For this challenge, we get a zip file with a raw memory dump inside, named forensic_100.raw.
First, let's determine which OS this dump comes from:
```
➜ volatility -f forensic_100.raw imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/media/sf_Challenges/CTF/SECCON/forensic_100.raw)
                      PAE type : PAE
                           DTB : 0x34c000L
                          KDBG : 0x80545ce0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-12-06 05:28:47 UTC+0000
     Image local date and time : 2016-12-06 14:28:47 +0900
```
The hosts file recovered from the image (file.None.0x819a3008.dat, the name Volatility's dumpfiles gives an extracted file object) now sits next to the raw dump:

```
➜ ls
file.None.0x819a3008.dat  forensic_100.raw  memoryanalysis.zip
```

```
➜ cat file.None.0x819a3008.dat
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
```
Among the running processes there is an IEXPLORE.EXE (PID 1080). Why not check its browsing history?
```
➜ volatility -f forensic_100.raw --profile=WinXPSP2x86 iehistory
Volatility Foundation Volatility Framework 2.5
**************************************************
Process: 1080 IEXPLORE.EXE
Cache type "DEST" at 0x201ca83
Last modified: 2016-12-06 14:28:40 UTC+0000
Last accessed: 2016-12-06 05:28:42 UTC+0000
URL: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
Title: Security & Reverse :: [Data Science] Pandas - \),
```
If we visit this URL as-is, ignoring the IP address in the recovered hosts file, we land on a CTF site. There is no flag on this site...
But if we point the URL's hostname at the IP address from the hosts file, as the victim machine did, we get a file to download, and this file holds the flag :-)
Flag : SECCON{h3110_w3_h4ve_fun_w4rg4m3}
Note: We could also have retrieved the IP address with the connscan plugin, but connscan alone shows only the socket endpoints; it cannot tell us that crattack.tistory.com was being resolved to that IP address. The hosts file is what ties the hostname to the address.
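The two manual steps above, reading the dumped hosts file and then requesting the URL from IE history with its hostname steered to the overriding IP, can be made repeatable. The following Python script is an added example, not part of the original writeup: it parses a hosts file in the format dumpfiles recovered, reports the entries that are not the stock localhost mappings, resolves the hostname of the recovered URL against them, and emits a `curl --resolve` command that sends the request to that IP while keeping the original Host header (so the analyst never has to edit their own resolver configuration). The sample hosts content and the override address 192.0.2.10 are constructed placeholders, not values from the challenge image.

```python
"""Resolve a URL recovered from IE history against a hosts file dumped from
memory, and build a request that reproduces the hosts-file redirection.

Added example, not part of the original writeup. The hosts file below is
constructed: 192.0.2.10 (TEST-NET-1) is a placeholder override, not the
address from the challenge image.
"""
from urllib.parse import urlsplit

# Constructed sample: the stock Windows XP hosts file plus one appended entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
192.0.2.10      crattack.tistory.com   # hypothetical override (constructed)
"""

# URL as recovered by the iehistory plugin in the writeup.
IE_URL = "http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd"


def parse_hosts(text):
    """Return ({hostname_lower: ip}, [(name, kept_ip, ignored_ip), ...]).

    Handles blank lines, whole-line and trailing '#' comments, and lines that
    map several names to one address. The first entry for a name is kept;
    later duplicates are returned separately so the analyst can review them.
    """
    mapping = {}
    duplicates = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments, then whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed: address without a name
        ip, names = fields[0], fields[1:]
        for name in names:
            key = name.lower()
            if key in mapping:
                duplicates.append((key, mapping[key], ip))
                continue
            mapping[key] = ip
    return mapping, duplicates


def overrides(mapping):
    """Entries that do not point at the local host: these are what an attacker
    (or a CTF author) appends to hijack a name."""
    local = {"127.0.0.1", "::1"}
    return {name: ip for name, ip in mapping.items() if ip not in local}


def resolve_url(url, mapping):
    """IP the hosts file would steer this URL's hostname to, or None."""
    host = urlsplit(url).hostname
    return mapping.get(host.lower()) if host else None


def curl_command(url, ip):
    """Build a curl invocation that connects to `ip` but keeps the original
    Host header (and SNI for https), via curl's --resolve option."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"curl --resolve {parts.hostname}:{port}:{ip} '{url}'"


if __name__ == "__main__":
    hosts, dups = parse_hosts(SAMPLE_HOSTS)
    print("overrides found:", overrides(hosts))
    if dups:
        print("duplicate names (first kept):", dups)
    target = resolve_url(IE_URL, hosts)
    if target is None:
        print("hosts file does not override this hostname; DNS would be used")
    else:
        print(curl_command(IE_URL, target))
```

Running it prints the override found in the sample hosts file and the curl command to fetch the recovered URL from that address. With the real dumped file, replace `SAMPLE_HOSTS` with the contents of file.None.0x819a3008.dat; the `--resolve` form leaves your own hosts file and DNS untouched, which matters when the override points at attacker infrastructure.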