MemLabs: First 3 challenges

[Write-up]

You can find the challenges here.

Challenge #1 — Beginner's Luck

  • Description

My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That's all we remember from the time of the crash.

  • Volatility Profile

C:\Users\mohammed\Desktop\MemLabs\Lab01
λ C:\Tools\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone.exe -f MemoryDump_Lab1.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\mohammed\Desktop\MemLabs\Lab01\MemoryDump_Lab1.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800028100a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002811d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-12-11 14:38:00 UTC+0000
     Image local date and time : 2019-12-11 20:08:00 +0530

I chose the first suggested profile, Win7SP1x64, as this is a small raw image and the imageinfo plugin is accurate enough for it.

  • Highlights

1 - Black popup tells me that I need to look into cmd.

2 - “Draw something” tells me that I should look into paint.

  • Flag 1

I ran the consoles plugin on the image. It dumped the commands that were executed in cmd. Then, I found something unusual.

I decoded it and had the first flag.


flag{th1s_xxxxxxxxxxxx}

  • Flag 2

This one is a bit tricky because we are trying to recover the contents of a Paint window that was open at the time the memory dump was acquired.


So, after searching a bit, it turns out that a raw process memory dump can be opened as image data in a photo editor. I used Gimp.


I dumped the process memory using the memdump plugin. Then, the resulting 2424.dmp needs to be renamed to ANY_NAME.data so that Gimp reads it as raw image data without any problem.

After loading the file into Gimp, choosing the RGB Alpha image type, adjusting the offset, width and height, and flipping the image, we are able to see the flag.
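The Gimp step above is a manual way of reinterpreting raw process memory as pixels. The following added example (my own code, not part of the write-up) does the same thing without Gimp: it slices a window of bytes out of a dump at a chosen offset, treats each pixel as BGRX (the channel order Windows GDI bitmaps use; assumed here), optionally flips the rows the way the "reverse" step does, and writes a PNG using only the standard library. Width, height and offset still have to be guessed and tuned, exactly as in Gimp; the sample bytes are constructed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, payload: bytes) -> bytes:
    """Wrap a PNG chunk: length, tag+payload, CRC32 over tag+payload."""
    body = tag + payload
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", crc)


def bgrx_rows_to_rgba(data: bytes, offset: int, width: int, height: int,
                      flip_vertical: bool = False) -> list:
    """Take width*height*4 bytes starting at offset, read each pixel as B,G,R,X
    (assumed GDI framebuffer order) and return RGBA scanlines, top row first."""
    stride = width * 4
    frame = data[offset:offset + stride * height]
    frame += b"\x00" * (stride * height - len(frame))   # pad a short tail with black
    rows = []
    for y in range(height):
        row = bytearray(frame[y * stride:(y + 1) * stride])
        row[0::4], row[2::4] = row[2::4], row[0::4]      # swap B and R
        row[3::4] = b"\xff" * width                      # force alpha opaque (X is junk)
        rows.append(bytes(row))
    if flip_vertical:               # bottom-up bitmaps appear upside down otherwise
        rows.reverse()
    return rows


def raw_to_png(data: bytes, offset: int, width: int, height: int,
               flip_vertical: bool = False) -> bytes:
    """Render a slice of a raw dump as an 8-bit RGBA PNG (filter type 0 per row)."""
    rows = bgrx_rows_to_rgba(data, offset, width, height, flip_vertical)
    scanlines = b"".join(b"\x00" + r for r in rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b""))


def png_dimensions(png: bytes) -> tuple:
    """Read (width, height) back out of the IHDR chunk."""
    return struct.unpack(">II", png[16:24])


# Constructed 2x2 BGRX sample: red, green on the top row; blue, white below.
SAMPLE = bytes([0, 0, 255, 0, 0, 255, 0, 0, 255, 0, 0, 0, 255, 255, 255, 0])

if __name__ == "__main__":
    with open("candidate.png", "wb") as fh:
        fh.write(raw_to_png(SAMPLE, 0, 2, 2, flip_vertical=True))
```

On a real memdump you would call raw_to_png on the file contents with a candidate width (for example the screen width) and step the offset until the PNG shows structure.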

I wrote the flag down.


flag{G00d_BoY_xxxxxx}

  • Flag 3


I actually found the 3rd flag while exploring cmd.


I ran the cmdline plugin and found something interesting.

As shown, WinRAR.exe was run to open a RAR file. So, logically, we want to see the contents of that file. To do so, we need to find its physical offset in memory and dump it to disk.


My plan plugin-wise was:


filescan (with the amazing grep) ==> dumpfiles

After dumping the RAR file and opening it, we see that it is password-protected, and the password is the uppercase NTLM hash of Alissa's password. To get that hash, we use the hashdump plugin. After uppercasing the hash, we are able to open the image inside the archive, and the flag was there.

I wrote the flag down.


flag{w3ll_3rd_stagxxxxxxxxxxxx}

Challenge #2 — A New World

  • Description

One of the clients of our company lost access to his system due to an unknown error. He is supposedly a very popular "environmental" activist. As a part of the investigation, he told us that his go-to applications are browsers, his password managers etc. We hope that you can dig into this memory dump and find his important stuff and give it back to us.

  • Volatility Profile

C:\Users\mohammed\Desktop\MemLabs\Lab02
λ C:\Tools\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone.exe -f MemoryDump_Lab2.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\mohammed\Desktop\MemLabs\Lab02\MemoryDump_Lab2.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800027f20a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800027f3d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-12-14 10:38:46 UTC+0000
     Image local date and time : 2019-12-14 16:08:46 +0530

I chose the first suggested profile, Win7SP1x64, as this is a small raw image and the imageinfo plugin is accurate enough for it.

  • Highlights

1 - He is a popular “environmentalist”, which tells me I should look into environment variables.

2 - “Browsers” tells me to go to the browsers’ logs.

3 - “Password Managers” tells me to look into password managers in files or processes.

  • Flag 1

To look into environment variables in a memory dump using Volatility, the envars plugin is the way to go.


I noticed that there is a NEW_TMP variable that was set and encoded.

I decoded it and got the flag.


flag{w3lc0m3_xxxxxxxxxxx}

  • Flag 2

I ran the pslist plugin to see if the dump contained any browsers or password manager processes, and it did.


1 - Browsers: chrome.exe

2 - Password Managers: KeePass.exe

Then I ran the cmdline plugin to see the command lines these processes were started with.

After googling what a .kdbx file is, I found that it is the KeePass database that stores the passwords. Very good. However, it is encrypted, and to open it we need either a master passphrase or a key file (.key or .keyx). I ran the filescan plugin to get the physical address of the database and dumpfiles to dump it.


Then, I downloaded KeePass portable to open the database. However, we have one problem: the key to decrypt it. My first guess was to crack it using John-The-Ripper, but I failed because it took too long. My second guess was to filescan for .key or .keyx files, but I found nothing. My third and final guess was to look for the word “pass” in cached files.


I found an interesting file.

I opened the png image, and the password was in the bottom right corner (I did not see it the first time tbh). Then, I imported the database into KeePass and used the master passphrase to decrypt it. And there was the flag waiting for me.

I copied the flag password into a notepad.


flag{w0w_th1s_1sxxxxxxxxxxxxxxxx}

  • Flag 3

The browser is all that is left. I knew that Chrome stores its history in a SQLite database named History under the AppData directory. So I ran filescan against the memory dump, then dumped the file and opened it in SQLite Browser.

I opened the urls table, and found a Mega link.
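The urls table is where that link lives, and a carved History file is easiest to triage with a query rather than by scrolling. The following added example (my own code, not from the write-up) builds a constructed in-memory stand-in for the urls table and shows the query, plus the one caveat that trips people up: last_visit_time is a WebKit timestamp (microseconds since 1601-01-01 UTC), not a Unix time, so it has to be converted before it can be compared with the image date. The rows and the mega.nz URL are made up.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome's urls.last_visit_time counts microseconds from 1601-01-01 UTC (WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_iso(microseconds: int) -> str:
    """Convert a WebKit timestamp to an ISO-8601 UTC string; 0 means never visited."""
    if not microseconds:
        return "never"
    return (WEBKIT_EPOCH + timedelta(microseconds=microseconds)).isoformat()


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a dumped History database, with only the urls
    columns used below. The rows are invented, not the lab's data."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER)"
    )
    con.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time) "
        "VALUES (?, ?, ?, ?, ?)",
        [  # timestamps chosen to fall shortly before the image date
            ("https://www.google.com/search?q=keepass", "keepass - Google Search", 2, 0, 13220790000000000),
            ("https://keepass.info/download.html", "Downloads - KeePass", 1, 0, 13220790600000000),
            ("https://mega.nz/file/CONSTRUCTED#placeholder", "MEGA", 1, 1, 13220791200000000),
        ],
    )
    return con


def find_urls(con: sqlite3.Connection, needle: str) -> list:
    """Rows whose URL contains needle, most recent visit first, as
    (url, title, visit_count, last_visit_utc)."""
    cur = con.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "WHERE url LIKE ? ORDER BY last_visit_time DESC",
        (f"%{needle}%",),
    )
    return [(u, t, v, webkit_to_iso(ts)) for u, t, v, ts in cur]


if __name__ == "__main__":
    for row in find_urls(build_sample_history(), "mega.nz"):
        print(row)
```

Against a real dumped History file, replace ":memory:" with the path of the carved file; the query and the timestamp conversion stay the same.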

I opened it in a browser, found a zip file, and downloaded it.

It was encrypted with the hash of the 1st flag from Lab-1, all lowercase.

The flag was in the image. I wrote it down.


flag{oK_So_Now_St4g3_3xxxxxxxxxxxxxx}

Challenge #3 — The Evil's Den

  • Description

A malicious script encrypted a very secret piece of information I had on my system. Can you recover the information for me please?

  • Volatility Profile

C:\Users\mohammed\Desktop\MemLabs\Lab03
λ C:\Tools\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone.exe -f MemoryDump_Lab3.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\mohammed\Desktop\MemLabs\Lab03\MemoryDump_Lab3.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82742c68L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x82743d00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2018-09-30 09:47:54 UTC+0000
     Image local date and time : 2018-09-30 15:17:54 +0530

I chose the first suggested profile, Win7SP1x86_23418, as this is a small raw image and the imageinfo plugin is accurate enough for it.

  • Highlights

1 - “script” tells me that there is a script involved, maybe in the cmdline.

2 - The challenge needs steghide, most likely for an image.

  • Flag 1 — 1st half

I ran the cmdline plugin and noticed two files.

Let us dump them to see what they contain.

In order to regain the original value, we need to reverse the operation: take the value stored in vip.txt, base64-decode it, and then XOR it with 3. I used CyberChef.
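The same reversal in code, as an added example (mine, not the write-up's CyberChef recipe). It assumes the script's forward direction was XOR-with-3 followed by base64, so the decode is base64 first and then XOR again (XOR with a fixed key is its own inverse), and it also shows how a known flag prefix pins down the key if the 3 were not known. The vip.txt value here is constructed, not the lab's.

```python
import base64

XOR_KEY = 3  # single-byte key the script used, per the write-up


def xor_with(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def encode_like_script(plaintext: bytes, key: int = XOR_KEY) -> str:
    """Forward direction (assumed): XOR each byte with the key, then base64-encode."""
    return base64.b64encode(xor_with(plaintext, key)).decode("ascii")


def decode_vip(stored: str, key: int = XOR_KEY) -> bytes:
    """Reverse direction: base64-decode first, then XOR with the key.
    Swapping the order would XOR the base64 text itself and yield garbage."""
    return xor_with(base64.b64decode(stored.strip()), key)


def recover_key(stored: str, known_prefix: bytes = b"inctf{") -> list:
    """If the key were unknown, the flag format gives a crib: return every
    single-byte key that maps the first decoded bytes onto known_prefix."""
    raw = base64.b64decode(stored.strip())[: len(known_prefix)]
    return [k for k in range(256) if xor_with(raw, k) == known_prefix]


# Constructed stand-in for the vip.txt content; the real value is not reproduced.
SAMPLE_PLAINTEXT = b"inctf{constructed_first_half"
SAMPLE_VIP = encode_like_script(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("vip.txt:", SAMPLE_VIP)
    print("decoded:", decode_vip(SAMPLE_VIP).decode())
    print("keys matching the inctf{ prefix:", recover_key(SAMPLE_VIP))
```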


I did that and got the first half of the flag.


inctf{0n3xxxxxxxx

  • Flag 1 — 2nd half

So, steghide is a tool for image steganography. I ran the filescan plugin to look for pictures with the usual image extensions (.jpg, .jpeg, etc.).

I found a file named suspision1.jpeg, so I ran steghide on it in my Kali machine with the first half of the flag as the password. Then, I got the 2nd half.

I concatenated the two halves, and got the whole flag.


inctf{0n3_xxxxxxxxxxxx1s_n0t_xxxxxxxx}

Flags Submission

Flag submission is through email. I submitted it for the three challenges and was successful in all of them.