Help Me, Memory Forensics, Shakti 2021
Shakti took place over the weekend and I happened to miss it, but I got hold of a memory forensics challenge before it ended and found it interesting.
Challenge
Help Me
400 points
Tags: re, memory

Our department had taken up the responsibility of solving a mysterious case but unfortunately our system crashed. We could only recover this memory dump. Your job is to get all the important files from the system and use the files to find out the secret information.

Note: The flag consists of 3 parts.

Challenge Link - [Link](https://mega.nz/file/Qm5m0DJa#pr7uBldobIRECbBaRPPC6z6c40cMjeseHaOyuxplev8)

Challenge Author - v1Ru5 & bl4ck_Widw
Tasks
determine the profile
find all three parts of the flag
some reversing
Solution
`volatility -f Challenge.vmem imageinfo` suggests the profile, which comes out as Win7SP1x64; every later module is run with `--profile=Win7SP1x64`.
- Basic recon
List all processes with the `pslist` module (same `-f` and `--profile` arguments) and check whether any of them looks suspicious.
Nothing rings a bell.
…
Next, the `cmdscan` and `consoles` modules recover the command history of cmd.exe, and one of the commands carries a base64 string. Decoding it gives the first part of the flag:
```
┌─[skoki@parrot]─[~/Desktop/CTFs/shakti]
└──╼ $echo UGFydCAxlC0gc2hha3RpY3Rme0gwcDM= | base64 -d
Part 1�- shaktictf{H0p3
```
The garbage byte before the dash is not part of the flag: the fourth base64 group, `lC0g`, has a lowercase `l` where the encoding of a space needs an uppercase `I` (`IC0g`), so that single byte decodes as 0x94 instead of 0x20. The first part is `shaktictf{H0p3`.
The second part of the flag is in a file: the `filescan` module lists a 'Part II.png', which we dump by its physical offset with the `dumpfiles` module (`-Q <offset> -D <output dir>`).

…
We get an image file.

…
Running zsteg on it reveals the second part of the flag as _y0U_l1k3d_.
On to the last part. It was a deleted file, so it no longer shows up in the folders we can reach from the memory dump; the remaining option is the `mftparser` module, which walks the $MFT records still held in memory. That works here because a file this small (562 bytes) keeps its $DATA resident inside its MFT record, and NTFS only clears the record's in-use flag on deletion instead of wiping it, so the whole zip is still there:
```
volatility -f Challenge.vmem --profile=Win7SP1x64 mftparser > mft_dump
```
In the output we find a hexdump of L4STpy.zip:
```
0000000000: 50 4b 03 04 14 00 00 00 08 00 49 83 82 52 c5 07 PK........I..R..
0000000010: 91 03 96 01 00 00 8d 03 00 00 0b 00 00 00 4c 34 ..............L4
0000000020: 53 54 2e 70 79 2e 74 78 74 8d 53 5d 6b c2 30 14 ST.py.txt.S]k.0.
0000000030: 7d 5e c1 ff 70 0d 0c 1b 3a 3b 26 4e a1 98 87 31 }^..p...:;&N...1
0000000040: f6 03 7c f3 03 07 5d 8d 9a b5 26 25 49 41 1f f6 ..|...]...&%IA..
0000000050: df 77 d3 d8 aa c3 81 79 49 ee d7 b9 e7 5c 6e 0c .w.....yI....\n.
0000000060: 1b 76 82 e0 c8 96 2b bc 16 fe ca f1 0a 3a c1 94 .v....+......:..
0000000070: 91 6a 37 18 7f 09 95 54 f3 c9 41 bf c5 04 83 6b .j7....T..A....k
0000000080: be 81 23 37 a1 90 25 4d 30 0b f0 18 eb 0b dd 7b ..#7..%M0......{
0000000090: a3 34 08 10 12 74 2a b7 1c c2 82 cb 3a b7 4d f6 .4...t*.....:.M.
00000000a0: 05 71 5a 96 5c ae c3 6c a7 43 a5 d7 2e 65 29 56 .qZ.\..l.C...e)V
00000000b0: b4 2f a2 21 a5 27 a8 52 0b 69 c3 5e 2f fe 56 42 ./.!.'.R.i.^/.VB
00000000c0: 86 c6 d2 88 fc 10 7a e2 f0 be e3 59 2e 3c 76 72 ......z....Y.<vr
00000000d0: b3 f7 ed d6 62 d3 fa 27 6c 7c 15 72 67 f1 1f b1 ....b..'l|.rg...
00000000e0: 97 48 b4 c4 dc e1 85 e1 49 27 b8 ab d8 6b 72 19 .H......I'...kr.
00000000f0: 9a db 4a cb 56 d3 82 36 72 ac 3e a2 6d f9 c1 3e ..J.V..6r.>.m..>
0000000100: 19 a7 07 4e e9 a6 2a 2c 30 20 a4 71 dd d0 e8 aa ...N..*,0..q....
0000000110: 50 64 4d e1 21 db a5 1a 0b 9c 0f 5b 77 82 4b e1 PdM.!......[w.K.
0000000120: 2e 16 0b 23 ab 3d d7 22 0b 29 fd 2b c0 f7 8b 58 ...#.=.".).+...X
0000000130: 2b c0 55 a0 76 4a 2f c6 c4 8b 33 54 85 7a b5 07 +.U.vJ/...3T.z..
0000000140: 82 1b 48 10 31 70 50 67 2c 88 c0 f4 47 af 14 1e ..H.1pPg,...G...
0000000150: 61 30 42 03 9f 97 a5 a7 a9 c2 1d ac 3e cf ac fc a0B.........>...
0000000160: 54 9b 9e a8 69 c6 70 f2 95 0d c9 87 b4 5c 43 6d T...i.p......\Cm
0000000170: 24 00 f5 f2 e4 ac 59 1d 3f f3 19 0e dc f9 fd b6 $.....Y.?.......
0000000180: e5 0e 13 f5 4d 19 cb db e5 f0 21 32 57 2a 8e a1 ....M.....!2W*..
0000000190: 50 2a 37 50 88 9c c3 51 55 1a 36 45 ba 05 61 20 P*7P...QU.6E..a.
00000001a0: 53 fb b2 e0 96 77 bb a4 e1 e5 fe c9 cc 19 41 ad S....w........A.
00000001b0: eb 1a 0d bb 43 ba 4d 85 4c 9e 91 58 1d f9 05 50 ....C.M.L..X...P
00000001c0: 4b 01 02 1f 00 14 00 00 00 08 00 49 83 82 52 c5 K..........I..R.
00000001d0: 07 91 03 96 01 00 00 8d 03 00 00 0b 00 24 00 00 .............$..
00000001e0: 00 00 00 00 00 20 00 00 00 00 00 00 00 4c 34 53 .............L4S
00000001f0: 54 2e 70 79 2e 74 78 74 0a 00 20 00 00 00 00 00 T.py.txt........
0000000200: 01 00 18 00 da a8 f1 ce ae 27 d7 01 35 ee 46 c8 .........'..5.F.
0000000210: ae 27 d7 01 35 ee 46 c8 ae 27 d7 01 50 4b 05 06 .'..5.F..'..PK..
0000000220: 00 00 00 00 01 00 01 00 5d 00 00 00 bf 01 00 00 ........].......
0000000230: 00 00 ..
```
Save that hexdump to a text file exactly as shown, with the offset column first and nothing in front of it (`xxd -r` seeks to each line's offset in the output file, so any prefix on the offsets scatters the bytes), then rebuild and unpack the archive:
```
xxd -r file.txt > L4STPY.zip
7z x L4STPY.zip
```
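As an added example (my code, not the writeup's and not the challenge's), here is the same rebuild step in Python with the checks a forensic carve deserves before anyone trusts what 7z unpacks: it parses the xxd-style dump above (embedded verbatim) into bytes the way `xxd -r` does, honouring the offset column so a missing or duplicated row is caught; it then reads the ZIP local file header and end-of-central-directory record and checks that header, compressed data, central directory and EOCD account for every one of the 562 bytes, which is what separates a complete carve from a truncated or padded one; finally the standard library lists the member and verifies its CRC. The dump constant is the page's own data; everything else is assumed for illustration.

```python
import io
import re
import struct
import zipfile
import zlib

# The hexdump mftparser printed for the deleted zip's resident $DATA, copied
# from the writeup: offset column, 16 hex pairs, ASCII column (xxd layout).
MFT_DUMP = r"""
0000000000: 50 4b 03 04 14 00 00 00 08 00 49 83 82 52 c5 07 PK........I..R..
0000000010: 91 03 96 01 00 00 8d 03 00 00 0b 00 00 00 4c 34 ..............L4
0000000020: 53 54 2e 70 79 2e 74 78 74 8d 53 5d 6b c2 30 14 ST.py.txt.S]k.0.
0000000030: 7d 5e c1 ff 70 0d 0c 1b 3a 3b 26 4e a1 98 87 31 }^..p...:;&N...1
0000000040: f6 03 7c f3 03 07 5d 8d 9a b5 26 25 49 41 1f f6 ..|...]...&%IA..
0000000050: df 77 d3 d8 aa c3 81 79 49 ee d7 b9 e7 5c 6e 0c .w.....yI....\n.
0000000060: 1b 76 82 e0 c8 96 2b bc 16 fe ca f1 0a 3a c1 94 .v....+......:..
0000000070: 91 6a 37 18 7f 09 95 54 f3 c9 41 bf c5 04 83 6b .j7....T..A....k
0000000080: be 81 23 37 a1 90 25 4d 30 0b f0 18 eb 0b dd 7b ..#7..%M0......{
0000000090: a3 34 08 10 12 74 2a b7 1c c2 82 cb 3a b7 4d f6 .4...t*.....:.M.
00000000a0: 05 71 5a 96 5c ae c3 6c a7 43 a5 d7 2e 65 29 56 .qZ.\..l.C...e)V
00000000b0: b4 2f a2 21 a5 27 a8 52 0b 69 c3 5e 2f fe 56 42 ./.!.'.R.i.^/.VB
00000000c0: 86 c6 d2 88 fc 10 7a e2 f0 be e3 59 2e 3c 76 72 ......z....Y.<vr
00000000d0: b3 f7 ed d6 62 d3 fa 27 6c 7c 15 72 67 f1 1f b1 ....b..'l|.rg...
00000000e0: 97 48 b4 c4 dc e1 85 e1 49 27 b8 ab d8 6b 72 19 .H......I'...kr.
00000000f0: 9a db 4a cb 56 d3 82 36 72 ac 3e a2 6d f9 c1 3e ..J.V..6r.>.m..>
0000000100: 19 a7 07 4e e9 a6 2a 2c 30 20 a4 71 dd d0 e8 aa ...N..*,0..q....
0000000110: 50 64 4d e1 21 db a5 1a 0b 9c 0f 5b 77 82 4b e1 PdM.!......[w.K.
0000000120: 2e 16 0b 23 ab 3d d7 22 0b 29 fd 2b c0 f7 8b 58 ...#.=.".).+...X
0000000130: 2b c0 55 a0 76 4a 2f c6 c4 8b 33 54 85 7a b5 07 +.U.vJ/...3T.z..
0000000140: 82 1b 48 10 31 70 50 67 2c 88 c0 f4 47 af 14 1e ..H.1pPg,...G...
0000000150: 61 30 42 03 9f 97 a5 a7 a9 c2 1d ac 3e cf ac fc a0B.........>...
0000000160: 54 9b 9e a8 69 c6 70 f2 95 0d c9 87 b4 5c 43 6d T...i.p......\Cm
0000000170: 24 00 f5 f2 e4 ac 59 1d 3f f3 19 0e dc f9 fd b6 $.....Y.?.......
0000000180: e5 0e 13 f5 4d 19 cb db e5 f0 21 32 57 2a 8e a1 ....M.....!2W*..
0000000190: 50 2a 37 50 88 9c c3 51 55 1a 36 45 ba 05 61 20 P*7P...QU.6E..a.
00000001a0: 53 fb b2 e0 96 77 bb a4 e1 e5 fe c9 cc 19 41 ad S....w........A.
00000001b0: eb 1a 0d bb 43 ba 4d 85 4c 9e 91 58 1d f9 05 50 ....C.M.L..X...P
00000001c0: 4b 01 02 1f 00 14 00 00 00 08 00 49 83 82 52 c5 K..........I..R.
00000001d0: 07 91 03 96 01 00 00 8d 03 00 00 0b 00 24 00 00 .............$..
00000001e0: 00 00 00 00 00 20 00 00 00 00 00 00 00 4c 34 53 .............L4S
00000001f0: 54 2e 70 79 2e 74 78 74 0a 00 20 00 00 00 00 00 T.py.txt........
0000000200: 01 00 18 00 da a8 f1 ce ae 27 d7 01 35 ee 46 c8 .........'..5.F.
0000000210: ae 27 d7 01 35 ee 46 c8 ae 27 d7 01 50 4b 05 06 .'..5.F..'..PK..
0000000220: 00 00 00 00 01 00 01 00 5d 00 00 00 bf 01 00 00 ........].......
0000000230: 00 00 ..
"""

# One dump row: hex offset, colon, at most 16 hex pairs; the ASCII column is ignored.
HEX_LINE = re.compile(r"^\s*([0-9a-fA-F]+):\s*((?:[0-9a-fA-F]{2}\s){1,16})")


def parse_xxd(dump: str) -> bytes:
    """Rebuild bytes from an xxd-style dump the way `xxd -r` does. The offset
    column is honoured, so a missing or duplicated row raises instead of
    silently shifting every byte after it."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line + " ")
        if not m:
            continue  # blank lines and anything that is not a dump row
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"dump is not contiguous at offset {m.group(1)}")
        out += bytes.fromhex(m.group(2))
    return bytes(out)


def zip_layout(data: bytes) -> dict:
    """Parse the local file header and the end-of-central-directory record and
    check that header + compressed data + central directory + EOCD account for
    every byte: a truncated or padded carve fails this even if 7z opens it."""
    if data[:4] != b"PK\x03\x04":
        raise ValueError("no local file header at offset 0")
    (_ver, _flags, method, _time, _date, crc, csize, usize,
     name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", data, 4)
    data_start = 30 + name_len + extra_len  # fixed header is 30 bytes
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    (_disk, _cd_disk, _n, _n_total, cd_size, cd_offset,
     comment_len) = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    complete = (data_start + csize == cd_offset
                and data[cd_offset:cd_offset + 4] == b"PK\x01\x02"
                and cd_offset + cd_size == eocd
                and eocd + 22 + comment_len == len(data))  # EOCD is 22 bytes
    return {"name": data[30:30 + name_len].decode("ascii"), "method": method,
            "crc32": crc, "compressed_size": csize, "uncompressed_size": usize,
            "cd_offset": cd_offset, "eocd_offset": eocd, "length": len(data),
            "complete": complete}


def carve(dump: str = MFT_DUMP) -> dict:
    """Dump text -> bytes -> structural check -> member list and CRC check.
    A bad deflate stream or CRC is reported in 'first_bad', not raised."""
    data = parse_xxd(dump)
    layout = zip_layout(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        layout["members"] = zf.namelist()
        try:
            layout["first_bad"] = zf.testzip()  # None when every CRC matches
        except (zipfile.BadZipFile, zlib.error) as exc:
            layout["first_bad"] = f"{layout['members'][0]}: {exc}"
    return layout
```

Calling `carve()` on the dump above returns the member name L4ST.py.txt, method 8 (deflate), 406 compressed and 909 uncompressed bytes, a central directory at 0x1bf and EOCD at 0x21c, and complete=True. Feed it the dump with line-number prefixes left in front of the offsets and the contiguity check fails on the very first row, which is exactly the failure `xxd -r` would turn into a huge sparse file.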
Inside is a Python script (L4ST.py.txt) that we need to reverse to get the last part of the flag:
```python
s=4

y=[]
Z=[]
k=[]

Q="uh27bio:uY<xrA."

# prints the final transform of the accepted input: each character is shifted
# back by its index and forward by 4, then a closing brace is appended
def yes(inp):
    st=[]
    for i in range (len(inp)):
        st.append(chr(ord(inp[i])-i+4))
    print(''.join(st)+"}")

# second stage: inputs of 7 characters or fewer get a position-dependent shift,
# longer ones a flat +4 (Z is a global list, so only the first call gives a
# clean answer)
def Checkin(inp):
    for i in range(len(inp)):
        if(len(inp)<=7):
            Z.append(chr(ord(inp[i])-1+i))
        else:
            Z.append(chr(ord(inp[i])+4))
    return(''.join(Z))

# first stage: digits step down by one, upper-case letters are Caesar-shifted
# by s, everything else has its lowest bit flipped
def tryin(text,s):
    result = ""
    for i in range(len(text)):
        char = text[i]
        if(char.isnumeric()):
            result+=(chr(ord(char)-1))
        elif(char.isupper()):
            result += chr((ord(char) + s-65) % 26 + 65)
        else:
            result+=(chr(ord(char)^1))
    return result

X=input("Enter input: ")
k=Checkin(tryin(X,s))
print(k)
if(Q==k):
    print("Yoo.. looks like your flag is complete!!")
    yes(X)
else:
    print("try again:/ ")
```
Reversing the script (undo the +4 from Checkin, then undo tryin one character at a time, then feed the recovered input to yes) prints the last part of the flag. Worked through on the script as printed above, the recovered input is pe/4_dj7pQ9uo<+ and yes() prints th15_ch4lL3ng3!}, so the last part carries a th15_ in front of ch4lL3ng3!}.
Flag: shaktictf{H0p3_y0U_l1k3d_th15_ch4lL3ng3!}
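To make the reversing step reproducible, here is an added solver (my code, not the challenge script and not the writeup's). It re-implements the script's three transforms as pure functions (the original `Checkin` appends to a global list, so it only answers correctly once per process), inverts `Checkin` by subtracting the 4, then inverts `tryin` character by character: `tryin` is not obviously injective (a digit and its xor-1 neighbour can land on the same output), so for every output character the solver enumerates the three candidate preimages and keeps the one the forward function actually maps to it, raising if that is not exactly one. Function names other than the script's own are mine.

```python
S = 4
Q = "uh27bio:uY<xrA."


def tryin(text: str, s: int = S) -> str:
    """Forward stage one, as in the challenge script: digits step down by one,
    upper-case letters are Caesar-shifted by s, everything else has bit 0 flipped."""
    result = ""
    for char in text:
        if char.isnumeric():
            result += chr(ord(char) - 1)
        elif char.isupper():
            result += chr((ord(char) + s - 65) % 26 + 65)
        else:
            result += chr(ord(char) ^ 1)
    return result


def checkin(inp: str) -> str:
    """Forward stage two, made pure: position-dependent shift for short inputs,
    a flat +4 for anything longer than 7 characters."""
    if len(inp) <= 7:
        return "".join(chr(ord(c) - 1 + i) for i, c in enumerate(inp))
    return "".join(chr(ord(c) + 4) for c in inp)


def yes(inp: str) -> str:
    """The script's final print, returned instead of printed."""
    return "".join(chr(ord(c) - i + 4) for i, c in enumerate(inp)) + "}"


def invert_checkin(k: str) -> str:
    """Exact inverse of checkin for both length branches."""
    if len(k) <= 7:
        return "".join(chr(ord(c) + 1 - i) for i, c in enumerate(k))
    return "".join(chr(ord(c) - 4) for c in k)


def invert_tryin(target: str, s: int = S) -> str:
    """Per character, try the preimage of each branch and keep only the ones
    the forward function confirms; the set dedupes the digit/xor collision."""
    recovered = []
    for c in target:
        candidates = {chr(ord(c) + 1),                    # digit branch
                      chr((ord(c) - s - 65) % 26 + 65),   # upper-case branch
                      chr(ord(c) ^ 1)}                    # xor branch
        valid = sorted(x for x in candidates if tryin(x, s) == c)
        if len(valid) != 1:
            raise ValueError(f"{c!r} has {len(valid)} preimages: {valid}")
        recovered.append(valid[0])
    return "".join(recovered)


def solve(q: str = Q, s: int = S):
    """Recover the input the script accepts and the flag part it then prints."""
    x = invert_tryin(invert_checkin(q), s)
    assert checkin(tryin(x, s)) == q, "round trip failed"
    return x, yes(x)
```

`solve()` returns the pair (`pe/4_dj7pQ9uo<+`, `th15_ch4lL3ng3!}`); typing the first value into the original script makes it print the second. The round-trip assertion is the check worth keeping in any such inverter: if the inversion is wrong or ambiguous you find out before submitting a flag.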
PS: I am told it was worth 400 points and was among the least solved XD