[+] Recon

This post spoils a CTF challenge … Don’t read if you want to try it !

SantHackLaus is a Jeopardy CTF challenge. It is organized by IMT Lille Douai. I had a great time solving these challenges :D BretStiles is a forensic challenge. We need to recover the flag from a memory dump.
You can get the archive here.

We just have one file : challenge.dmp.

challenge.dmp is a Windows memory dump. Let’s analyze it with Volatility.

The best profile for this dump was : Win10x64_10586.
First, let’s enumerate the processes in this memory dump with pstree.

volatility -f challenge.dmp --profile=Win10x64_10586 pstree

Nothing special…

volatility -f challenge.dmp --profile=Win10x64_10586 psxview

And no hacky hidden process…

We can read the recently entered commands with “cmdline”. And there is something interesting …

volatility -f challenge.dmp --profile=Win10x64_10586 cmdline

User ‘John’ opened the bob.png picture with paint.exe.
Let’s see if we can recover this picture from paint.exe memory. We first need to dump the process memory to a file, and then explore it with GIMP for example : volatility -f challenge.dmp --profile=Win10x64_10586 memdump -p 3372 -D ..

Finally… We found the flag at offset=320140667, width=332, height=350 in RGB Alpha mode.

Flag is : IMTLD{1m4gin4ti0N}.

[+] Bye

Feel free to tell me what you think about this post :)