Secret of the Polyglot : picoCTF

Digital Forensics Report (DFIR)

Case Title: Secret of the Polyglot – picoCTF
Author: syreal
Date: August 23, 2025
Investigator: Abdelwahab Shandy


1) Identification

Description:
A suspicious file named flag2of2-final.pdf was identified. The file raised concerns because it appeared to contain multiple formats simultaneously (both PDF and PNG).

Indicators of Compromise (IOCs):

  • File Name: flag2of2-final.pdf

  • File Size: 3.3 KB

  • Suspicion: The file exhibits dual-format characteristics (Polyglot file).


2) Acquisition

  • The file was downloaded from the challenge server using:

      wget https://artifacts.picoctf.net/c_titan/99/flag2of2-final.pdf
    
  • An exact copy was saved as SecretofthePolyglot.pdf.

  • An additional version was created as SecretofthePolyglot.png to ensure no data was lost during analysis.


3) Preservation

  • File permissions and integrity were verified to prevent accidental modification during analysis:

    • Permissions: rw-rw-r--

  • A working copy was stored in a separate directory, leaving the original untouched.

  • Access and modification timestamps were documented:

    • Modify Date: 2024-03-12

    • Access Date: 2025-08-23


4) Analysis

File Type Examination:

  • The file utility identified the object as a PNG image (50×50).

  • However, embedded PDF data was also detected.

Metadata Analysis (ExifTool):

  • Created using GIMP.

  • Comment field: “Created with GIMP.”

  • Warning: “Trailer data after PNG IEND chunk” → Indicates that additional data is appended after the PNG's terminating IEND chunk, i.e. beyond where a well-formed PNG image ends.

Binwalk Analysis:
Revealed the following structures inside the file:

  • PNG image

  • PDF document version 1.4

  • Zlib compressed data

Data Extraction (binwalk -e):

  • Extraction produced a folder _SecretofthePolyglot.png.extracted.

  • Contents included:

    • 47D → contained ASCII text:

        (1n_pn9_&_pdf_2a6a1ea8})
      
    • 47D.zlib → compressed data requiring further review.

Results:

  • The first part of the flag was found directly in the PNG image:

      picoCTF{f1u3n7_
    
  • The second part of the flag was found in the extracted ASCII text:

      1n_pn9_&_pdf_2a6a1ea8}
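
The layout the tools above reported (PNG ending at IEND, PDF appended behind it, zlib data inside the PDF stream) can be confirmed without binwalk by walking the PNG chunk list directly. The following Python script is an added example, not part of the original write-up or the challenge files; the polyglot it inspects is constructed inline from a one-pixel PNG and a minimal PDF, so the offsets and the stream text are sample values, not those of flag2of2-final.pdf.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
HIDDEN = b"(1n_pn9_&_pdf_2a6a1ea8})"  # constructed stand-in for the PDF stream text

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

# Constructed sample: a tiny valid PNG followed by a minimal PDF whose stream is zlib data.
PNG_ONLY = (PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b""))
PDF_TRAILER = (b"%PDF-1.4\n1 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
               + zlib.compress(HIDDEN) + b"\nendstream\nendobj\n%%EOF\n")
SAMPLE = PNG_ONLY + PDF_TRAILER

def png_iend_offset(blob: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND, or -1 if not a PNG."""
    if not blob.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 12 + length  # length field + type + data + CRC
        if ctype == b"IEND":
            return pos
    return -1

def inspect_trailer(blob: bytes) -> dict:
    """Report what follows IEND: its size, a PDF header, and any complete zlib streams."""
    end = png_iend_offset(blob)
    trailer = blob[end:] if end >= 0 else b""
    streams, i = [], 0
    while i < len(trailer) - 1:
        # zlib header: CMF 0x78 and a FLG byte such that CMF*256+FLG is a multiple of 31
        if trailer[i] == 0x78 and ((trailer[i] << 8) | trailer[i + 1]) % 31 == 0:
            d = zlib.decompressobj()
            try:
                out = d.decompress(trailer[i:])
            except zlib.error:
                out = None
            if out is not None and d.eof:  # only keep streams that inflate to completion
                streams.append((end + i, out))
                i += len(trailer) - i - len(d.unused_data)  # skip past the consumed stream
                continue
        i += 1
    return {"iend_offset": end, "trailer_len": len(trailer),
            "has_pdf": trailer.startswith(b"%PDF-"), "zlib_streams": streams}
```

Running inspect_trailer on the real file would report a non-zero trailer_len and has_pdf set, which is exactly the condition behind ExifTool's warning; the zlib streams it finds in the trailer correspond to the compressed PDF stream objects binwalk listed.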
    

5) Reporting

Conclusion:
The suspicious file was a Polyglot file containing PNG, PDF, and Zlib compressed segments. Using forensic tools (file, exiftool, and binwalk), both embedded and hidden content were successfully extracted.

Final Flag:

picoCTF{f1u3n7_1n_pn9_&_pdf_2a6a1ea8}

💬 "Control the code, and you control the world." 🔐 From wiping metadata to gaining root access — every step is documented and my goal is to deeply understand the system, not just hack!

Abdelwahab Shandy
