Help Me,Memory Forensics Shakti 2021

 

Shakti took place over the weekend and i happened to miss out, but i got a memory forensics challenge before it ended and i found it interesting

Challenge

Help Me
400
re memory

Our department had taken up the responsibility of solving a mysterious case but unfortunately our system crashed. We could only recover this memory dump. Your job is get all the important files from the system and use the files to find out the secret informatiom.

Note : The flag consists of 3 parts.

Challenge Link - [Link](https://mega.nz/file/Qm5m0DJa#pr7uBldobIRECbBaRPPC6z6c40cMjeseHaOyuxplev8)

Challenge Author - v1Ru5 & bl4ck_Widw
  • Tasks

    • determine the profile

    • find all the three parts of the flag

    • some reversing

Solution

volatility -f Challenge.vmem imageinfo - determine the profile which we get as Win7SP1x64

  • Basic recon list all the processes and check if any looks suspicious using module pslist

nothing rings a bell

… proceeding the next step using cmdscan or consoles modules to check recent commands

and we get a base64 encoded string

decoding that give us the first part of the flag

┌─[skoki@parrot]─[~/Desktop/CTFs/shakti]
└──╼ $echo UGFydCAxlC0gc2hha3RpY3Rme0gwcDM= | base64 -d
Part 1�- shaktictf{H0p3

the second part of the flag was in files found using filescan module which reveals a ‘Part II.png’ file dumped by it’s offset using dumpfiles module

we get an image file

… running zsteg - on it reveals the 2nd part of the flag as _y0U_l1k3d_

onto the last part of the flag, it was a deleted file, so we couldn’t find it on most of the folders in the memdump, our last option was to use the mftparser module

volatility -f Challenge.vmem --profile=Win7SP1x64 mftparser > mft_dump

we get a hexdump of a L4STpy.zip

0000000000: 50 4b 03 04 14 00 00 00 08 00 49 83 82 52 c5 07   PK........I..R..
0000000010: 91 03 96 01 00 00 8d 03 00 00 0b 00 00 00 4c 34   ..............L4
0000000020: 53 54 2e 70 79 2e 74 78 74 8d 53 5d 6b c2 30 14   ST.py.txt.S]k.0.
0000000030: 7d 5e c1 ff 70 0d 0c 1b 3a 3b 26 4e a1 98 87 31   }^..p...:;&N...1
0000000040: f6 03 7c f3 03 07 5d 8d 9a b5 26 25 49 41 1f f6   ..|...]...&%IA..
0000000050: df 77 d3 d8 aa c3 81 79 49 ee d7 b9 e7 5c 6e 0c   .w.....yI....\n.
0000000060: 1b 76 82 e0 c8 96 2b bc 16 fe ca f1 0a 3a c1 94   .v....+......:..
0000000070: 91 6a 37 18 7f 09 95 54 f3 c9 41 bf c5 04 83 6b   .j7....T..A....k
0000000080: be 81 23 37 a1 90 25 4d 30 0b f0 18 eb 0b dd 7b   ..#7..%M0......{
0000000090: a3 34 08 10 12 74 2a b7 1c c2 82 cb 3a b7 4d f6   .4...t*.....:.M.
00000000a0: 05 71 5a 96 5c ae c3 6c a7 43 a5 d7 2e 65 29 56   .qZ.\..l.C...e)V
00000000b0: b4 2f a2 21 a5 27 a8 52 0b 69 c3 5e 2f fe 56 42   ./.!.'.R.i.^/.VB
00000000c0: 86 c6 d2 88 fc 10 7a e2 f0 be e3 59 2e 3c 76 72   ......z....Y.<vr
00000000d0: b3 f7 ed d6 62 d3 fa 27 6c 7c 15 72 67 f1 1f b1   ....b..'l|.rg...
00000000e0: 97 48 b4 c4 dc e1 85 e1 49 27 b8 ab d8 6b 72 19   .H......I'...kr.
00000000f0: 9a db 4a cb 56 d3 82 36 72 ac 3e a2 6d f9 c1 3e   ..J.V..6r.>.m..>
0000000100: 19 a7 07 4e e9 a6 2a 2c 30 20 a4 71 dd d0 e8 aa   ...N..*,0..q....
0000000110: 50 64 4d e1 21 db a5 1a 0b 9c 0f 5b 77 82 4b e1   PdM.!......[w.K.
0000000120: 2e 16 0b 23 ab 3d d7 22 0b 29 fd 2b c0 f7 8b 58   ...#.=.".).+...X
0000000130: 2b c0 55 a0 76 4a 2f c6 c4 8b 33 54 85 7a b5 07   +.U.vJ/...3T.z..
0000000140: 82 1b 48 10 31 70 50 67 2c 88 c0 f4 47 af 14 1e   ..H.1pPg,...G...
0000000150: 61 30 42 03 9f 97 a5 a7 a9 c2 1d ac 3e cf ac fc   a0B.........>...
0000000160: 54 9b 9e a8 69 c6 70 f2 95 0d c9 87 b4 5c 43 6d   T...i.p......\Cm
0000000170: 24 00 f5 f2 e4 ac 59 1d 3f f3 19 0e dc f9 fd b6   $.....Y.?.......
0000000180: e5 0e 13 f5 4d 19 cb db e5 f0 21 32 57 2a 8e a1   ....M.....!2W*..
0000000190: 50 2a 37 50 88 9c c3 51 55 1a 36 45 ba 05 61 20   P*7P...QU.6E..a.
00000001a0: 53 fb b2 e0 96 77 bb a4 e1 e5 fe c9 cc 19 41 ad   S....w........A.
00000001b0: eb 1a 0d bb 43 ba 4d 85 4c 9e 91 58 1d f9 05 50   ....C.M.L..X...P
00000001c0: 4b 01 02 1f 00 14 00 00 00 08 00 49 83 82 52 c5   K..........I..R.
00000001d0: 07 91 03 96 01 00 00 8d 03 00 00 0b 00 24 00 00   .............$..
00000001e0: 00 00 00 00 00 20 00 00 00 00 00 00 00 4c 34 53   .............L4S
00000001f0: 54 2e 70 79 2e 74 78 74 0a 00 20 00 00 00 00 00   T.py.txt........
0000000200: 01 00 18 00 da a8 f1 ce ae 27 d7 01 35 ee 46 c8   .........'..5.F.
0000000210: ae 27 d7 01 35 ee 46 c8 ae 27 d7 01 50 4b 05 06   .'..5.F..'..PK..
0000000220: 00 00 00 00 01 00 01 00 5d 00 00 00 bf 01 00 00   ........].......
0000000230: 00 00                                             ..

save that in a txt file,then

cat file.txt | xxd -r > L4STPY.zip

7z x L4STPY.zip

we get a python code that we need to reverse to get the last part of the Flag

s=4

y=[]

Z=[]

k=[]

Q="uh27bio:uY<xrA."

def yes(inp):

    st=[]

    for i in range (len(inp)):

        st.append(chr(ord(inp[i])-i+4))

    print(''.join(st)+"}")

def Checkin(inp):

    for i in range(len(inp)):

        if(len(inp)<=7):

            Z.append(chr(ord(inp[i])-1+i))

        else:

            Z.append(chr(ord(inp[i])+4))
    return(''.join(Z))

def tryin(text,s):
 
    result = ""
 
    for i in range(len(text)):     	char = text[i]

        if(char.isnumeric()):

            result+=(chr(ord(char)-1))

        elif(char.isupper()):
 
            result += chr((ord(char) + s-65) % 26 + 65)
 
        else:
 
            result+=(chr(ord(char)^1))

    return result 

X=input("Enter input:  ")

k=Checkin(tryin(X,s))

print(k)

if(Q==k):

    print("Yoo.. looks like your flag is complete!!")

    yes(X)


else:

    print("try again:/ ")

reversing the python code and running it spits the last part of the flag as ch4lL3ng3!}

Flag:shaktictf{H0p3_y0U_l1k3d_ch4lL3ng3!}

PS: i am told it was worth 400 points and was among the least solved XD

further reading