We are provided with a Windows 7 memory dump. Let us begin with an initial level of analysis, starting with the running processes.
Initial Analysis
$ volatility -f MemoryDump_Lab5.raw --profile=Win7SP1x64 pslist
As we can see, WinRAR.exe is running, which implies that the user may have opened a RAR archive. So let's search the whole memory image for a RAR file using filescan.
$ volatility -f MemoryDump_Lab5.raw --profile=Win7SP1x64 filescan | grep rar
As we can see, there is a RAR archive present in memory. Let us dump it with the dumpfiles plugin (passing the file object's physical offset from the filescan output with -Q) and try to extract it.
Extraction asks for a password, and the lab description says that you'll get the stage 2 flag only when you have the stage 1 flag. So let us find the first flag.
Flag 1
As we saw in the pslist output, there is no suspicious process running. So let's check the Internet Explorer browsing history instead, using the iehistory plugin.
$ volatility -f MemoryDump_Lab5.raw --profile=Win7SP1x64 iehistory
We can see a .bmp file being accessed. The file name looks suspicious: it is a base64 string. So let's decode it.
After decoding it we get the flag: flag{!!w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3!!}
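Spotting the base64 file name by eye works for one record, but a longer history listing is easier to sweep programmatically. The following Python is an added example (not part of the original writeup and not a Volatility plugin): it splits each record into path/URL components, strips the extension, and keeps only components that decode cleanly to printable ASCII. The sample records are constructed in the style of iehistory output and are not the real output from the lab dump; the user name, paths and the second and third records are assumptions.

```python
import base64
import binascii
import os
import re

# Constructed sample in the style of Volatility's iehistory output; it is not
# the real output from the lab dump. The .bmp name is the base64 form of the
# stage 1 flag; the other records are filler to show that noise is ignored.
SAMPLE_IEHISTORY = """\
Location: Visited: Alissa@file:///C:/Users/Alissa/Desktop/ZmxhZ3shIXczTExfZDBuM19TdDRnMy0xXzBmX0w0Ql81X0QwbjMhIX0=.bmp
Location: Visited: Alissa@file:///C:/Users/Alissa/Desktop/report.docx
Location: Visited: Alissa@http://www.example.com/index.html
"""

# Standard base64 alphabet with optional padding. Windows file names cannot
# contain '/', so splitting on path separators below does not break them.
_B64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def base64_path_components(text):
    """Yield (component, decoded) for every path/URL component in text that
    decodes as base64 to printable ASCII. The extension is stripped first so
    that a name like 'Zm9v....bmp' is still recognised."""
    for piece in re.split(r"[\s/\\]+", text):
        base, _ext = os.path.splitext(piece)
        if not _B64.fullmatch(base):
            continue
        try:
            raw = base64.b64decode(base, validate=True)
        except binascii.Error:
            continue  # bad length or padding: not real base64
        if raw and all(32 <= b < 127 for b in raw):
            yield base, raw.decode("ascii")


def extract_flags(text, pattern=r"flag\{.*\}"):
    """Decoded components that look like a CTF flag."""
    return [dec for _, dec in base64_path_components(text)
            if re.fullmatch(pattern, dec)]


if __name__ == "__main__":
    for comp, dec in base64_path_components(SAMPLE_IEHISTORY):
        print(f"{comp} -> {dec}")
    print("flags:", extract_flags(SAMPLE_IEHISTORY))
```

Pipe the real plugin output in (`volatility ... iehistory | python3 this_script.py` after swapping the sample for `sys.stdin.read()`) and the decoded candidates are listed; the printable-ASCII filter is what keeps random runs of letters in ordinary file names from showing up as garbage decodes.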
Flag 2
So let's use the flag we got as the password for the RAR archive.
Hoorah! We got it extracted.
That's how you finish MemLabs Lab 5.
If you like my solution, please do share it. I'm available on Twitter: @NihithNihi