Hoarded Flag
Writeup for Hoarded Flag (Forensics) - 1337UP LIVE CTF (2024) 💜
Challenge Description
My friend said they are going to make an insane new crypto challenge and I have to solve it but.. I hate crypto
I saw them making a flag but didn't catch the text. When they left the room I tried to open the file but they password protected it?! I can't believe they wouldn't trust me around their computer like that!! 😤
Anyway, I figured I'd take a snapshot to have a better look later.. Maybe you can help?
Solution
It's a memory dump, so we can analyse it with Volatility (the vol.py commands below use the Volatility 3 syntax).
Iterate through the plugins, looking for useful information. The windows.cmdscan plugin recovers the console command history from conhost.exe, and here it reveals an interesting command:

```shell
python vol.py -f memory_dump.raw windows.cmdscan
```

```
** 1032 conhost.exe 0x23442febbf0 _COMMAND_HISTORY.CommandBucket_Command_1 0x2344310e0e0 7z a -pScaredToDeathScaredToLook1312 -mhe flag.7z flag.zip
```
So, 7z was used to encrypt a flag using the password ScaredToDeathScaredToLook1312 🤔
Search for these files with the filescan plugin:

```shell
python vol.py -f memory_dump.raw windows.filescan | grep flag
```

```
0xb20dbd74d5f0 \Users\cat\Desktop\flag.zip
0xb20dbd74e720 \Users\cat\Desktop\flag.7z
```
Download one of those (the password for both is the same):

```shell
python vol.py -f memory_dump.raw windows.dumpfiles.DumpFiles --virtaddr 0xb20dbd74e720
```
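The console history is the whole find here: an archiver given its password inline (7z and rar with `-p<password>`, zip with `-P <password>`) leaves that password in conhost's command history, in process command lines and in memory, which is exactly what cmdscan pulls back out. The following Python script is an added example, not part of the original writeup and not Volatility code: it parses cmdscan and filescan output, extracts inline archive passwords from each recovered command, and maps the archive name back to its filescan offset so the matching dumpfiles command can be generated. The two output fragments are the ones shown on this page, re-typed as constructed sample input; the vol.py invocation it emits assumes Volatility 3's windows.dumpfiles.DumpFiles plugin with --virtaddr, as used above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two Volatility 3 output fragments shown in the
# writeup, re-typed here so the script runs offline without the memory image.
CMDSCAN_OUTPUT = (
    "** 1032 conhost.exe 0x23442febbf0 _COMMAND_HISTORY.CommandBucket_Command_1 "
    "0x2344310e0e0 7z a -pScaredToDeathScaredToLook1312 -mhe flag.7z flag.zip\n"
)
FILESCAN_OUTPUT = (
    "0xb20dbd74d5f0 \\Users\\cat\\Desktop\\flag.zip\n"
    "0xb20dbd74e720 \\Users\\cat\\Desktop\\flag.7z\n"
)

# Archivers that accept the password inline on the command line: 7z/rar take
# -p<password> with no space, zip takes -P <password> as two tokens.
ARCHIVERS = {"7z", "7za", "rar", "zip"}

# One windows.filescan row: "<virtual address> <path>".
FILESCAN_ROW = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+(\S.*?)\s*$")


@dataclass
class InlineSecret:
    tool: str
    password: str
    archive: Optional[str]   # archive named on the command line, if any
    raw: str                 # the recovered command, kept for the report


def find_inline_passwords(line: str) -> List[InlineSecret]:
    """Return each archiver invocation in `line` that carries an inline password."""
    tokens = line.split()
    found: List[InlineSecret] = []
    for i, tok in enumerate(tokens):
        name = tok.lower().rsplit("\\", 1)[-1]     # drop any path prefix
        if name.endswith(".exe"):
            name = name[:-4]
        if name not in ARCHIVERS:
            continue
        # 7z and rar take a command letter ('a', 'x', ...) before the archive; zip does not.
        archive_position = 1 if name == "zip" else 2
        password = archive = None
        positional = 0
        args = tokens[i + 1:]
        j = 0
        while j < len(args):
            arg = args[j]
            if name == "zip" and arg == "-P" and j + 1 < len(args):
                password = args[j + 1]
                j += 1                               # consume the password token
            elif name != "zip" and arg.startswith("-p") and len(arg) > 2:
                password = arg[2:]                   # bare -p means "prompt", not a secret
            elif not arg.startswith("-"):
                positional += 1
                if positional == archive_position:
                    archive = arg
            j += 1
        if password:
            found.append(InlineSecret(name, password, archive, line.strip()))
    return found


def parse_filescan(output: str) -> List[Tuple[str, str]]:
    """Parse windows.filescan rows into (virtual address, path) pairs."""
    rows: List[Tuple[str, str]] = []
    for line in output.splitlines():
        m = FILESCAN_ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2)))
    return rows


def plan_dumps(cmdscan_output: str, filescan_output: str, image: str) -> List[str]:
    """For every archive created with an inline password, emit the dumpfiles
    command that recovers it from the image (one per matching FILE_OBJECT)."""
    files = parse_filescan(filescan_output)
    commands: List[str] = []
    for line in cmdscan_output.splitlines():
        for hit in find_inline_passwords(line):
            if not hit.archive:
                continue
            base = hit.archive.rsplit("\\", 1)[-1].lower()
            for addr, path in files:
                if path.lower().rsplit("\\", 1)[-1] == base:
                    commands.append(
                        f"python vol.py -f {image} windows.dumpfiles.DumpFiles --virtaddr {addr}"
                    )
    return commands


if __name__ == "__main__":
    for hit in find_inline_passwords(CMDSCAN_OUTPUT):
        print(f"{hit.tool}: password={hit.password!r} archive={hit.archive}")
    for cmd in plan_dumps(CMDSCAN_OUTPUT, FILESCAN_OUTPUT, "memory_dump.raw"):
        print(cmd)
```

With a real image, redirect the plugin output to files (`python vol.py -f memory_dump.raw windows.cmdscan > cmdscan.txt`, likewise for filescan) and pass the text to `plan_dumps`. The same parser run over endpoint command-line telemetry flags archives whose passwords were typed inline, which is the detection-side reading of this challenge.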
Finally, extract the flag:

```shell
7z x flag.zip
```
Flag: INTIGRITI{7h3_m3m0ry_h0ld5_7h3_53cr375}