Description
I found someone using my personal computer to do something shady. Fortunately, I have recorded these actions in time; you can check what he did on my computer. The reward is a flag for you.
Solution
This was a really nice and easy challenge, but I wasted hours on it.
We are given a .raw file, so we can use Volatility on this one, with --profile=WinXPSP2x86 for further analysis.
Now, if we focus on the description, it says "I have recorded these actions in time", so I decided to use the timeliner plugin.
At first it gave out a lot of crap, so I grepped it for flag.
There were two files referring to flag, i.e. flag.txt.txt and flag.rar.
So now we need to extract those files and see which one has the real flag.
This is where I wasted hours. For some reason I couldn't figure out how to dump those files :man_facepalming: even though it's like the basics of Volatility. I knew I needed to use the dumpfiles plugin, but it kept on giving me a shit load of output, which was hard to analyze.
After an hour or so I realised I can dump a particular file by providing its physical offset, and we can use the filescan plugin to find that offset.
At first filescan gave a lot of output, so I grepped it for Games, since the path we are looking for has Games in it.
Now that we have the physical offset, we can simply dump this file.
We expected a rar file, but what we get is a generic .dat file. Running strings on this file shows the rar header.
This means it's a rar file, but a bit messed up. To see what's wrong with the file headers, I used the xxd command.
As we can see, the bytes of the rar file are reversed, meaning the very first byte should be 52, then 61, then 72 (the "Rar" signature), but those were at the end of the file.
Something like:
We can reverse the bytes of the file and then we get a proper rar file. I was trying to do this via Python code, but @pusher found a much quicker and better solution:
< input.dat xxd -p -c1 | tac | xxd -p -r > file.rar
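As an added example (not part of the original writeup), here is a small Python equivalent of that xxd | tac | xxd -r pipeline that first checks for the RAR signature at either end of the file, so you only reverse a dump that really is stored back to front; the sample bytes in it are constructed, not the challenge file.

```python
# Added example: Python equivalent of `< input.dat xxd -p -c1 | tac | xxd -p -r`
# that checks the RAR signature before and after reversing the byte stream.
import sys

# RAR 4.x marker block: "Rar!" 0x1A 0x07 0x00 (52 61 72 21 1A 07 00)
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
# RAR 5.x signature: "Rar!" 0x1A 0x07 0x01 0x00
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
MAGICS = (RAR4_MAGIC, RAR5_MAGIC)

# Constructed sample (not the challenge file): a RAR4 marker plus a dummy
# body, stored back to front the way the dumped .dat looked in the writeup.
SAMPLE_BODY = RAR4_MAGIC + b"dummy archive body"
SAMPLE_REVERSED = SAMPLE_BODY[::-1]


def classify(data: bytes) -> str:
    """'rar' if data starts with a RAR signature, 'reversed' if the
    byte-reversed data does, otherwise 'unknown'."""
    if data.startswith(MAGICS):
        return "rar"
    if data[::-1].startswith(MAGICS):
        return "reversed"
    return "unknown"


def repair(data: bytes) -> bytes:
    """Reverse the whole byte stream when the signature sits at the end;
    this is exactly what the xxd | tac | xxd -r pipeline does."""
    kind = classify(data)
    if kind == "rar":
        return data
    if kind == "reversed":
        return data[::-1]
    raise ValueError("no RAR signature at either end of the data")


def repair_file(src: str, dst: str) -> str:
    """Read src, write the repaired archive to dst, return what src was."""
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(repair(data))
    return classify(data)


if __name__ == "__main__":
    # usage: python fix_rar.py input.dat file.rar
    print(repair_file(sys.argv[1], sys.argv[2]))
```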
Using this we get the rar file, and that rar is password protected. I simply grepped the .raw file for password.
Using the password hu5ky_4nd_f0r3n51c we can extract flag.txt from flag.rar.
FLAG: ISITDTU{1_l0v3_huskyyyyyyy<3}
Since the flag was in flag.rar, I decided to see what was in flag.txt.txt. After dumping that file and running strings on it, I found a fake flag: ISITDTU{f4k3_flagggggggggggggggggggggggg}.
You can also find this fake flag by running strings on the main memory dump and grepping for ISITDTU.