Forensics · Medium

Vn Ultra

CTF writeup for Vn Ultra from Vianu CTF

//VN Ultra

Flag: CTF{I5_th1s_r3dacted}

>1) Challenge summary

We are given a single archive, VN-ultra.zip, described as an “old classified document” with “missing details”. This strongly hints at redaction or hidden text inside a document (common in forensics: PDFs containing images, layered text, or poorly redacted content).

Goal: recover the missing details and output the flag in CTF{...} / Vianu_CTF{...} format.

>2) Initial triage (what’s in the folder?)

Start by listing the directory and identifying file types:

```bash
ls -la
file -b *
```

Observed:

  • VN-ultra.zip (a zip archive)
  • VN-ultra.zip:Zone.Identifier (Windows “Mark of the Web” metadata; not important here, but confirms it came from Windows)

>3) Inspect the archive without extracting

Before unpacking anything, it’s good practice to list the zip contents:

```bash
unzip -l VN-ultra.zip
```

Result: the zip contains exactly one file:

  • VN-ultra.pdf

Then extract:

```bash
rm -rf extracted
mkdir -p extracted
unzip -q VN-ultra.zip -d extracted
```

>4) Understand the PDF structure (why this matters)

When a CTF gives a PDF, there are usually 3 common hiding places:

  1. Selectable text (copy/paste or pdftotext)
  2. Attachments embedded in the PDF (pdfdetach)
  3. Rasterized pages (each page is an image; you must extract and process images)

We check metadata and structure:

```bash
pdfinfo extracted/VN-ultra.pdf
pdfdetach -list extracted/VN-ultra.pdf
pdftotext extracted/VN-ultra.pdf extracted/text.txt
```

Key observation from pdfinfo:

  • Producer: img2pdf, and the PDF had only 3 pages.

This is a big clue: img2pdf usually means “PDF made from images”, i.e. each page is likely a JPEG/PNG.

Also:

  • pdfdetach reported 0 embedded files.
  • pdftotext produced essentially nothing (consistent with image-only pages).

So the correct direction is: extract images from the PDF.

>5) Extract page images from the PDF

Use pdfimages (Poppler) to pull out embedded images:

```bash
mkdir -p extracted/images
pdfimages -all extracted/VN-ultra.pdf extracted/images/page
```

This produces:

  • extracted/images/page-000.jpg
  • extracted/images/page-001.jpg
  • extracted/images/page-002.jpg

At this point, you can already open them in an image viewer. But the challenge says “missing details”, which commonly means text was ‘redacted’ with black/white overlays or very low-contrast text.

>6) Confirm the theme with OCR (optional, but good recon)

Even if OCR doesn’t directly reveal the flag, it helps confirm we’re looking at a “document page image” and can reveal keywords that suggest where to focus.

We can run OCR with tesseract after converting each page to grayscale and stretching the contrast (this preprocessing often improves readability):

```bash
mkdir -p extracted/ocr

for f in extracted/images/page-*.jpg; do
  base=$(basename "$f" .jpg)
  # Grayscale + contrast stretch + light sharpen before OCR
  convert "$f" -colorspace Gray -contrast-stretch 0.5%x0.5% -sharpen 0x1 "extracted/ocr/${base}.png"
  tesseract "extracted/ocr/${base}.png" "extracted/ocr/${base}" -l eng --dpi 300
done
```

This confirmed that these are “internal document” style pages and that they contain “restricted” language, “redaction-like” areas, etc.

>7) The core idea: defeat weak redaction by image enhancement

In real-world cases, a common redaction mistake is to “redact” by drawing a translucent overlay or using a dark highlight that still preserves the underlying contrast.

If the hidden text is still present in pixel values (even faintly), you can often recover it by:

  • gamma adjustment
  • contrast stretching
  • thresholding
  • inversion

We generated enhanced variants for each page to try multiple “reveal” techniques:

```bash
mkdir -p extracted/reveal

for f in extracted/images/page-*.jpg; do
  base=$(basename "$f" .jpg)

  # 1) Gamma (brighten or darken midtones)
  convert "$f" -gamma 0.5 "extracted/reveal/${base}_gamma_0.5.png"
  convert "$f" -gamma 2.0 "extracted/reveal/${base}_gamma_2.0.png"

  # 2) Contrast stretch (expand dynamic range)
  convert "$f" -colorspace Gray -contrast-stretch 0.5%x0.5% "extracted/reveal/${base}_gray_stretch.png"

  # 3) Hard threshold (sometimes reveals faint text edges)
  convert "$f" -colorspace Gray -threshold 50% "extracted/reveal/${base}_threshold.png"

  # 4) Invert (sometimes makes light-on-dark obvious)
  convert "$f" -negate "extracted/reveal/${base}_invert.png"
done
```

Why gamma worked here

  • Gamma applies a nonlinear (power-law) remapping of brightness, so it changes the mapping of midtones without simply “making everything brighter”. This is often exactly what you need when text is present but compressed into a narrow brightness range under a “redaction” overlay.
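
The effect described above, as an added example that is not part of the original writeup: a pure-Python model of ImageMagick's `-gamma` mapping applied to a constructed scanline under a dark translucent overlay, plus a flatness check a redactor could run before publishing. The pixel values, the 0.92 overlay opacity and the `redaction_leaks` helper are assumptions for illustration.

```python
def gamma_map(v, gamma):
    """Per-pixel mapping of ImageMagick's -gamma: out = in ** (1/gamma)."""
    return round(255 * (v / 255) ** (1.0 / gamma))


def overlay(v, alpha, ink=0):
    """Alpha-blend an ink colour over pixel v (alpha=1.0 is fully opaque)."""
    return round((1 - alpha) * v + alpha * ink)


def contrast(pixels):
    """Spread between the brightest and darkest pixel, in 8-bit levels."""
    return max(pixels) - min(pixels)


def redaction_leaks(box, tolerance=0):
    """A sound redaction box is flat; any spread means data survived."""
    return contrast(box) > tolerance


def reveal(box, gamma):
    """Apply the gamma mapping to every pixel inside the box."""
    return [gamma_map(v, gamma) for v in box]


# Constructed sample: one 8-bit grayscale scanline through a redacted word.
PAPER, TEXT = 230, 40
scanline = [PAPER, TEXT, TEXT, PAPER, TEXT, PAPER, PAPER, TEXT]

# Assumed weak redaction: a 92%-opaque black rectangle over the text.
weak = [overlay(v, alpha=0.92) for v in scanline]
# Proper redaction: fully opaque, so the original pixels are replaced.
opaque = [overlay(v, alpha=1.0) for v in scanline]

if __name__ == "__main__":
    print("weak box :", weak, "contrast", contrast(weak))
    for g in (0.5, 2.0):
        out = reveal(weak, g)
        print(f"gamma {g}:", out, "contrast", contrast(out))
    print("weak leaks:", redaction_leaks(weak))
    print("opaque leaks:", redaction_leaks(opaque))
```

On real JPEG pages, pass a small `tolerance` to `redaction_leaks`, since compression noise keeps even an opaque box from being perfectly flat.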

>8) Locate the flag

After generating the reveal variants, the breakthrough came from viewing:

  • extracted/reveal/page-002_gamma_2.0.png

The hidden/redacted text became readable, and the flag was visible:

CTF{I5_th1s_r3dacted}

>9) Tools used (everything that mattered)

Primary (core solve path):

  • unzip — extract the provided archive
  • pdfinfo — identify PDF metadata and confirm it’s image-based
  • pdfimages — extract embedded page images from the PDF
  • convert (ImageMagick) — apply gamma/contrast/threshold/invert transformations
  • Image viewer (xdg-open / system viewer) — manually confirm the revealed flag

Secondary / supporting triage (useful to rule out other hiding methods):

  • file — identify file formats quickly
  • pdftotext — confirm there is no selectable text layer
  • pdfdetach — confirm there are no embedded attachments
  • tesseract — OCR for recon and keyword hints
  • strings, binwalk, exiftool, steghide — quick checks to ensure the flag wasn’t embedded in metadata, appended payloads, or stego

>10) How I knew to try this approach (reasoning chain)

  • The prompt mentions “classified documents” + “missing details” → classic redaction theme.
  • pdfinfo showed img2pdf → likely the PDF is just images.
  • pdftotext returned nothing → confirms no normal text layer.
  • Once you have page images, “missing details” usually means low contrast or partially obscured text.
  • Image enhancement (gamma/levels/threshold) is a standard forensic step for recovering faint content.
  • Page 3 (page-002) was the correct target, and gamma 2.0 revealed the hidden string.

>11) References

These are the key references for the exact tools/techniques used: