirpro