The Evil Files
Challenge
Imported from local notes.md.
Solution
Original Notes
Challenge Summary
- Given: a single PDF attachment named `challenge.pdf` and a description containing `SHA1: 2230cff50d7ae8672ab072d275df7057773f11eb`.
- Goal: recover the flag from the provided document.
- Constraints: no remote interaction; analysis is limited to the downloaded file.
Initial Recon / Triage
- Observations: the attachment is a one-page PDF generated by LibreOffice Writer.
- File identification: `file` and `pdfinfo` confirm it is a normal PDF 1.7 document with no encryption or embedded attachments.
- Entry points: extract visible text first, then inspect for hidden content only if the flag is not immediately present.
Hypotheses & Approach
- Hypothesis 1: the provided SHA1 is only an integrity check for the PDF, similar to other CIT challenges.
- Hypothesis 2: the flag may already be present in the document body or email headers and can be recovered with `pdftotext`.
Execution Steps (Reproducible)
Stage 1
Commands:
cd /root/cit2026CTF/The_Evil_Files
sha1sum starting_files/challenge.pdf
file starting_files/challenge.pdf
pdfinfo starting_files/challenge.pdf
pdfdetach -list starting_files/challenge.pdf
pdfimages -list starting_files/challenge.pdf
Results:
- The PDF hash matched the challenge prompt exactly: `2230cff50d7ae8672ab072d275df7057773f11eb`.
- The document is a plain one-page PDF with no embedded files and no extracted images.
Stage 2
Commands:
cd /root/cit2026CTF/The_Evil_Files
pdftotext starting_files/challenge.pdf artifacts/visible_text.txt
sed -n '1,40p' artifacts/visible_text.txt
Results:
- The extracted text revealed an email thread.
- The `CC:` header contains the flag directly: `CIT{m0j0_eng4g3d}`.
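The integrity check from Stage 1 and the flag search from Stage 2 as reusable shell helpers. This is an added example, not part of the original notes: `verify_sha1` and `find_flags` are hypothetical names, and the sample email text is constructed.

```shell
#!/bin/sh
# Added example: helper names and sample data are constructed for illustration.

# verify_sha1 FILE EXPECTED_HEX
# Returns 0 only when FILE is readable and its SHA-1 equals EXPECTED_HEX
# (compared case-insensitively); 2 if unreadable, 1 on mismatch.
verify_sha1() {
    [ -r "$1" ] || return 2
    actual=$(sha1sum "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# find_flags TEXTFILE
# Prints "line<TAB>header<TAB>token" for every CIT{...} token in pdftotext
# output. Lines that start with "Name:" are labelled with that header name;
# everything else is labelled "body".
find_flags() {
    awk '{
        hdr = "body"
        if (match($0, /^[A-Za-z-]+:/)) hdr = substr($0, 1, RLENGTH - 1)
        rest = $0
        while (match(rest, /CIT[{][^}]*[}]/)) {
            printf "%d\t%s\t%s\n", NR, hdr, substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
        }
    }' "$1"
}

# Constructed sample standing in for artifacts/visible_text.txt.
sample=$(mktemp)
cat > "$sample" <<'EOF'
From: alice@example.invalid
To: bob@example.invalid
CC: CIT{constructed_example}
Subject: quarterly report

Nothing to see in the body.
EOF

find_flags "$sample"
rm -f "$sample"
```

Reporting the header name alongside the token shows at a glance whether the flag sits in the message metadata or the body.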
Artifacts Produced
artifacts/visible_text.txt: text extracted directly from the PDF.
Flag
CIT{m0j0_eng4g3d}