Description
We are provided with a memory dump and asked to decrypt the encrypted contents of an archive file.
To get the entire description and other details, visit Hacktoria.
We shall use Volatility to extract useful evidence from the provided memory dump.
For this challenge, I will be using Volatility 2. Get it from the official GitHub repo.
Initial Analysis
Let’s start our analysis by finding the profile of the memory dump provided.
$ vol.py -f .\CompromisedSystemMem.vmem imageinfo
As you can see from the above image, the identified profile is: Win7SP1x86_23418
Let’s use that profile and check which processes were running at the time this memory dump was captured.
Running Processes
We shall use the pslist plugin from Volatility to list all the processes that were running at the time of the memory capture.
$ vol.py -f .\CompromisedSystemMem.vmem --profile=Win7SP1x86_23418 pslist
As we can see from the above image (highlighted in RED), the processes cmd.exe, conhost.exe and ipconfig.exe have exited, so their content might no longer be available in memory to investigate.
We can also see that a notepad.exe process is running, which means some text files were open on the system at the time of the memory capture.
To find these text files we can make use of the handles or filescan plugins.
Finding the text file
We shall use the filescan plugin and grep through these entries to get all the text files.
$ vol.py -f .\CompromisedSystemMem.vmem --profile=Win7SP1x86_23418 filescan | Select-String "\.txt"
Two important things to notice are note.txt and Flag.txt files.
Let’s try to dump the Flag.txt file using the dumpfiles plugin and check its retrieved contents.
$ vol.py -f .\CompromisedSystemMem.vmem --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003d9339a0 -D .
From the above image, we can see that it is a DataSectionObject and that the contents of this file have been retrieved successfully.
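The pslist and filescan steps above are easy to automate when the dump is large. The following is an added example (not part of the original writeup and not Volatility's own code) that parses the Volatility 2 column layout of both plugins: it reports which processes carry an Exit timestamp (and so may have had their memory released), filters filescan output for .txt objects the way the Select-String "\.txt" filter does, and builds the dumpfiles -Q command for each hit. The sample plugin output embedded below is constructed to match the Volatility 2 format; only the Flag.txt offset 0x000000003d9339a0 comes from the writeup, while the \Users\Admin\Desktop paths, PIDs and timestamps are made up.

```python
"""Parse Volatility 2 pslist / filescan output to spot exited processes and
locate text files worth dumping. Added example: the plugin output below is
constructed to mirror the Volatility 2 column layout, not taken from the
challenge image (only the Flag.txt offset is the one from the writeup)."""
import re

# Constructed sample of `vol.py ... pslist` output (PIDs/timestamps invented).
PSLIST_SAMPLE = r"""
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x84f8b020 System                    4      0     87      541 ------      0 2022-06-20 10:00:01 UTC+0000
0x85ef2d40 explorer.exe           1820   1796     30      801      1      0 2022-06-20 10:00:45 UTC+0000
0x86a0c4f8 notepad.exe            2384   1820      2       61      1      0 2022-06-20 10:04:10 UTC+0000
0x86b1d030 cmd.exe                2452   1820      0 --------      1      0 2022-06-20 10:05:12 UTC+0000   2022-06-20 10:05:40 UTC+0000
0x86b22a90 conhost.exe            2460    388      0 --------      1      0 2022-06-20 10:05:12 UTC+0000   2022-06-20 10:05:40 UTC+0000
0x86b3e120 ipconfig.exe           2488   2452      0 --------      1      0 2022-06-20 10:05:30 UTC+0000   2022-06-20 10:05:31 UTC+0000
"""

# Constructed sample of `vol.py ... filescan` output. The Flag.txt offset is
# the one used in the writeup; the paths are assumed, not from the real dump.
FILESCAN_SAMPLE = r"""
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003d1a2f80     16      0 R--rwd \Device\HarddiskVolume1\Windows\System32\config\SOFTWARE
0x000000003d55c6e0      2      1 RW-r-- \Device\HarddiskVolume1\Users\Admin\Desktop\note.txt
0x000000003d9339a0      8      0 R--r-- \Device\HarddiskVolume1\Users\Admin\Desktop\Flag.txt
0x000000003dab1040      1      0 R--r-- \Device\HarddiskVolume1\Windows\System32\drivers\etc\hosts
"""

# Volatility 2 prints timestamps as "YYYY-MM-DD HH:MM:SS UTC+0000"; the Exit
# column is simply absent for processes that are still running.
_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}"
PSLIST_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\S+)\s+(?P<hnds>\S+)\s+(?P<sess>\S+)\s+(?P<wow64>\d+)\s+"
    r"(?P<start>" + _TS + r")(?:\s+(?P<exit>" + _TS + r"))?\s*$"
)
FILESCAN_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<ptr>\d+)\s+(?P<hnd>\d+)\s+"
    r"(?P<access>\S+)\s+(?P<name>\S.*?)\s*$"
)


def parse_pslist(text):
    """Return one dict per process row; header/separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            row = m.groupdict()
            row["pid"], row["ppid"] = int(row["pid"]), int(row["ppid"])
            procs.append(row)
    return procs


def exited_processes(text):
    """Names of processes with an Exit timestamp: their memory may already
    have been released, so their content may not be recoverable."""
    return [p["name"] for p in parse_pslist(text) if p["exit"]]


def running_processes(text):
    """Names of processes that were still alive at capture time."""
    return [p["name"] for p in parse_pslist(text) if not p["exit"]]


def find_files(text, suffix=".txt"):
    """(physical offset, path) for every FILE_OBJECT whose name ends with
    suffix (case-insensitive), matching the Select-String "\\.txt" filter."""
    hits = []
    for line in text.splitlines():
        m = FILESCAN_RE.match(line)
        if m and m.group("name").lower().endswith(suffix.lower()):
            hits.append((m.group("offset"), m.group("name")))
    return hits


def dumpfiles_command(vmem, profile, offset, outdir="."):
    """Build the Volatility 2 dumpfiles call for a filescan physical offset.
    -Q takes the physical offset printed by filescan, not a virtual one."""
    return f"vol.py -f {vmem} --profile={profile} dumpfiles -Q {offset} -D {outdir}"


if __name__ == "__main__":
    print("exited:", exited_processes(PSLIST_SAMPLE))
    print("running:", running_processes(PSLIST_SAMPLE))
    for offset, path in find_files(FILESCAN_SAMPLE):
        print(path)
        print("  ", dumpfiles_command("CompromisedSystemMem.vmem", "Win7SP1x86_23418", offset))
```

Running the script against real plugin output (redirect `vol.py ... pslist` and `filescan` to files and read them in place of the samples) prints the same cmd.exe/conhost.exe/ipconfig.exe exit finding as the highlighted rows and one ready-to-run dumpfiles command per .txt object, so note.txt and Flag.txt can be pulled in one pass.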
We can see that we have successfully retrieved the flag.
Flag
Hacktoria{You_4nalyz3d_m3m0ry_AND_Cr4ckED_PASSW0rd}
Now let’s use this flag as the password for the FLAGFILE provided to retrieve the contract card.