Confidential TryHackMe Walkthrough

Today we will be solving the Confidential room from TryHackMe. This is an easy-level forensics challenge, recommended for beginners who want to learn digital forensics.


In this challenge we are given a PDF file, and inside the PDF there is a QR code that has been redacted. Our goal is to recover the original QR code and read the flag!

First of all, we need to start the machine; the target machine can then be accessed from the split view.

We have a PDF file named Repdf.pdf. When we open the PDF, there is only one page, and that page is an image.

We need to find the flag in this PDF. I started by running the strings command to check whether the flag was hidden in the metadata, but there was nothing there.

ubuntu@thm-confidential:~/confidential$ strings Repdf.pdf | less

Next I tried to use binwalk on the file, but it wasn't installed on the machine, so that is most probably out of scope.

If we look closely at the QR code, we can see that the red triangle is drawn as an overlay: there is an actual QR code beneath it, and the overlay only hides it visually without removing it from the file.

There is a tool named pdfimages (from poppler-utils, installed on Kali Linux) that extracts every embedded image from a PDF with the following command:

ubuntu@thm-confidential:~/confidential$ pdfimages -png Repdf.pdf ext
ubuntu@thm-confidential:~/confidential$ ls
Repdf.pdf  ext-000.png  ext-001.png  ext-002.png

We got three images! Looking at the first one, we get the original QR code without the red triangle.
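To show why the overlay is not a real redaction, here is an added example (not part of the original writeup or the challenge files) that builds a small constructed PDF with an image drawn on the page and a red rectangle painted over it, then scans the file's object table for image XObjects and writes them out as PPM files, which is what pdfimages does when -png is not given. The object layout, the 2x2 sample image and the assumption that objects are not packed into compressed object streams are all assumptions of this example.

```python
"""Scan a PDF for embedded image XObjects to show that an overlay painted on a
page does not remove the image underneath it. Constructed sample data only."""
import re
import zlib


def build_sample_pdf() -> bytes:
    """Construct a one-page PDF that draws a 2x2 RGB image and then paints a
    red square over it, layered like the redacted QR code. Constructed data,
    not the challenge file."""
    # Raw 2x2 RGB pixels (black, white / white, black), Flate-compressed.
    pixels = bytes([0, 0, 0, 255, 255, 255,
                    255, 255, 255, 0, 0, 0])
    img_stream = zlib.compress(pixels)
    content = (b"q 100 0 0 100 50 50 cm /Im0 Do Q\n"   # draw the image
               b"1 0 0 rg 50 50 100 100 re f\n")        # red square on top
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
        b"/Resources << /XObject << /Im0 4 0 R >> >> /Contents 5 0 R >>",
        b"<< /Type /XObject /Subtype /Image /Width 2 /Height 2 "
        b"/ColorSpace /DeviceRGB /BitsPerComponent 8 /Filter /FlateDecode "
        b"/Length %d >>\nstream\n" % len(img_stream) + img_stream + b"\nendstream",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_pos))
    return bytes(out)


def find_image_xobjects(pdf: bytes) -> list:
    """Return one record per image XObject found by walking 'N 0 obj' entries.
    Assumption: objects are stored uncompressed (not inside /ObjStm) and
    /Length is a direct integer; pdfimages handles the general case."""
    images = []
    for m in re.finditer(rb"(\d+)\s+(\d+)\s+obj\b", pdf):
        body = pdf[m.end():pdf.find(b"endobj", m.end())]
        if not re.search(rb"/Subtype\s*/Image\b", body):
            continue
        rec = {"obj": int(m.group(1))}
        for key in (b"Width", b"Height", b"Length", b"BitsPerComponent"):
            k = re.search(rb"/" + key + rb"\s+(\d+)", body)
            rec[key.decode().lower()] = int(k.group(1)) if k else None
        f = re.search(rb"/Filter\s*/(\w+)", body)
        rec["filter"] = f.group(1).decode() if f else None
        s = re.search(rb"stream\r?\n", body)
        data = body[s.end():s.end() + rec["length"]]
        if rec["filter"] == "FlateDecode":
            data = zlib.decompress(data)   # raw samples, no predictor assumed
        rec["pixels"] = data
        images.append(rec)
    return images


def to_ppm(rec: dict) -> bytes:
    """Wrap raw 8-bit RGB samples in a binary PPM (P6) header so any image
    viewer can open the recovered picture."""
    if rec["bitspercomponent"] != 8 or rec["filter"] not in (None, "FlateDecode"):
        raise ValueError("only raw or Flate-compressed 8-bit RGB handled here")
    return b"P6\n%d %d\n255\n" % (rec["width"], rec["height"]) + rec["pixels"]


if __name__ == "__main__":
    sample = build_sample_pdf()
    for rec in find_image_xobjects(sample):
        name = "ext-%03d.ppm" % rec["obj"]
        with open(name, "wb") as fh:
            fh.write(to_ppm(rec))
        print("obj %d: %dx%d %s -> %s" % (rec["obj"], rec["width"],
                                          rec["height"], rec["filter"], name))
```

The scan finds the image even though nothing on the rendered page shows it, because the red square is just one more drawing operator in the content stream. The practical check before publishing a "redacted" PDF is therefore the same one used here to recover the flag: extract the image objects and confirm the sensitive picture is gone from the file, not merely covered.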

We can now scan the QR code to get our flag. (PS: I have blurred the QR code for the sake of this writeup.)

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Viktor Keri.