TryHackMe - Confidential Writeup


Room: Confidential
Release Date: 19-08-2022
Difficulty: Easy
Category: Forensics
Scenario
We got our hands on a confidential case file from some self-declared "black hat hackers"... it looks like they have a secret invite code available within a QR code, but it's covered by some image in this PDF! If we want to thwart whatever it is they are planning, we need your help to uncover what that QR code says!
Step 1: Access the PDF
Once the machine is deployed, navigate to the target directory:
cd /home/ubuntu/confidential
The file of interest is named Repdf.pdf.
Opening the file, we observe that the PDF contains only a single page, which appears to be a static image. Upon closer inspection, we notice that part of the QR code is visually blocked by a red triangular overlay.
Step 2: Extracting Embedded Images
Since tools like binwalk are not installed on the TryHackMe virtual machine (and may be out of scope), we look for an alternative.
Luckily, the VM has a utility called pdfimages, which can extract embedded images from PDF files. We use the following command to extract all images:
pdfimages -png Repdf.pdf ext
This generates three PNG files:
ubuntu@thm-confidential:~/confidential$ ls
Repdf.pdf ext-000.png ext-001.png ext-002.png
Step 3: Analyze Extracted Images
Inspecting the images:
ext-000.png contains the QR code without the overlay. ext-001.png and ext-002.png appear to be parts of the overlay or background.
We focus on ext-000.png since it contains the unmasked QR code.
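Why Step 2 recovers the full QR code is worth spelling out. A PDF page is painted from a content stream that draws separately stored objects in order; the red triangle is simply drawn after the QR image, so the original image object is still intact in the file. The script below is an added example, not code from the writeup and not how pdfimages itself is implemented: it carves image XObjects straight out of the raw bytes (ignoring the xref table, so it also works on damaged files) and lists the paint order that produces the visual cover. SAMPLE_PDF is a constructed stand-in for Repdf.pdf with the same structure (a "secret" image and a cover image as two objects); the helper names are my own. From a defensive standpoint this is the general lesson: an overlay is not redaction, and a document that must hide content has to have the underlying object removed or the page flattened to a single rasterised image before it is shared.

```python
import re
import sys
import zlib

# Every "N G obj ... endobj" unit in the file; lazy match stops at the first endobj.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)


def _image_object(num: int, width: int, height: int, pixels: bytes) -> bytes:
    """Serialise one 8-bit grayscale image XObject, Flate-compressed like most real PDFs."""
    data = zlib.compress(pixels)
    head = (f"{num} 0 obj\n<< /Type /XObject /Subtype /Image /Width {width} /Height {height} "
            f"/ColorSpace /DeviceGray /BitsPerComponent 8 /Filter /FlateDecode "
            f"/Length {len(data)} >>\nstream\n").encode()
    return head + data + b"\nendstream\nendobj\n"


# Constructed sample data: a tiny 8x8 "code" and a flat block that will be painted over it.
SECRET_PIXELS = bytes([0, 255] * 32)
OVERLAY_PIXELS = bytes([128]) * 64

# Page content stream: paint Im0 (the secret) first, then Im1 (the cover) on top of it.
_CONTENT = b"q 100 0 0 100 50 50 cm /Im0 Do Q\nq 60 0 0 60 70 70 cm /Im1 Do Q\n"

# Constructed stand-in for Repdf.pdf (no xref table; it is input for the carver, not a viewer).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
    b"/Resources << /XObject << /Im0 4 0 R /Im1 5 0 R >> >> /Contents 6 0 R >>\nendobj\n"
    + _image_object(4, 8, 8, SECRET_PIXELS)
    + _image_object(5, 8, 8, OVERLAY_PIXELS)
    + b"6 0 obj\n<< /Length %d >>\nstream\n" % len(_CONTENT) + _CONTENT + b"\nendstream\nendobj\n"
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def _decode_stream(body: bytes):
    """Return (filter_name, decoded_bytes) for an object's stream, or None if it has none.
    Assumptions of this example: /Length is a direct integer (objects with an indirect
    '/Length n 0 R' are skipped) and only FlateDecode is decoded; DCTDecode data is JPEG as-is."""
    sm = re.search(rb"\bstream\r?\n", body)
    lm = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", body)
    if not sm or not lm:
        return None
    raw = body[sm.end():sm.end() + int(lm.group(1))]
    fm = re.search(rb"/Filter\s*/(\w+)", body)
    filt = fm.group(1).decode() if fm else None
    return filt, (zlib.decompress(raw) if filt == "FlateDecode" else raw)


def extract_images(pdf: bytes) -> list:
    """Carve every image XObject out of the raw bytes; each entry is one embedded image."""
    images = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        if not re.search(rb"/Subtype\s*/Image\b", body):
            continue
        decoded = _decode_stream(body)
        if decoded is None:
            continue
        filt, data = decoded
        images.append({
            "obj": num,
            "width": int(re.search(rb"/Width\s+(\d+)", body).group(1)),
            "height": int(re.search(rb"/Height\s+(\d+)", body).group(1)),
            "filter": filt,
            "ext": "jpg" if filt == "DCTDecode" else "raw",
            "data": data,
        })
    return images


def paint_order(pdf: bytes) -> list:
    """XObject names in the order the content streams paint them ('/Name Do').
    Later entries are drawn over earlier ones; a cover placed this way removes nothing."""
    names = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(2)
        if re.search(rb"/Subtype\s*/Image\b", body):
            continue
        decoded = _decode_stream(body)
        if decoded is not None:
            names += [n.decode() for n in re.findall(rb"/(\w+)\s+Do\b", decoded[1])]
    return names


if __name__ == "__main__":
    # With no argument, run on the constructed sample; otherwise carve the given file.
    pdf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for i, img in enumerate(extract_images(pdf)):
        name = f"ext-{i:03d}.{img['ext']}"
        with open(name, "wb") as fh:
            fh.write(img["data"])
        print(f"{name}: object {img['obj']}, {img['width']}x{img['height']}, filter={img['filter']}")
    print("paint order:", " -> ".join(paint_order(pdf)))
```

On the sample this reports two images (objects 4 and 5) and the paint order Im0 -> Im1, i.e. the cover is drawn last. Run against a real file, .jpg outputs are viewable directly, while .raw outputs are bare pixel data that still need the width, height and colour space to display; that packaging is exactly what pdfimages -png does for you, so the writeup's command remains the practical choice.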
Step 4: Decode the QR Code
To extract the flag from the QR code, take a screenshot of ext-000.png or download the file and upload it to a QR code reader. I used CyberChef for decoding.
Once uploaded, CyberChef successfully reveals the embedded text: the flag.
Flag
flag(*REDACTED*)
Written by kanishkar mathi