picoCTF Forensics Guide

Secret of the Polyglot

Name: The Network Operations Center (NOC) of your local institution picked up a suspicious file, they're getting conflicting information on what type of file it is. They've brought you in as an external expert to examine the file. Can you extract all the information from this strange file? Download the suspicious file here.                
Author: syreal
Tags: Easy, Forensics, picoCTF 2024, file_format, polyglot
Challenge from: picoCTF 2024
Files: flag2of2-final.pdf
Hints:
1. This problem can be solved by just opening the file in different ways

Theory

According to the description, to get the flag we have to "open a file in different ways". Huh. So we only get that pdf file, we'll see what it is later, but it says 2 of 2, so that means it's the second half of the flag. I don't want to spoil much because this is a fun challenge, but in the tags it says file_format, so that means the file is going to be a different format, but how? Maybe we could use file to know what it is, but if it's really different file formats inside of a single file, then maybe that'll confuse the machine or something? Idk, I'll upload it to VirusTotal because that's what I do with every file I find that I have no clue what it does or idk I just do because it's fun I guess. But enough of that! Let's just upload that to VT and see what happens.

Solution

So if we upload it, we get:

0/63 undetected malicious
SHA-256: 846d9b5bb6b9eba5cb75d7a2deada3a417969d280631e69cba32c8433541d3ee
Name: flag2of2-final.pdf
Size: 3.28 KB
Last Analysis Date: 6 months ago
Tags: png

No way, It's a png file! Let's change the file extension and see what it is:

Ok, that seems like the first half of the flag, now let's see the pdf:

Now let's just write what the image says and copy the text from the pdf, and join them, so we get this:

picoCTF{f1u3n7_1n_pn9_&_pdf_90974127}

There we go! That's the flag.

I rated this level as "good"! :3