CTF EVENT: H@cktivity Con CTF 2021
DIFFICULTY: Medium
CATEGORY: FORENSICS
AUTHOR: @congon4tor#2334 (Discord)
INTRODUCTION:
Challenge: My computer crashed and I lost everything I was doing for work…
We need to download a .bin file (this is a ~2 GB file). You can download this file here.
The challenge gives us an image.bin file and asks us to figure out what the user was doing when the PC crashed. That alone tells us this is a memory-dump challenge: the image is a capture of volatile memory (RAM), so the plan is to list the processes that were running at the moment of the crash and extract information from them.
Since we are working with volatile memory, the tool of choice for extracting information from it is Volatility.
I first tried to use Volatility 2, but it didn't work and I was stuck for the whole CTF. At that point, I didn't know that there was another version, Volatility 3.
Credit for this writeup goes to KZA. Go check out some of his writeups here.
I used his writeup to understand the tool. The goal of this writeup is to give more details about every step for people (like me) who are beginners in digital forensics.
If you don’t have Volatility3 you can download it here.
THE SOLUTION:
The first thing to check is the process list. To list all the processes we use Volatility 3's windows.pslist plugin (for a Windows image every plugin name carries the windows. prefix).
In the output we see that a LibreOffice process was running when the memory dump was taken.
We can dump this process (its PID is 1036) and search the dump for anything interesting. The only useful thing we find is the path of a potential flag file.
From there we can search for every file whose name contains "flag". The windows.filescan plugin lists all the file objects it finds in memory; piping its output through grep flag keeps only the lines containing the word "flag".
The filescan output gives us the virtual offset of the matching file object (0xaa873ab2e740). Note that this is the offset of the file object, not of the process. With it we can dump the file using the windows.dumpfiles plugin and its --virtaddr argument, passing that offset:
As soon as the dump completes, two new files appear in the current directory (*.flag.ods.dat and *.flag.ods.vacb): the .dat is rebuilt from the file's data section object and the .vacb from the shared cache map, so each is a reconstruction from cached pages rather than a byte-exact copy of the file on disk.
If we try to open *.flag.ods.vacb, LibreOffice says the file must be repaired before it can be opened (an .ods document is a ZIP container, and the dumped copy is padded to cache-view boundaries and may be missing pages, which breaks the ZIP structure).
Once we repair it, the file opens and we can see the flag.
Flag : flag{4b02ee4e7b62139152e8d0d4373a7c3d}
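As an added example (not part of the original writeup, nor KZA's), here is the whole chain from the solution above as a small POSIX shell script with the parsing steps pulled out into functions that can be exercised offline. It assumes the Volatility 3 CLI is reachable as vol.py (override with VOL), that the image is image.bin in the current directory (override with IMAGE), that LibreOffice's process image name is soffice.bin, and that windows.memmap is the plugin used to dump the process memory (the writeup does not say which one it used). The sample pslist/filescan output inside the script is constructed, not captured from the challenge image.

```shell
#!/bin/sh
# Added example, not from the original writeup: the Volatility 3 workflow described
# above, wrapped in small shell functions. The parsing helpers run offline on the
# constructed sample output below; solve() only runs when an image and vol.py exist.
# Assumptions: Volatility 3's CLI is $VOL (default vol.py) and the memory image is
# $IMAGE (default image.bin, the challenge file name used in the writeup).
set -eu

VOL="${VOL:-vol.py}"
IMAGE="${IMAGE:-image.bin}"

# windows.pslist prints a table whose first three columns are PID, PPID, ImageFileName.
# Print the PID of the first process whose ImageFileName equals NAME.
pid_of() {
    awk -v name="$1" '$1 ~ /^[0-9]+$/ && $3 == name { print $1; exit }'
}

# windows.filescan prints Offset, Name, Size. Offset is the virtual address of the
# _FILE_OBJECT, which is exactly what windows.dumpfiles --virtaddr expects.
# Print the offset of the first file-object row whose line matches the regex PATTERN.
filescan_offset_for() {
    awk -v pat="$1" '$1 ~ /^0x[0-9a-fA-F]+$/ && $0 ~ pat { print $1; exit }'
}

# Constructed sample output (NOT real output from the challenge image) so the helpers
# can be tested without the 2 GB dump. PID 1036 and offset 0xaa873ab2e740 are the values
# quoted in the writeup; soffice.bin as LibreOffice's image name is an assumption.
sample_pslist() {
    printf 'Volatility 3 Framework 2.0.0\n'
    printf 'PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output\n'
    printf '4\t0\tSystem\t0xaa873a067040\t120\t-\tN/A\tFalse\t2021-09-01 10:00:00.000000\tN/A\tDisabled\n'
    printf '1036\t988\tsoffice.bin\t0xaa873ab0b080\t12\t-\t1\tFalse\t2021-09-01 10:05:00.000000\tN/A\tDisabled\n'
}

sample_filescan() {
    printf 'Volatility 3 Framework 2.0.0\n'
    printf 'Offset\tName\tSize\n'
    printf '0xaa873a9d1230\t\\Windows\\System32\\ntdll.dll\t0x1f0000\n'
    printf '0xaa873ab2e740\t\\Users\\user\\Documents\\flag.ods\t0x2400\n'
}

# An .ods document is a ZIP container, so a sane dump starts with the "PK\003\004"
# local-file header. Returns 0 if FILE starts with it, 1 otherwise. A cache dump can be
# padded or truncated further in, which is why LibreOffice may still ask to repair it.
looks_like_zip() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "504b0304" ]
}

# The full chain from the writeup (needs the real image):
# 1. list processes and find LibreOffice; 2. dump its memory and grep for the flag path;
# 3. locate the flag file object; 4. dump its cached pages with windows.dumpfiles.
solve() {
    pid=$("$VOL" -f "$IMAGE" windows.pslist | pid_of soffice.bin)
    "$VOL" -f "$IMAGE" windows.memmap --pid "$pid" --dump      # writes pid.<pid>.dmp
    strings "pid.$pid.dmp" | grep -i 'flag\.ods' | sort -u       # where the flag file lives
    offset=$("$VOL" -f "$IMAGE" windows.filescan | filescan_offset_for 'flag')
    "$VOL" -f "$IMAGE" windows.dumpfiles --virtaddr "$offset"   # writes *.flag.ods.dat / .vacb
}

if [ -f "$IMAGE" ] && command -v "$VOL" >/dev/null 2>&1; then
    solve
    for f in *.flag.ods.vacb *.flag.ods.dat; do
        [ -f "$f" ] && { looks_like_zip "$f" && echo "$f: ZIP header OK" || echo "$f: no ZIP header"; }
    done
fi
```

Run it from the directory holding the image (VOL=/opt/volatility3/vol.py sh solve.sh). The ZIP-header check only tells you the start of the dump is intact; the .vacb copy is rebuilt from the shared cache map and padded to view boundaries, so the ZIP end-of-central-directory record is usually no longer where a reader expects it, and LibreOffice's repair prompt (or a generic ZIP repair) is still needed, as the writeup found.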
CONCLUSION:
I hope you have enjoyed reading this writeup. It was my first time using Volatility 3 (I had already used Volatility 2). The logic is the same, but the syntax is different. I found two good cheat sheets that will help you in the future.
VOLATILITY CHEATSHEET:
If you want to read more writeups like this one or have any questions, you can find me on Twitter @dropn0w.
Stay safe, stay curious!