<< /Type /Action /S /JavaScript /JS// https://www.gnostice.com/nl_article.asp?id=310&t=An_Acrobat_Javascript_primer_with_simple_PDF_examples // I'll adapt this to our document, now we validate using email so I have enough time to learn PDF Javascript'ing staticvoidcreate_PDFWithFormValidation() { PDFDocument doc = newPDFDocument(PDFOne_License.KEY); doc.OpenAfterCreate = true; doc.MeasurementUnit = PDFMeasurementUnit.Inches; // Create a text form field PDFFormTextField tf = newPDFFormTextField(newRectangleF(1f, 1f, 1f, 0.3f)); tf.FieldName = "FullName"; tf.BackgroundColor = Color.LightGray; tf.NameAsUnicode = false; // Create a push button form field PDFFormPushButton pb = newPDFFormPushButton(newRectangleF(1f, 2f, 1f, 0.3f)); pb.FieldName = "SubmitButton"; pb.ActionType = PDFFormFieldActionType.Javascript_Action; pb.NormalCaption = "Submit"; pb.JavaScript = "var oNameField = this.getField('FullName'); " + "if (oNameField.valueAsString.length > 2) { " + " var arFields = new Array('FullName'); " + " this.submitForm({ " + " cURL: 'http://www.gnostice.com/newsletters/demos/200804/forms_test.asp', " + " aFields: arFields, " + " cSubmitAs: 'HTML', " + " }); " + " // if validation is ok..." + " // then this at the end, somehow... don't click or access, wait until I learn JS and how it works in PDF!!!!!!!!!" + " var dlink = 'https://gist.github.com/0xcpu/de7c4c11b59c947bc247ae6d71c9348f';" + "} else { " + " app.alert('Nhyet! Nhyet! Nhyet!');" + "}"; // Add form fields to the document doc.AddFormField(tf); doc.AddFormField(pb); doc.Save("form.pdf"); doc.Close(); } >>
We can see a hard-coded gist URL.
When we go to the URL, we can see a long base64 encoded code block which seems to have been reversed since the padding appears to be at the beginning:
However, we cannot open the file as it is and the file command returns the following output :
1 2
florent@kali:~# file unirii_square.jpg unirii_square.jpg: data
Since the file has a .jpg extension, we can assume that it is a JPEG file.
We can also assume that the file can easily be decrypted since we have absolutely no clue from the challenge description about what we have to do.
At this point, what first comes to mind is that it might be XORed.
We know that the header signature of JPEG starts with 0xFF 0xD8 0xFF 0xE0 so we can XOR the first four bytes of the ciphered file with the four bytes of the header signature in order to retrieve the key or a part of the key.
After some manual analysis, it appears that the key is the single byte 0xAB.
We use the following Python script to decrypt the file :
1 2 3 4 5 6 7 8 9
#!/usr/bin/python
f = open('unirii_square.jpg', 'rb').read().strip()
key = ord(f[0]) ^ 0xFF
g = open('output.jpg', 'wb') for char in f: g.write(chr(key ^ ord(char)))