Challenge categories: Web exploitation
Challenge Name: Direct Login
Challenge Information
This challenge involves a PDF file containing hidden information. While PDFs are commonly used in organizations, many are unfamiliar with the potential for information disclosure through these files.
The challenge description provides information about the PDF file and details about the challenge itself.
Download the music producer's (D34DM0053) open letter by clicking the provided link.
After downloading and reviewing the letter, it was observed that it doesn't contain any sensitive information about the producer's identity.
The letter doesn't contain any flags or sensitive information, so the only thing left to examine is the Exif data in the file.
EXIF (Exchangeable Image File Format) metadata is additional information embedded in files such as images, PDFs, etc. It's commonly found in photos taken by digital cameras, smartphones, and other imaging devices.
EXIF data contains the following key information embedded in files:
- camera Settings information
- Image Information
- Geolocation Data
- Thumbnail
- software information
- device information
To extract the metadata from the file, we'll use ExifTool.
ExifTool is a free, open-source program that reads, writes, and manipulates metadata in images, audio files, videos, and PDFs.
To install ExifTool, use the following command:
Command: “sudo apt install libimage-exiftool-perl”
After installing ExifTool, use the following command to view the PDF file's metadata:
Command: “exiftool <filename.pdf>”
Upon examination, you'll notice that the Author field contains the flag value.
To address this type of vulnerability, consider the following points:
- It is recommended to strip all metadata from the image once it is uploaded into the application.
0 comments:
Post a Comment