Tags: forensics

# FwordCTF 2020 Writeup
This repository serves as a writeup for FwordCTF 2020 solved by [S3c5murf](https://ctftime.org/team/63808)'s team

## Identity Fraud

**Category:** OSINT
**Points:** 419
**Author:** Cyb3rDoctor
**Description:**

> Someone stole our logo and created a team named "Eword". In order to find him, I created a fake twitter account (@1337bloggs) to join Eword team. Fortunately, they replied to the fake account and gave me a task to solve. So, if I solve it, they will accept me as a team member. ... Can you help me in solving the task?

> Flag Format: Eword{}

**Hint:**

>(no hint)

### Write-up

[@EwordTeam](https://twitter.com/EwordTeam) told the fake account to visit their ctftime team profile to continue with the task.

The team can be found by searching for "Eword" on the [Rating page](https://ctftime.org/stats/) of ctftime.org, and it is the right team because [@EwordTeam](https://twitter.com/EwordTeam) links that ctftime profile in their Twitter profile description.

And this is the team profile: [https://ctftime.org/team/131587](https://ctftime.org/team/131587)

But, as [@EwordTeam](https://twitter.com/EwordTeam) mentioned, the description had been removed from there.

The first thing I thought of was the [Wayback Machine](https://archive.org/web/).

I pasted the URL https://ctftime.org/team/131587 and found that the page had been archived on 26/08/2020 and 27/08/2020, two days before the start of the CTF.

I chose the snapshot from 27/08/2020: [archive](https://web.archive.org/web/20200827114614/https://ctftime.org/team/131587)

That is how we found an extra Pastebin link: [https://pastebin.com/8bk9qLX1](https://pastebin.com/8bk9qLX1)

So the real task started: find the leader of Eword by following the hint in the second Pastebin link: [https://pastebin.com/PZvaSjA0](https://pastebin.com/PZvaSjA0)

That link provides a Base64-encoded string, most likely a file, but of which type? The easiest way to find out is to decode the Base64 string into a file and run the `file` command on it:

```
base64 -d encoded.txt > unknown_file
file unknown_file
```

Output:

```
unknown_file: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1080x2094, components 3
```

So the file is a JPEG. If, like me, you are working on a VPS without a GUI, you can download the image from there or view it directly in a browser by pasting a data URL built from the Base64 string (`data:image/jpeg;base64,<the string>`) into the URL bar:




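As an added example (not part of the original writeup), here is the decode-and-identify step in Python: it normalises a pasted Base64 blob, sniffs the file type from magic bytes the way `file` does, reads the image dimensions from the JPEG SOF segment, and builds the `data:` URL for viewing the file in a browser. The JPEG bytes embedded below are constructed (a header-only JFIF declaring 1080x2094 with no scan data), not the challenge's image.

```python
#!/usr/bin/env python3
"""Decode a Base64 blob, identify it from magic bytes, and build a data: URL.
Added example for the writeup; SAMPLE_JPEG is a constructed header-only file."""
import base64
import binascii
import re

# (magic bytes, offset, description, MIME type): the signatures `file` reports most often in CTFs
SIGNATURES = [
    (b"\xff\xd8\xff", 0, "JPEG image", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", 0, "PNG image", "image/png"),
    (b"GIF87a", 0, "GIF image", "image/gif"),
    (b"GIF89a", 0, "GIF image", "image/gif"),
    (b"%PDF-", 0, "PDF document", "application/pdf"),
    (b"PK\x03\x04", 0, "Zip archive", "application/zip"),
    (b"\x7fELF", 0, "ELF executable", "application/octet-stream"),
]


def decode_b64(text):
    """Decode pasted Base64, tolerating a data: prefix, whitespace and stripped '=' padding."""
    text = re.sub(r"^data:[^,]*,", "", text.strip())
    text = re.sub(r"\s+", "", text)
    text += "=" * (-len(text) % 4)
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error as e:
        raise ValueError(f"not valid Base64: {e}") from e


def sniff(data):
    """Return (description, MIME) for the first matching signature, like `file`."""
    for magic, off, kind, mime in SIGNATURES:
        if data[off:off + len(magic)] == magic:
            return kind, mime
    return "unknown", "application/octet-stream"


def jpeg_dimensions(data):
    """Walk the JPEG marker segments to SOF0/SOF1/SOF2 and return (width, height)."""
    if not data.startswith(b"\xff\xd8"):
        return None
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            return None  # lost sync: not a marker
        marker = data[i + 1]
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            i += 2  # standalone markers carry no length field
            continue
        seglen = int.from_bytes(data[i + 2:i + 4], "big")
        if marker in (0xC0, 0xC1, 0xC2):  # SOF: [len][precision][height][width][components]...
            height = int.from_bytes(data[i + 5:i + 7], "big")
            width = int.from_bytes(data[i + 7:i + 9], "big")
            return width, height
        i += 2 + seglen
    return None


def data_url(text):
    """Decode, sniff, and return (description, data: URL) ready to paste into a browser."""
    data = decode_b64(text)
    kind, mime = sniff(data)
    return kind, f"data:{mime};base64,{base64.b64encode(data).decode()}"


# Constructed sample: SOI, APP0/JFIF 1.01 (density 1x1), SOF0 declaring 1080x2094, EOI
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xc0" + (17).to_bytes(2, "big") + b"\x08" + (2094).to_bytes(2, "big")
    + (1080).to_bytes(2, "big") + b"\x03" + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    + b"\xff\xd9"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_JPEG).decode()

if __name__ == "__main__":
    kind, url = data_url("  " + SAMPLE_B64 + "\n")
    print(kind, jpeg_dimensions(decode_b64(SAMPLE_B64)), url[:40] + "...")
```

Replace `SAMPLE_B64` with the string from the Pastebin link; the returned data URL can be pasted straight into the browser's address bar, which avoids copying the file off a headless VPS.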
With the image in hand, I checked its EXIF metadata and tried the free reverse image search engines used for OSINT (Google, Bing, Yandex, TinEye), without success.

The image looks like it was shared on a social network, and not every shared image is indexed by the search engines, so that makes sense. This was the hardest part for me.

This is where Google dorks come in. Apart from apparently coming from a social network, the only thing we know about the image is that it promotes a Hilton hotel.

So by searching for any relation between Eword and Hilton hotels, we may find something that leads to the Eword leader.

I tried several search queries until this one gave a hit: `"eword" hilton hotel`.

Someone named Wokaihwokomas Kustermann wrote that review on 26/08/2020, which matches the task's time range.

I inspected his profile to make sure I was not missing anything.

His profile recommended checking his Instagram account.

So, by searching for Wokaihwokomas Kustermann on Instagram, I found his profile: [https://www.instagram.com/wokaihwokomaskustermann/](https://www.instagram.com/wokaihwokomaskustermann/)

There was only one shared story, identical to the image we were searching for.

At this point I was stuck again with no further hint, not knowing whether another detail had been removed or how to find the flag, until I noticed a second story that I had missed after watching the first one.

The user mentioned a square-shaped image, while Instagram only displays profile pictures as circles, so I inspected the image with the browser's developer tools (right click -> Inspect element -> select the image -> find the image URL in the source -> open it in a new tab).

That gave me the square-shaped image.

The flag was in the part of the image hidden by the circular crop, but the image was small. After failing to get a larger version by tweaking the URL, I searched for a website that returns Instagram profile pictures in full size, and found [http://izuum.com/index.php](http://izuum.com/index.php).

I used the Instagram username wokaihwokomaskustermann to search for that user.

And the website got me a great HD image.

Full image:

So the flag is : Eword{c0ngraAatulationZzZz_aNd_w3lCom3_to_Eword_Team_!}
___

## Secret Array

**Category:** Misc
**Points:** 283
**Author:** KOOLI
**Description:**

> nc secretarray.fword.wtf 1337

**Hint:**

>(no hint)

### Write-up

When we run that command we get the following output:

```
[x] Opening connection to secretarray.fword.wtf on port 1337
[x] Opening connection to secretarray.fword.wtf on port 1337: Trying 3.208.42.57
[+] Opening connection to secretarray.fword.wtf on port 1337: Done

I have a 1337 long array of secret positive integers. The only information I can provide is the sum of two elements. You can ask for that sum up to 1337 times by specifing two different indices in the array.

[!] - Your request should be in this format : "i j". In this case, I'll respond by arr[i]+arr[j]

[!] - Once you figure out my secret array, you should send a request in this format: "DONE arr[0] arr[1] ... arr[1336]"

[*] - Note 1: If you guessed my array before 1337 requests, you can directly send your DONE request.
[*] - Note 2: The DONE request doesn't count in the 1337 requests you are permitted to do.
[*] - Note 3: Once you submit a DONE request, the program will verify your array, give you the flag if it's a correct guess, then automatically exit.

START:
```

The first question is how many requests are needed to solve the problem, and then how to do it in code.

Take a 4-element array "a0 a1 a2 a3" and ask for the sums of neighbouring pairs around a ring, 4 operations:

```
a0 + a1 = x1
a1 + a2 = x2
a2 + a3 = x3
a3 + a0 = x4
```

where x1, x2, x3, x4 are known, since the service returns the sum of the values at the two indices.

Solving this as a system of 4 equations by substitution does not work: two unknowns are left instead of one. The reason is that an even ring is singular. x1 - x2 + x3 - x4 is 0 for every array, so adding some t to a0 and a2 while subtracting it from a1 and a3 gives a different array with exactly the same four sums. My friend Likkrid pointed out the way around it: subtract the equations alternately on an odd ring, where the unknowns telescope, x1 - x2 + x3 - ... + xn = 2*a0, after which a1 = x1 - a0, a2 = x2 - a1 and so on. 1337 is odd, so the full ring a0 + a1 = x1, a1 + a2 = x2, ..., a1336 + a0 = x1337 uses exactly the 1337 permitted requests and determines every element.

For the implementation, Likkrid also recommended the Z3Py library to solve the system of 1337 linear equations once the 1337 sums have been collected.
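To make the odd-ring argument concrete, here is an added example (not from the writeup, and the oracle is a constructed stand-in, not the real service): it simulates the server with a secret array, recovers the array from the ring of neighbour sums by alternating subtraction instead of z3, and shows why an even ring such as the 4-element example is ambiguous.

```python
#!/usr/bin/env python3
"""Closed-form solution of the Secret Array oracle. Added example; Oracle is a
local stand-in for nc secretarray.fword.wtf 1337, not the real service."""
import random


def ring_queries(n):
    """The queries the writeup sends: (0,1), (1,2), ..., (n-1,0). Exactly n of them."""
    return [(i, (i + 1) % n) for i in range(n)]


def ring_sums(arr):
    """What the oracle answers for the ring queries: x_i = a_i + a_{(i+1) mod n}."""
    n = len(arr)
    return [arr[i] + arr[j] for i, j in ring_queries(n)]


def solve_ring(sums):
    """Recover the array from its ring sums. Needs odd n: the alternating sum
    x0 - x1 + x2 - ... + x_{n-1} telescopes to 2*a0; the rest follows by subtraction."""
    n = len(sums)
    if n % 2 == 0:
        raise ValueError("even ring is singular: x0-x1+...-x_{n-1} is 0 for every array")
    twice_a0 = sum(x if i % 2 == 0 else -x for i, x in enumerate(sums))
    if twice_a0 % 2:
        raise ValueError("inconsistent sums: 2*a0 must be even")
    arr = [twice_a0 // 2]
    for i in range(n - 1):
        arr.append(sums[i] - arr[i])  # a_{i+1} = x_i - a_i
    return arr


class Oracle:
    """Constructed local model of the challenge service: n sums allowed, then DONE."""

    def __init__(self, secret, budget):
        self._secret = list(secret)
        self.budget = budget
        self.used = 0

    def query(self, i, j):
        if i == j:
            raise ValueError("indices must differ")
        if self.used >= self.budget:
            raise RuntimeError("query budget exhausted")
        self.used += 1
        return self._secret[i] + self._secret[j]

    def done(self, guess):
        return list(guess) == self._secret


def recover(oracle, n):
    """The whole attack: n ring queries, then the closed-form solve."""
    sums = [oracle.query(i, j) for i, j in ring_queries(n)]
    return solve_ring(sums)


def even_ring_is_ambiguous(arr):
    """Why 4 elements with 4 cyclic sums cannot be solved: shifting even indices by +1
    and odd indices by -1 leaves every neighbour sum unchanged."""
    other = [v + (1 if i % 2 == 0 else -1) for i, v in enumerate(arr)]
    return other != arr and ring_sums(other) == ring_sums(arr)


if __name__ == "__main__":
    rng = random.Random(1337)
    secret = [rng.randrange(1, 10**30) for _ in range(1337)]  # constructed secret
    oracle = Oracle(secret, 1337)
    print("recovered:", oracle.done(recover(oracle, 1337)), "queries used:", oracle.used)
    print("4-ring ambiguous:", even_ring_is_ambiguous([5, 7, 9, 11]))
```

The closed form needs no solver at all; z3 is a convenient way to get the same answer without writing the telescoping step by hand, and it will also report `unsat` if a response was misread.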

```python
#!/usr/bin/env python3
from pwn import remote
import z3

N = 1337

r = remote('secretarray.fword.wtf', 1337)
# Consume the banner up to the "START:" prompt before sending any query
print(r.recvuntil(b'START:').decode())


def read_int():
    # recv(1024) may return before the answer has arrived; recvline() blocks
    # until a complete line is there, and blank lines are skipped
    while True:
        line = r.recvline().strip()
        if line:
            return int(line)


s = z3.Solver()
a = [z3.Int(f'a{i}') for i in range(N)]

# Ring of queries (0,1), (1,2), ..., (1335,1336), (1336,0): exactly 1337 requests
for i in range(N):
    j = (i + 1) % N
    r.sendline(f'{i} {j}'.encode())
    total = read_int()
    s.add(a[i] + a[j] == total)

assert s.check() == z3.sat
model = s.model()
values = [model[v].as_long() for v in a]

answer = 'DONE ' + ' '.join(map(str, values))
print(answer)
print('length of the solved system:', len(model))
print("length of the array's results:", len(values))
r.sendline(answer.encode())
print(r.recvall(timeout=5).decode())
```

One detail cost me a lot of time. Being used to the socket module, I assumed that with pwntools I would not need a time.sleep() between the send and the receive, but I was wrong: running from my VPS the script was fast enough that the receive returned before the server's answer had arrived, so the response was empty, which cannot be right because the sum of two values is never empty. A short sleep works around it; a blocking recvline(), which waits for a complete line, avoids the race altogether.

Execution (the Python bindings for Z3 are published on PyPI as `z3-solver`, not `z3`):

```
pip install pwntools z3-solver
python3 resources/misc-283-secret_array/solver.py
```

Output (the banner, followed by the `DONE` request printed by the script with all 1337 recovered values):

```
[x] Opening connection to secretarray.fword.wtf on port 1337
[x] Opening connection to secretarray.fword.wtf on port 1337: Trying 3.208.42.57
[+] Opening connection to secretarray.fword.wtf on port 1337: Done

I have a 1337 long array of secret positive integers. The only information I can provide is the sum of two elements. You can ask for that sum up to 1337 times by specifing two different indices in the array.

[!] - Your request should be in this format : "i j". In this case, I'll respond by arr[i]+arr[j]

[!] - Once you figure out my secret array, you should send a request in this format: "DONE arr[0] arr[1] ... arr[1336]"

[*] - Note 1: If you guessed my array before 1337 requests, you can directly send your DONE request.
[*] - Note 2: The DONE request doesn't count in the 1337 requests you are permitted to do.
[*] - Note 3: Once you submit a DONE request, the program will verify your array, give you the flag if it's a correct guess, then automatically exit.

START:
```

DONE 882074565321339936426015270379 237041015714489603612749676508 735942283250970902894619135353 769570036365545998247560462307 358093366869922753604064191300 846812717969782586805050398135 771379174273997375923375988136 845526135789468431659086245474 477791916351688485715808163421 930800022720554491827637381853 999680091758310368643053583247 185945425567046216916616774069 548193655183144633560074943563 163752110560858844552559735982 809842278452854024213944401092 63126344576603515440990266173 536350367473602539710322449253 525462551993088197896204616527 26019307559619217233165889413 678246541222209847683426708404 167054566499878283767854112298 916863491983612669627714467522 866512119618168022431575287281 770282663120238719909449412558 17698011785127051934722174676 506436276178844828479355460241 364507445837389480829388693850 478243457358118782184551240191 362975449994850307878734077277 79416040862228597622670674493 699077959961321297097958555541 130680171721974811938831602523 722515733623057407531977068408 107110915537337340060758847050 871110456327373561058599133909 611700338371288519255305243723 112673304125406355771774003309 762357586707245483109415383542 473037716896162891865834111648 740988990443440669824613608664 132974380384295544030922942914 346655317633097728910436731104 614175703481719543947471337448 940327256050181059304565050028 92945322674000115891190969652 756956538466667341515036830304 977968684457121762228769933357 598942068709425688550258832779 324906743907409720909632527601 909377161189362510289040596381 593442764175779833425616880670 561516492415921938020525334341 299753763953982600112038009288 197202020200224694235915672845 37794227392414548309250547977 281027881570422623221283625822 799204368907457904727116559248 715428685855001604030787325645 309449422141621428318215223454 779861727503038071427138491191 230630241891245494630102199976 9049080132892488645574763422 786762453386287856472273846665 137406037157133043239611688883 
20606080079886400695926357980 245704360276954038844187049304 870060495514516021913656893390 23711649930267301953002833227 15146234530688915354465779120 784033228523360932665461050985 525663655528622966895903291219 735720010825870999545754698182 663628090426701416674734890108 231213426431837202297904989686 574474566254277532593467631978 147760154293231354460616307022 779463211304504768763058308303 358278203715081519291038945407 690900470125900874134982420824 360227322793207510680155995875 75626201259944285890515565594 352227225391609904808105369750 889193632575223501918704357215 636693937516749154224395512837 929500197143037739640552780232 663125933879941881254576706629 413304999967703502424900531016 12674223596718597694665950065 761806833398894646264007517420 901620716015040828929833251351 596609085381390488916121739221 404117177117358956051088469569 442277095587940566778957456053 711195129211421090319170639033 661070597294240268108436600024 560776605422989669778330340778 921863821952599550875163391266 501071025255475912463069886218 741268068608066429391112635658 271680956800062103951466080371 170543409803392787532610044875 349776994728197266568909602360 101558163352961908059302821718 260081878735406084149791214978 747086420691884496837355010918 896296059949583610412209741291 776125233384040960568493213959 765591914359168607635148952912 74527033289427337623992082950 506167902477188174071208816115 239210609274108207188656331673 380930700105619664041730398824 595963441161495004784588705310 472449500188348279910233004936 361452474913059861704589239145 915160587114220764447441635142 786182292917359611863152542303 264376613422987785074755907835 73208397659556070503899103365 106594326878044346846927279856 701354413189370330333099046309 370591885433929465487683764558 422668955716877102385603924510 803428879717101932205708317726 892767291654743125930490112597 878212722103438105894943192207 533785786536991997239498347350 944018836070990418850884498677 
694326295420233743222093008910 40829147470262061587372569449 913458362455422093531071373461 795836219577347468620139511482 524416440577527636671305784023 109819250065181336951008850938 620366324066455533770755106594 2721020077622100008496100257 277497908108811698133479598491 742984135426966116422119670077 337425526373236927993315431845 555102733701274509976227535707 668298530033085022141015313309 662055599077046033536966711386 135309183632745031684104642450 972453781103825874008459622241 612804835719258681662372730548 454158293166550313372060454801 941006086282862862671333493925 765189603287334258217210454761 193534941282080450357077354914 961474163455514118084538199454 171243150147741508912998672429 680867263974583805521538995250 948863536679404720952170022659 430192637646667678646932122590 83599565913710171732209075782 925410496897547253466556067082 377995377494476651837961123246 331587634958402792232577707032 32259457025549954495337813820 901782766950315214479883731872 992908439613461225607372439509 539565709642645621691030613870 270944060820513347010243740891 537362213386007651781664702860 368476043853879217479794810758 477744488909380102676271609128 72900773687910500130142340794 504184297393188903844879611894 99003636733624281226157550568 655247345611987883314641285035 592553135112567942070304354036 546142479226747746618655732181 60051283931300835006908742869 63425988975323372138165939442 857809618699975493655689513041 734977802096275650555788465636 209926557749531017462523538814 989585500784090277122278071901 81109532860099117363317294146 182279532865311595851941008788 608054597291272381639584804996 633037856047440324859742191949 119491094915724597071423943906 360965668016555421060094928040 944511867962582212190725313219 492251106511659186630885801972 602144067462953257906809761003 83855839872669873354544725869 920560392374121149844109207016 63596510248974809578664885977 553306691686457054652070867148 5902138911655061839992230129 
912426643581685395635076025380 614941160097584231223468547093 379729804546502365275477269287 170533941293879347251462060932 255114956006295041571947746758 706987725331078840468282145748 226624322442974706334730175668 135081764185379181848425298119 521600751716798265763848101359 85486279402035747886743523711 620262816837414987562396533902 691409544760893237168877440432 270617312355809117003523361114 215300411675898421154498541670 383105170204288945181482257181 19965361540054599703146774623 144132448474912286418219707983 107205571493550462860605886147 568684141425303405724528546177 815630824480480101681988396571 84266721016587862923094414752 802114370280508328503473995 616836100514059029894739495855 901441123431275316909128396207 218062530975408211061410703606 834343882925037238301189637986 263264015323955073206447837377 731298241454457960764276323948 831170403738577883434705377336 147582802673743513813057047388 884028957102228121942176754425 906852806866634486251688741234 897555964028221965069927627842 625242888806880679266110685886 152705725794066131150480413776 396268848857585314604441797856 64281372253952185259405878905 438248399503896415085235113032 369501892125242212838098736311 219692641004051988412782565173 877230258671577879835079806111 169788631198732654293925779828 468076781362219079410901425795 205610955440285307008985340752 903943987873477248783729926539 853278189067903084757216248292 22755119358574003976687226195 24626084753452064203348498785 710850972025135575832144446799 15702600274866407783282046803 208753196690212826903865243611 775436963511684575990621880626 222979593832142261474389509283 223111122994020966786101066347 784974746513956060485334711506 70694839132622986411649306291 406330169296510065216818104633 16614422003959561718027582200 728627151036508864014644452487 776592078902677275552441558644 866844836475989232869612971370 117420015219120466082973058732 252919619318809948923774406389 510676641680892241383638309707 
360926686880929579675601781594 366454025430268170258598396578 114260652282102308535601714769 276927466834376587548979614045 949946193368962898100949258688 371288124374729177447373168833 912587532228152544925281096324 958458886704815456770975888652 19468994273487605026726983266 51520627844802078595787196523 823025816716503958331059186135 505114365598537399222577229281 229929711120613832763779809940 490557247777117212996336255644 36386588267817055291387861605 12111605139275715067959168618 134525578498923587853088358413 594230315443966492177268463441 159731518253410541113980209825 557994110351413804352150332491 669781637012936972192754374638 408173336637771837554798837899 449245249765868765080781967499 701784878032699685313231813955 426642361529764477975735170798 926693861952669632246836789476 76871371886162758011525861774 9156215663999546537908515911 135966023036495656221517757891 850002422722810515537291217127 762888558818506818570053328594 439313879271455021967193296378 913780739083705172747896182706 487249890388332742909000406975 913243926089076781359716619079 491582469684269151816383351347 190959720464678429880547174979 36603092708484254509582380060 538966304982859028291213079152 268581737245026014574430535567 635364424463299405765151847777 689015237759163673832102138476 511355914826810710807952471790 418563957526215869604417557570 23953215025564074768743276141 202849934263397705069366565712 403837670357601324723527086628 529857758534934481621825833659 965880355357433881738978677918 365864830291190874493408758730 706685946309248516090071085053 562005397059566769959415759117 149080883398816652532724316682 168580609967151492402164519514 923680390883242220891205330126 597271686440889359706560294029 405554661987701997450629167680 215396604713296533095284173564 917152510939899901586912678600 999149295633599338527248714496 909831408446935488554853587163 245960879197393751030843858932 571540430998891787362267889936 689292098192284812377651546780 
784214688543949407995276235852 616883954594964898435060660013 108044562401804220249664753128 242714272317001876355486824494 512988256349129373310506540151 704313048793331453799683157439 151977830741832242552431529417 747480610991245791813730971634 142305162115074004370784809304 961280962873297677892498870827 692394936449605243557401049413 687990647816950269402507539908 429122811383766585345270722965 120322027757606873403415432705 499278224248204476585086077939 502003419815924997296723252536 613362416202078245570508872836 305008977908730525354560982669 250978812680462571546917032617 470340012821916747620696985178 895667031044339278843549283282 817337263285526139529593510708 360561797997921474663791673985 973713949651956702509773774379 409242140026160509168973511706 159119414152063186942721755859 846802352247260850397229697977 306744393276652705388057233739 168718406359273772685165319830 504525698279846678412777791009 151405506933991905303745222307 781111194408175270515025826351 460380102469373033308452070893 672584317935459437359318197032 44965412533591137727466949946 606939738102580158750032492649 178017496345486206796623019978 32334617194884600769428831181 604892314377204843778664942570 643969184867803523455474784471 664485785186279562878653145862 27901427742904702129168300771 303391462802351949783512995461 578781027713376662478520055579 209991984660383277819892522797 675271399059485221248992387433 515383086009051113635339129541 87047652565533020660516590 951663244660919363647824443572 218191936479225136431320682855 249742377243809346559730709368 308356397679368298616350864867 766709422382477164831283344608 740798328993015055033719261357 154087368935940071609677266021 634379845699163454548390314069 669035700140095235921566751003 411385463804069289902619563778 479647605490898324435649410713 729703833008489685344237736613 294334431184068572360551409805 854981777308160530251939084584 567373006643466376686239550079 47738175183257490170241075196 
155261546350167890331537874779 419713677590846499218321419598 717025971655171432351646863557 454240174012416334309150243227 301362699923503106089331968710 784349376976143317779408375936 160876840778762965084731708149 923774515251843094816083730090 712041994976932868394953192022 962493209351484173546357747046 36112453292757308192267662890 32813057768973453969345806777 734385337969464972971969544538 233389844083843749514083092156 351706485517997500144008086615 185190820318800885718315033831 338885471494485807424671486790 448183122455608031778205038943 776977003416320582661200514105 206154126092086213720342120813 304666081737476678808674595901 961124157962623890857242371210 867575943708058140820318014883 519736441361430560747038210877 685899879365117013731805398445 143602878346648118540994256505 180250333005208769314743841587 847472787276580124999047369163 508027616287022072980083148840 311058954318835620355481855187 181777004497854398549779360531 949551863513192565119044191242 59783814008573632339574304941 823702212698564666881183188651 787951325047625659716984462484 146204880187346605278988582134 987058308715309303131651725666 727962714721709301411477346686 366516177595747609068004300511 594684225799681345651296607968 121868240075520259840317047168 547926314596697740439746439505 734713104086964430420895050839 911946445607472039229909909370 285614552583114904698857854377 334325126350509656678103832516 730497584433949321965625896319 553363278079493630470332465060 187973023248583996048020179001 673234152258474862425288271623 608752568012245512612578518995 859733558189501962707363992649 119396444804985995361657225164 128942640760217322971278046815 942503310654227355870858961740 792119224206779180648355032335 760544258410258431365235315348 612196266873927914414381839913 95822054277023074035428062786 778075999266652436236432817594 782733718832945889040704663531 357183429950351414180384994219 785180130016389884738126621270 199216277578083142404561427750 
94999142181354046588196674331 129940019038486658430459956619 367010568820135867053732508500 897533806187229128228715302505 220700018367048802837049191087 275027379247406874370974674263 181062359581096349280614021393 230277312796551922472514836539 570717777889432565552111018891 833052138873954030952320479748 629717110800349199119421243004 542833285963597302481619031563 90260588027447851084227195016 23192159000660825793644376619 733283006491496397412969409483 526063765891316530652642019467 252198818338837985430928488263 189313756726326950572089282920 961884019779801892177976397331 870841237266236379406392513747 780470855334732170644652234980 200173340024754767385091596726 811609277402037434124124852084 365541706561275636959976621174 219746548701891997382413799863 403225342656880268587779976058 75867310435851849183383680151 99540093628315675858906537995 252963212693395030661449592855 473367313447339170502887645310 630671564777749234830160983905 396814941898219875238889545181 629852498021628052238870646804 48051587963619622745852471626 949725726322022866436213983943 737762822930589677110722296467 149736448600744680417647835868 860846548761405487330447562799 247597942110952294803830809264 545877723096429049710094569772 408119419348804859049572056603 582961799435060319813341900667 319122315366136098316028109052 23863071936405825619208514564 393331885834633364827570182344 554514217553732516460690066695 491727530097873308960779319783 434802878438020161600404836144 224363116283985120714037868244 629450052265553386970914199311 796236193329235361731669850445 326169118446021072456430494492 463996884889569011178625343119 882190625810394190783183730015 844218100737289434194862081309 439323640418876531081793599386 634021016893978523345072267298 379301950011474937115413828636 703154341175891054005878562250 640145117381327296405439858460 672077317539642052964018072958 555860410232908784891390524653 3674883873039551892650347338 457386847149638857980514513000 
253675411611664306536114228616 886451438689806631788780040806 498649130361445651819578661798 770485653418339391200358880864 8396916193438313538247186055 914102947789038142445844322072 377154942926181564851291965746 664046436228048281696861519136 69362976731452953193674492277 171110914330687127704465468891 283358036230922272485813336915 559881272480361221633464753663 286833815237911848534350536412 544266719628455450780029553297 800284408838648497821358398993 205601792377489303528165190595 919069224237875715306060104708 208556917860058868400159367679 94881720692038888678583623946 602036987892191775603799802515 901696693149810492550134048933 399013760284157462067240979763 475829302096434325075385490589 108643025189131476821747763237 413637164512779730302132138428 979805346299416400489384882207 450178475446032430875295262481 563103742423401393531199070052 515583026873012435994006295955 574210866443679944575215127929 790554522637507562382629055586 108635453426355108587900120685 415355589413762228486762512360 506221248159584212496138216048 627117019269342349175119148544 816938574954253167561433054243 975182254283938642225956165337 936215376222004741369827056595 12045923394976544087570743311 560751947468869521491314585213 951428210843690028144295375934 733396955068709826908824765053 91207399755790316580150060243 428395084927961813589587411243 280140196423725347660316851092 7764413465777182360416635595 568368417827464038563174394732 876950830255741084273922209683 832034384790192569032638895125 134482440785625290782804921562 775311730593728384250405321043 226730993789457045974567978248 883285679302168534515833301884 440203058155569609025711123011 255575471008846393340173544907 538276440327327208898503724441 697229858130863841794929976300 382201052794614696534281203268 903400798434336911469537815101 926124266893051496231048822670 625536882575739471947115310997 856595388244574345340209307242 526081117065762336461876526616 154152004791524296540503374543 
941340680379073842880272900580 718976141219478409820264204235 803068257759470447972931997125 672529571735471761361078250750 907085018056981806472629791734 174475688391319985923224108469 526896330536312934405524849692 134060940417382885064465508343 854525123583269837501817278847 190057497880368942417361788400 202112133979173910451021884445 729704548700655807082184535208 885493714259894693266954075888 239084680432879346080256303730 294681533491318563732069437958 785848899363695218655509600006 800736597971807392048586461335 503241227103265808761243091867 422662548308511023094642404219 271335054706646726695925102948 262113494499702270134589124792 615363824160380536279590315517 376760235014609536118696866464 530230931775344709687455936337 446739640995597223390355642433 973208250703876230707198850261 494678163711804098614634209601 283645347949614875670569528743 258948328858596401143508587671 7403414311825748251652834377 341814063988914617501836027335 101477324946051790053553861901 873209636494681389726940304498 742241684896488812868433677688 74803719910841631202616429707 245998313552121009642206162174 342760648730849330110180583862 339835203863302714990350683532 731464879946714444923745428967 926969500924298270055791368371 221958054119625243268200493827 117832994565055949267950864797 452998032405516627267321343545 870686061962342231820804424082 495012719964778658173132480058 429823395805441480331694057137 914903018626537893266587718808 751873416686561236655151519963 539128770487044024887403684748 744740695972043825969845455422 479073025597805967345241822037 152469639386273991967102013960 410969435690117297898647433580 204776094664802369782809534455 306913452245702894489674995880 811107209725138151759490859560 349002610573632341821972238910 129069989136991651880387872675 495098080367708330477911879262 334958252546652526552724130010 228777547625440408327482442209 236258602910446234761743153288 806825663237067201651825514126 313158926057984818559194748408 
39348745324408484813558681641 38224854357218287986011661365 579020045894444211854273595118 477809720369932635071249356702 769442571885243524094299451746 326024396320630470481537780185 434206380937673423350180801119 621991327357101022009603314118 217734581267058549288718918522 902253881410569499379757475570 804054632975509219140304668596 647752317168659044398611692386 842471214449366871917748442083 330935718849694536545536810072 255541402812609277460483949947 446284147977039123917461585916 612184046096738907945074041808 211344513390015512416402309883 444506998590022560888748865240 668201208151616442120837124320 803246469581702116320669782225 692372670194282161204251760283 251873339046458378262801108136 174052363895678947596081184011 713058658155685838431111642293 454117528072008192440349731878 597430594756635311278974955015 796600256917568631593228900163 635467810899140355384911439002 266874945974908085039937671923 690610987863865284789398993286 448062895287320163869864051106 248035548586696963010071347359 861736594043838676397784294638 826079498818159402559164015429 984354710995590332205876426811 444114561052893875301912892194 125151393933773792876275798517 151803764638282077058326066959 975135279558951442799594037854 486680683698248467332636335297 313509495301614004484314564333 750119125756274077175068819796 874087961977540179579888235894 526363095745230376511477170756 224072590305787099815286418864 569179966010982375351761621428 707610270421631242480611488066 457131092569049240229225956280 244044888382206185104217767750 269837792246198163481626795201 734600614849203716180336096541 75546227938386009995459418275 38344562561103840422720606731 491660557547798962901895740965 190054822251623755497500997846 869978394312453246665326176224 803024094499372652678234728888 239209514107101941897901544245 321125355990097029710924243098 473452330524666872514260297494 716065629718903402486317505460 795583938968219394499339809609 48940524335244835585175989201 
333603833764418905451166979036 229573041582163991608795307609 10661062807278053569596136841 100756911237662332130244479682 902329950404593708080646564067 522896995568976812152854141574 72319815594325306342313449553 30967726889627860299123087418 835824353436807068566825436434 45515261330126179867666992816 986113491967262321090923428639 878794869053226430154915090827 33022372422400507190555585764 506517644690508756764464573552 329767250136254053339793867645 528911914719425669430587377055 778753315222479471088156437422 379711207441111110217498453322 688411878085153747072172578194 366933875816713640238496812513 785678675659460648383264876995 236803962370593095146871664796 301871710292815341755817992170 436190732741257573184323219088 512291359652628273182451840587 921962196082579197108282398458 429838966867419996086093241837 700828933016642147832837501120 117089872731793396783753915921 43261182324241473210258584959 2114297652250211217352465053 254671369963642731819067748765 944963200938948898944093301362 394371772418905900530799145622 182374185200591070549563371147 588751728551046942440622586243 912616771928491428874196001653 634987912664641906015642908581 861948962910776212049676988485 753108122866704017493961168775 647957729592831268810257680506 626882611280235563095324219673 894692371780618542506671701067 743923134822643007677152097303 266891203812825800508465061214 953439970048174737222035081654 645030946636821841069158612420 210490283041368932534690261833 271820290035251834596914386509 602983424200719029522260295855 71484467856700843060119951399 372191674877526291405116226644 705813826628847088357491461175 830744128183210112197279095976 127158380316090958991820366797 961231589515640029972965367533 350474355508756920284738667038 209959113734335858869961872740 258336353660984806251574081034 298281148689340090425674807686 574105305017360008036879305959 188948994811071144310166262822 460606975792276355862979837103 407353072804538739453849146272 
791380900363125125115288050257 34794394278953310262068929637 23810321979063689101336453630 596287239794327436013186917210 10336141239649182281665938425 229000720161258810727411018480 960766232119545766567391967139 393201115382495717100436878295 856107929917270799903457285068 158437316604317657831712488011 421121554751193887381198048375 730512832439497420667998450896 636772163318128744288721866072 741055707164752653517316520251 406661758546806708228992353320 831528960917402857557631727306 682050016764847562097297871608 30501939932249697379165862472 80607650834812147355268501759 618454634772912199361123313742 957656806132679222362298467932 960821635226404806666774201534 310302106555675280765219804214 541374472704959455568583304050 193239696606310253641045670495 145727807405611120489845298952 566699660269957394018496714439 768245011393349294917187377076 828126391372987021742480822328 624583894463288485778821691074 620023564006080696925029606231 604872177381991477387458672935 838810062678030776004745728816 78880172492288496637569993213 541878331894118887436761197135 424459588199955701059978096324 628432511486704080515653810030 143626167433298992954962795061 787942160848641421599196160720 588467740575322597026725516836 271462016130230273523928440493 790717441732625780094180232607 227169216599628537259005983346 617364100832216730132822515388 520428261131524300652803797246 236841718397821120926806470801 394469196469082014889811117466 601872381738016659074754073973 331807417538144691602332947809 948817053196727851179788046797 704874592083476061186302360920 853350120058351954548165014415 592077080677776788692644936058 459625258171633468609650361849 479149677254193841334607335853 793168347442067768628249024888 548056216375107818721340960510 928925288798893128479461448087 555996111544678060448592695749 797054329117457658440843681955 74824818868739288995505437611 792556553214586040203174860840 661817928843191505543254057689 280157166486280425518061192672 
713347302485638652438089282875 280995660766356320341632368600 109360751229469594521546429312 414574520793952907856003089617 75220827073208375153516213759 984785002293377211999927841551 809769257735568078793319182217 658807156588091645575948689777 500422781915887559796925009376 621875285035329918710806000744 966250178017183798423260690777 312307881662974450475674920071 485352884251637070495280098674 477709079525808766422788108544 650155780698178840816997408534 756659438264815770469087737874 5312075485871583465970535699 663758026536018155912850318207 553831006792871820610551831208 474334770787756700968378298588 624231988931266236885733234314 229663071659395247812427457464 434431253597939710659981625127 364998453894888037143171493884 426795479568457394933776978646 594082589811973647583792317152 344497184761863896134031003666 885666140788664458440574737783 528121134783977809697577924822 261588458380461398581042095966 700313239838829995251425903369 335703558338047917426886697524 778583759158830195266811478337 440215496468808476617399023360 90938500231900437502183927376 272533586337620908308471704940 200726173143737097339746362339 160335178596034984440772475308 473857652854022449338504186187 512780834709602853072938886929 813762453838053763099984163808 451679117832413363848470080864 33385223803290993637970839770 56488302063800807520851347527 712603714290249502166443211291 709035312042023445733541751668 43952646773978067663416816637 41026526958820500041638657796 616497061464249764842106124730 739635013382709321768603409360 53676706796615125013603568642 895803888897323443038264487441 80680279144751301042549508004 747875082183732662991248462580 250278564761585781648717431949 433244365197507912933199332068 628627535557936285241485635936 309598485427548006113922529433 265132948713549573819196563354 910351297901089490608637537529 265206876915048067696231577025 956626736991434169707395252984 833366295486280587232422656140 616672022966778604225219946459 
444879421483880958674557699157 579629800133462633907804360918 247397854671953052159378228517 19101511314212991754677428399 467025279311986704048271531715 647481493817914721822553021589 468843657031619440970022944708 144827625112452546049513008527 82283947382012483517682856159 145259002854960888222273732903 127119587761333168427184157389 442189294043903388031786316220 156143973664294939294573009989 299877854746990667577796560126 863397020538054679129605649473 441695467007277212360300129813 904832682889750218933586927067 743682276687721131177556416860 751104004901908844621449132308 794712205881603469163375435353 74520223374759511502339389559 586453707990190414460366522073 181840054808134396683909456954 837722882858934831164298476459 295979962198129577422512456975 595361308006281993055227138703 478681374067887962133610984746 619001549554278581866600130497 431378064357407174675892426051 577864590577506966334233820334 188056003424515816381581841034 549683738609156725496112905517 709489264544588869112826298359 989991902139363019442367655102 222326909835526769206085664370 625049040222532044153375321611 821093971067302507373545203199 436873838923758180133130043191 762625850333468644391435681387 874601124439039132986453969957 637915651002381284829691915029 339253793027261231370630601651 597100008208514971298629531848 581824167143868357945102394882 718529205565161363142720230731 733036323140176206291618064550 694821639051283881757391484493 71761405863130616797257193009 338455761362816318600129232511 1149141466717438074181037351 668681997068864696111142948566 186405780872946243056594961740 259189017421094165697072567997 994462959421316242328158936038 323609077909895180349173706600 975769887211827997130027975007 518954884831724670483928564730 162376268889467683579673599724 931357953662585447128626202485 973558261782136979934734677771 61113452403584640246022748270 985406236698640655008448964763 623999851226106955865346496988 904520782099291875257033576850 
897605221240442875570058361841 580374098890840999628094486124 664639171063338623739456098825 125673638396995753897859100927 139193420355928432464437835515 183996945725226868515731885132 676127592171768324659342891638 80852646519320852087743601516 433991759704211446042168041568 907785388928085397023297233380 642355469015816387733108890286 659372584040289652234844406902 647911677770896898469732968387 289051542941550025977517077157 545410792992259542545602723395 71212507210613199392423857134 666000356091661247804590518165 645932970855937692703231527655 745561270469557796791155031267 415074420558935775061845076769 141107367931177025150510441237 93000656845553934731403661271 186813764181943096876747143051 133146521368599732093734500389 585241557756797173019109911465 469407156492653146991935598092 791015898451864666355491328552 83925538816886670110326458849 49687266134836169780733364056 963621554919826903743385860259 942293265267140727188960006027 461572933856718425796665022217 182765497434965370848495043771 69341120170496414926590920278 964514640341996107125538254984 793434038063672789531576011409 619017551782483457277511220995 39538289370110739390950529843 484253058984936042802675457628 463918361537554560585958796619 197808127804695059793380422417 255235853141263187157407692971 38840352033823022893030370325 845930229403219677054408021545 432597245425311078172125965690 743281766944624803594487060707 92453212082185021508206943434 182102682347638255765996904371 140358011107589758395839334567 97086290178784125904533048648 975958681057212284352201495679 415082947051064002328442818339 361591027190181251994719671162 948592575971522096599306291515 684365122806926247690779325939 607878852992238641665876067952 495914865693781792189036962350 33470606317705179263858960790 735376290192994432552658470389 844167707062942544160353564809 418249035485234279942901809078 506130953430430783422824547864 911672243839189577835982823508 348687961531948028141988185601 
203385794675892949992233841600 115846937306304049009006293430 499609528236558112173469391107 789376173037767519057169300187 875812666544237262618779257629 33880924953666619743074438456 843314938025914933451669709497 332359127338513236263644107199 125635428355194456833346476620 418274858611156411670866683817 258745825865914182162548261818 529270327857690427566141494370 44667872560451208838506369426 926842705044524756102920882609 803615529280199077893178417231 203720756002271947432204921932 97694301671191448185396785382 424168636677848703882857044741 581579831466235137062350884689 926847891979576741933489640768 197961038344190331553778900379 516229241085718130336692206072 490350411776836629523108034693 785930103596392821218226352229 415100947067374160756551437993 387095770296338597026224465730 531093823703056752125858476862 914090181569351111419190421464 971453663166665503530700635303 469965147013275422705346110728 607222232470737227978543123676 223377658447155846291594168485 439054813599407073271320396804 828933794924147234600880466852 311611573598514519975009539049 100352584123492895536067012322 619972813896780548929856235675 253160936061289481247511622114 480864939756692158186262943446 593093394871126685486160051549 341494908297578430415857014960 339937808480101515858816884268 7176229172145552773097169989 220101137932180494601661798565 149139074682453687483441139684 61297239015935132911749393081 232750450967473470910147532864 835223374873512462517350691482 587821698873742832090207613143 894498799982340838593726593470 513701019422987803807465894587 777696047708232853251391482499 716634197610828945641579874 787296257674756202043512216456 49872288836461085621291527938 673741266405357536779246491162 758081737641224033693146559396 375431882190740915961806945932 519271035152186221450275185823 694263869772263022656347967096 191368376188844063826334778861 624148999928565088735859956618 785562367575338995384230254776 395220646243350709345484114302 
403682387411235634582121434290 576434251868797452403950349783 703032451392383902132017788908 961891545933964101140380972456 88544524529448397134468570574 931683089214676187100249668561 859257003554736319884344604125 318670843065117311348571839394 388787955729834468672217594092 124350318593524934401499516768 258380638069151648673217169933 329605318988522579346623011328 815519869474706439392097534383 812973196023737776567489141788 753895071359776760661774156253 206980619318038480953192275047 52619258807880501778241106747 543251277640354938170875132147 381791279068260520133641962682 839757903556121307311419613875 470891017207805017049729261560 626143813400178485881684168568 774330361267867932492037219018 375374691598202203729424245251 517417872575990093656839545412 210251539050389035755891870009 168889336954226399781027900690 19162921022344917058423472956 12878700214066195848109540778 711646232599145125873657036506 76592144156187054280718816034 496033642801614373265869777790 773251696225957722070899601906 934831439881947493423477722653 257939986751429859497810191864 196503649167560589875806912339 55643444442514199655407428447 409855758253477671266626620603 916320513352159506842740884559 522879152761785577046807598922 638531585780204047547724698942 772759593325169178043405347508 673009041322422721959583804631 585794073262022013065699445501 9550150051987354349177926310 850921312657797948275249204550 752318933694846523225015966025 690795240142103350210406384340 582091307159015942057863931401 787104654618120410593808753644 496935928307373351598993996277 666293985721526019539616718207 330744374737492867014945700446 568065423110722910178446369549 983417988189946570800447698106 243362257813902537047000679946 252262983591055154199491484145 185001108068853879108295916394 928214067606913949239186879027 235328501045121408752054461078 382112318367393656792681687038 825365919015703337876399426602 758444451488171066010074431627 903099166925261938090135685743 
822375043495619761944861519972 663938619063978495874534834345 40184497331922613496528896982 96651341380806265055474742874 569211944761523188530335729078 971491789720261837699473149857 254033039225053644540777318794 371156987971994144222102427298 552233116200014493678918980023 295459004571278043471775113460 950978351365370226190276337993 981972113953125635095554684819 613392171688095343155266810068 988275256454056707386297496228 919910555715929711990294816395 331680416523012150626813995335 963232569635654894073660210351 378461391306022088434725883167 316219840943194091938654131212 157512800707788303899932151960 793462598722149854189459084942 256099570333236145647875306720 238058337137510317129380168362 242947508893064843775147012487 355320875075702456560544935910 471720331065228718591151571789 856169934005128050600519143797 762370916267869447841214329775 993497962482866211028442298733 518561856792546361582760006136 934075525612376978469662883465 160688877960374040067371985843 973542555968500011203270234868 88513080626526601524818265680 833399114577064164200268563963 232543573511967780353703533171 455181386149195687299712226144 308446550861526289691728628362 99683459694801711581944899388 222369143008725108925087195114 226219048896373494184984854648 817515322505071092635037120986 899693382866294023980688240950 731109737363403999778146313080 11585470531432868034409927654 136721108925187832179663343748 218878454138049014632641644208 45104610801363569584573818024 851638154958299987223574979535 935787731071096314044356630936 199344643203186247839062040378 350298114459809030350407362547 651368717836769007386669135246 13028300112227873068369382521 649389926758277386390477590247 716694316274712481603063809528 767497805573565697452081904246 859594127311603453471419870328 276718585843138550045242482694 270621350223690805039458346945 882851846997715676030915445671 147005932316573640625222262011 962516221675048249633600651629 142999206798927755202714417658 
338200118833517293913753254916 353098332975450794695193115 639478587546889035706931903789 366145572990290817504253243808 236859816134096904531980956369 620301594115009808900583045657 564535132847643655642550460388 811156700605859198651865779342 108904490543477846116268259176 274369000018543911083971966870 211342207540341813623129073575 836568815727517896518486764181 884348990498573834839211617570 593425938551729097391923014648 411037282463745057638164724823 600542128338055767718737414543 619640229138641535067155175976 731138028985627775699092095137 246193990179001270376162138712 208483119190770132573196314847 60591061497789870188479749934 436255610130837936459965578659 219743496983603140147945414467 744434158934620122833172608058 297791851944965194060885237858 848171872645101850536943202147 691230917428178059150656826222 331920949616804993977431744890 188990626823473771669970835999 853999549222615574184160676988 426581830899883056330939694164 545850379624256644845417041609 206898714949998847882049316749 600922036266170588860811406626 445002578839372149073202934779 755505079281341703455242086034 554606046321292646018328308518 491410644121221167022973999466 886696421014164059657453156938 576684874184284920761216930687 28114959744965733022489049473 659371544578249015018260378126 686436413399263391028400347672 771582766634625860183378734250 43329803301088231785420738668 789390880428603995835220996975 95843761289134737380026726699 607657307608983959987793684791 763121036629216863027308575507 695752976863908234000425941210 183999126076091342937557825072 186793675528356887821897344540 631935025165038205571818923602 383364014052929057642436213844 621462173523727407826051431420 700856283608651796441558150148 679621261248938156795682471846 600889020839385789386043404419 703498046477358151065837099150 314309051704298644258317809945 967436130406043633721122296572 676212954323956018309058930527 4547530505855250748483917847 100983845147693432085059458528 
339251519149008894109778821343 934807106956215360626560110582 594674598731630275002896465473 770757954082647400726968112798 830319874196252178510311404372 377307643453627105959902092172 206638680410448733374377548806 543720335249845648279763661454 575989636871937725494011151161 993996327375586192236148860884 577478486887548168530074351040 114525249759655970691246808929 212383832894687559057036388929 527304494711982532132925552980 575980820709482598803802344541 534140669749849341436494824420 498999534125566963963524431887 660323975112393443004221199345 136629325692913249617390911371 856225685842457891207581210261 382236217025931865524266457446 916981812634971935362102424803 650983817935982166075501250565 520076012018861617944862841325 568070785815492613119797767124 929426002688656730578655495848 388641364576174208975578118486 754288805782329904072629271858 7539529998150599043771503290 515315771436238056833360898841 635826131846738367904626878837 129977530055197841755264624480 770035583613709893150835726905 95291150541467317217156613056 896815536680583446585133872931 688305357073982731630616328867 820844341017741039208950587295 104243593710255300826694436541 770267178982348671718915014437 524817130634272459917249808264 881596592942006529423155080660 460809554977471557874987038531 552203073934971154805289618652 285558583844299518782868746962 771687664263005438473545038546 309699046605439403872809056495 87421934777919000650262780503 460648873139398989670353918314 303755726335676951211719118271 642134713029850585247460120104 994587367824415577394910764431 610301661262474430002645397045 581907927596193338287675038489 263071432306564437305700089331 1323602499525101762283093077 238040809388633067114571632443 750262249497683926277729712036
length of the solved system: 1337
length of the array's results: 1337



So, the flag is FwordCTF{it_s_all_about_the_math}
___

## Memory

**Category:** Forensics
**Points:** 73
**Author:** SemahBA & KOOLI
**Description:**

> File: [foren.7z](resources/forensics-73-memory/foren.7z)

**Hint:**

>(no hint)

### Write-up

In this task we are given a memory dump to analyze; as the later steps show, the flag is assembled from three things recovered from it: the machine's hostname, a username and that user's password.

Before starting, extract the memory dump from the archive; every command below works on the extracted file foren.raw:

```sh
7z e foren.7z
```

The first thing to do with an unknown memory dump is to identify its profile, i.e. the Windows build whose kernel structures Volatility will use to parse it:

```sh
volatility -f foren.raw imageinfo
```

Output:

```text
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c48120L
Number of Processors : 4
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c4a000L
KPCR for CPU 1 : 0xfffff88002f00000L
KPCR for CPU 2 : 0xfffff88002f7d000L
KPCR for CPU 3 : 0xfffff880009af000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-08-26 09:22:27 UTC+0000
Image local date and time : 2020-08-26 02:22:27 -0700
```

Several profiles were suggested and I picked Win7SP0x64. Note that the line "Image Type (Service Pack) : 1" says the image is a Service Pack 1 build, so Win7SP1x64 (the first suggestion) is the more precise match; Win7SP0x64 worked for every plugin used below, but if a plugin ever misbehaves on a dump, switching to the first suggested profile is the first thing to try.

For the first part of this task, identifying the hostname, I followed this tutorial, so I do not want to take full credit for it: [Volatility/Retrieve-hostname](https://www.aldeid.com/wiki/Volatility/Retrieve-hostname).

Following the tutorial, we first list the registry hives present in the memory dump, because we need the virtual offset of the SYSTEM hive to read the key that holds the hostname:

```sh
volatility -f foren.raw --profile=Win7SP0x64 hivelist
```
Output:

```text
Volatility Foundation Volatility Framework 2.6
Virtual Physical Name
------------------ ------------------ ----
0xfffff8a000b0f410 0x000000002720d410 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a000d00010 0x000000001ff75010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a000f8b410 0x00000000175e8410 \??\C:\Windows\System32\config\COMPONENTS
0xfffff8a00145f010 0x0000000027d9b010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a0014da410 0x00000000275c0410 \SystemRoot\System32\Config\SAM
0xfffff8a0033fe410 0x0000000069de6410 \??\C:\Users\SBA_AK\ntuser.dat
0xfffff8a0036e7010 0x0000000069188010 \??\C:\Users\SBA_AK\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a0038fe280 0x0000000068390280 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00000f010 0x000000002cfef010 [no name]
0xfffff8a000024010 0x000000002d07a010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000058010 0x000000002d3ae010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000846010 0x000000002a0e9010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a000873010 0x0000000013880010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000ab8010 0x0000000027455010 \SystemRoot\System32\Config\SECURITY
```

As we can see, \REGISTRY\MACHINE\SYSTEM is at virtual offset 0xfffff8a000024010.

We pass that virtual offset to printkey and ask for the key that stores the computer name. ControlSet001 is normally the active control set; if it is not, the Current value under the SYSTEM hive's Select key says which ControlSetNNN to read.

```sh
volatility -f foren.raw --profile=Win7SP0x64 printkey -o 0xfffff8a000024010 -K 'ControlSet001\Control\ComputerName\ComputerName'
```

Output:

```text
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2020-08-25 16:20:54 UTC+0000

Subkeys:

Values:
REG_SZ : (S) mnmsrvc
REG_SZ ComputerName : (S) FORENWARMUP
```


So, the hostname is FORENWARMUP.

But we still have two more parts to extract: the username and that user's password.

For these steps I followed this tutorial: [Volatility/Retrieve-password](https://www.aldeid.com/wiki/Volatility/Retrieve-password)

The missing step is clear once you know where the secrets live: the account hashes are stored in the \SystemRoot\System32\Config\SAM hive, but they are encrypted with the boot key, which is derived from the SYSTEM hive. hashdump therefore needs the virtual offsets of both hives from the hivelist output: -y for SYSTEM and -s for SAM.

```sh
volatility -f foren.raw --profile=Win7SP0x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a0014da410
```

Output:

```text
Volatility Foundation Volatility Framework 2.6
```

hashdump prints one line per local account in the pwdump format user:RID:LM hash:NT hash:::, and the NT hash is the one we need to crack.

At first I thought the user we were looking for was fwordCTF, so I cracked that account's password using [https://crackstation.net/](https://crackstation.net/).

Input: a9fdfa038c4b75ebc76dc855dd74f0da

So, the password is password123.

But the flag FwordCTF{FORENWARMUP_fwordCTF_password123} was rejected. Then I remembered that in the hivelist output above the only profile under \??\C:\Users\ belongs to SBA_AK, which is probably the user we want: SBA and AK are the initials of the two authors of this task. Both fwordCTF and SBA_AK have the same NTLM hash, and since NT hashes are unsalted, equal hashes mean equal passwords, so I tried the following flag and it worked.

So, the flag is FwordCTF{FORENWARMUP_SBA_AK_password123}
___

## Memory 2

**Category:** Forensics
**Points:** 379
**Author:** Semah BA & KOOLI
**Description:**

> I had a secret conversation with my friend on internet. On which channel were we chatting?

> File: [foren.7z](resources/forensics-73-memory/foren.7z)

**Hint:**

>(no hint)

### Write-up

Following the initial setups of the previous task Memory, in this task we have to find the channel where the author had a secret chat conversation with his friend.

The natural first step is to list the running processes and look for one that could have been used for chatting (most likely a web browser), then recover the channel from that process's data.

I found a useful tutorial for few commands that I needed to list the captured processes: [First steps to volatile memory analysis](https://medium.com/@zemelusa/first-steps-to-volatile-memory-analysis-dcbd4d2d56a1).

I started with pstree, which prints the processes as a tree so that parent/child relationships are visible:

```sh
volatility -f foren.raw --profile=Win7SP0x64 pstree
```


Output:

```text
Volatility Foundation Volatility Framework 2.6
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa801af105c0:explorer.exe 1000 1332 31 896 2020-08-26 09:11:21 UTC+0000
. 0xfffffa801b024780:WzPreloader.ex 2264 1000 6 123 2020-08-26 09:11:21 UTC+0000
. 0xfffffa801adeaa40:mspaint.exe 1044 1000 7 133 2020-08-26 09:20:28 UTC+0000
. 0xfffffa801aca4060:chrome.exe 3700 1000 33 986 2020-08-26 09:12:48 UTC+0000
.. 0xfffffa801af86b00:chrome.exe 2560 3700 13 337 2020-08-26 09:12:48 UTC+0000
.. 0xfffffa8019ac0640:chrome.exe 3992 3700 14 216 2020-08-26 09:13:33 UTC+0000
.. 0xfffffa8018e55b00:chrome.exe 3304 3700 8 231 2020-08-26 09:12:50 UTC+0000
.. 0xfffffa8019b5b5f0:chrome.exe 540 3700 13 171 2020-08-26 09:13:21 UTC+0000
.. 0xfffffa801ab9c750:chrome.exe 3752 3700 8 93 2020-08-26 09:12:48 UTC+0000
.. 0xfffffa8019b60060:chrome.exe 3816 3700 13 195 2020-08-26 09:13:22 UTC+0000
.. 0xfffffa8019a5b360:chrome.exe 3528 3700 11 209 2020-08-26 09:12:55 UTC+0000
.. 0xfffffa8019b2ab00:chrome.exe 616 3700 26 332 2020-08-26 09:13:21 UTC+0000
.. 0xfffffa8019b6fb00:chrome.exe 2516 3700 17 294 2020-08-26 09:13:32 UTC+0000
. 0xfffffa8019bf7060:DumpIt.exe 1764 1000 2 52 2020-08-26 09:22:18 UTC+0000
0xfffffa801a74db00:wininit.exe 388 348 3 84 2020-08-26 09:10:27 UTC+0000
. 0xfffffa801a74e7e0:services.exe 488 388 8 232 2020-08-26 09:10:27 UTC+0000
.. 0xfffffa801aaba450:svchost.exe 3308 488 14 339 2020-08-26 09:12:31 UTC+0000
.. 0xfffffa801abff060:svchost.exe 1240 488 18 311 2020-08-26 09:10:29 UTC+0000
.. 0xfffffa801aa64510:svchost.exe 900 488 38 1047 2020-08-26 09:10:27 UTC+0000
... 0xfffffa8019bf2060:wuauclt.exe 1876 900 3 98 2020-08-26 09:13:33 UTC+0000
.. 0xfffffa8019bc0b00:svchost.exe 3284 488 7 110 2020-08-26 09:20:28 UTC+0000
.. 0xfffffa801a9e6b00:svchost.exe 680 488 8 298 2020-08-26 09:10:27 UTC+0000
.. 0xfffffa801a976b00:mscorsvw.exe 4012 488 6 93 2020-08-26 09:12:30 UTC+0000
.. 0xfffffa801b3211e0:svchost.exe 2996 488 10 366 2020-08-26 09:11:29 UTC+0000
.. 0xfffffa801ab61b00:svchost.exe 1336 488 10 147 2020-08-26 09:10:30 UTC+0000
.. 0xfffffa801aecf5f0:taskhost.exe 2036 488 10 234 2020-08-26 09:11:20 UTC+0000
.. 0xfffffa8018e10b00:spoolsv.exe 1212 488 14 299 2020-08-26 09:10:29 UTC+0000
.. 0xfffffa801ab66b00:svchost.exe 1096 488 16 480 2020-08-26 09:10:29 UTC+0000
.. 0xfffffa801ae2e060:sppsvc.exe 1360 488 4 151 2020-08-26 09:10:34 UTC+0000
.. 0xfffffa8018e4f4f0:svchost.exe 1748 488 7 104 2020-08-26 09:10:30 UTC+0000
.. 0xfffffa801a9bb060:svchost.exe 600 488 11 367 2020-08-26 09:10:27 UTC+0000
... 0xfffffa801a5f95f0:WmiPrvSE.exe 952 600 5 120 2020-08-26 09:11:30 UTC+0000
.. 0xfffffa801ae824b0:mscorsvw.exe 4052 488 6 83 2020-08-26 09:12:31 UTC+0000
.. 0xfffffa801aa4a860:svchost.exe 864 488 22 574 2020-08-26 09:10:27 UTC+0000
.. 0xfffffa801b20fb00:wmpnetwk.exe 2768 488 14 494 2020-08-26 09:11:28 UTC+0000
.. 0xfffffa801ac9bb00:svchost.exe 1388 488 22 340 2020-08-26 09:10:30 UTC+0000
.. 0xfffffa801aa34b00:svchost.exe 808 488 26 533 2020-08-26 09:10:27 UTC+0000
... 0xfffffa8019f45870:dwm.exe 1604 808 3 80 2020-08-26 09:11:20 UTC+0000
.. 0xfffffa801a9ecb00:svchost.exe 756 488 23 588 2020-08-26 09:10:27 UTC+0000
... 0xfffffa801aa879b0:audiodg.exe 968 756 8 148 2020-08-26 09:10:28 UTC+0000
.. 0xfffffa801aec4480:SearchIndexer. 2644 488 13 711 2020-08-26 09:11:27 UTC+0000
.. 0xfffffa801aab6410:TrustedInstall 1020 488 5 147 2020-08-26 09:10:28 UTC+0000
. 0xfffffa801a5f3b00:lsass.exe 496 388 10 752 2020-08-26 09:10:27 UTC+0000
. 0xfffffa801a79a550:lsm.exe 504 388 10 147 2020-08-26 09:10:27 UTC+0000
0xfffffa801a738060:csrss.exe 356 348 10 459 2020-08-26 09:10:26 UTC+0000
0xfffffa8018da8040:System 4 0 103 585 2020-08-26 09:10:17 UTC+0000
. 0xfffffa8019ebdb00:smss.exe 264 4 2 32 2020-08-26 09:10:17 UTC+0000
0xfffffa801a72fa00:csrss.exe 404 380 9 384 2020-08-26 09:10:27 UTC+0000
. 0xfffffa801b2ad060:conhost.exe 2592 404 2 56 2020-08-26 09:22:18 UTC+0000
0xfffffa801a763930:winlogon.exe 448 380 5 122 2020-08-26 09:10:27 UTC+0000
0xfffffa801b01d480:FAHWindow64.ex 2252 2240 2 77 2020-08-26 09:11:21 UTC+0000
```


The only process name that obviously fits chatting is the Chrome browser (chrome.exe); the chrome.exe children of PID 3700 are its renderer and utility processes, so a chat page's data may sit in any of them. Two other entries are worth noting: DumpIt.exe (PID 1764) and its conhost.exe started at 09:22:18, nine seconds before the image timestamp, so they are the acquisition tool itself, not activity of the user we are investigating.

There is a Volatility plugin that parses Chrome's History database out of memory: [Volatility Plugin – Chrome History](https://blog.superponible.com/2014/08/31/volatility-plugin-chrome-history/).

```sh
git clone https://github.com/superponible/volatility-plugins
```

I used it to extract the browser's history (--plugins points at the cloned directory):

```sh
volatility --plugins=volatility-plugins/ -f foren.raw --profile=Win7SP0x64 chromehistory
```


Output:

```text
Volatility Foundation Volatility Framework 2.6
Index URL Title Visits Typed Last Visit Time Hidden Favicon ID
------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- ------ ----- -------------------------- ------ ----------
82 https://ctf.fword.wtf/ Fword CTF 1 0 2020-08-26 09:13:01.342381 N/A
79 https://discord.gg/beEcn8Q FwordCTF 1 0 2020-08-26 09:12:58.178974 N/A
80 https://discord.com/invite/beEcn8Q FwordCTF 1 0 2020-08-26 09:12:58.178974 N/A
77 http://fword.wtf/ Fword CTF 1 0 2020-08-26 09:12:55.299362 N/A
78 https://fword.wtf/ Fword CTF 1 1 2020-08-26 09:12:55.299362 N/A
92 https://www.youtube.com/watch?v=sT1TFWDvL78&list=RD1XsfrpqXPc0&index=2 Lomepal - Trop Beau (Emma Péters Cover & Crisologo Remix) - YouTube 1 0 2020-08-26 09:16:56.579216 N/A
90 https://webchat.freenode.net/ Kiwi IRC - The web IRC client 1 1 2020-08-26 09:13:32.517035 N/A
89 http://webchat.freenode.net/ Kiwi IRC - The web IRC client 1 0 2020-08-26 09:13:32.517035 N/A
91 https://gofile.io/d/k2RkIS Gofile 1 0 2020-08-26 09:16:55.222846 N/A
```


Apart from the Fword platform, YouTube and the public FwordCTF Discord invite, two sites could have carried a secret chat: https://gofile.io/d/k2RkIS (Gofile, a file-sharing service) and https://webchat.freenode.net/ (Kiwi IRC, a web IRC client). The Typed column is 1 for https://webchat.freenode.net/, so the user typed that address by hand at 09:13:32, and the Gofile link was opened about three minutes later, at 09:16:55.

When I saw the Gofile link I forgot to follow the IRC track at first. I discuss that link in the next task, Memory 3, because the file there is meant for that task and its flag cannot be validated before the flag of this task, Memory 2. So what I needed was whatever the Chrome process still held of the IRC session. Since I did not find a clean way to do that with a Volatility plugin, I used strings over the whole image and searched for IRC-related keywords. (Plain strings only reports 8-bit strings; run strings -el foren.raw as well for UTF-16LE text, which is common in Windows process memory.)

```sh
strings foren.raw > /tmp/foen_strings.log
grep -i "freenode " /tmp/foen_strings.log
```

Output (trimmed; the sender's nick!user@host prefix was mangled when this page was published and shows as [email protected]):

```text
[REDACTED]
ha[":1 :[email protected] PRIVMSG #FwordCTF{top_secret_channel} :Hmmm"]ha[":1 :stross.freenode.net PONG stross.freenode.net :"]ha[":1 :[email protected] PRIVMSG #FwordCTF{top_secret_channel} :No problem I'll give it again .. "]a[":1 :[email protected] PRIVMSG #FwordCTF{top_secret_channel} :Just be careful this time"]ha[":1 :[email protected] PRIVMSG #FwordCTF{top_secret_channel} :The password is"]a[":1 :[email protected] PRIVMSG #FwordCTF{top_secret_channel} :fw0rdsecretp4ss"]ha[":1 :stross.freenode.net PONG stross.freenode.net :"]a[":1 :[email protected] PRIVMSG #FwordCTF{top_secret_channel} :See yaa Bahlous \\o"]hha[":1 :stross.freenode.net PONG stross.freenode.net :"]ha[":1 :stross.freenode.net PONG stross.freenode.net :"]ha[":1 :stross.freenode.net PONG stross.freenode.net :"]ha[":1 :stross.freenode.net PONG stross.freenode.net :"]h
[REDACTED]
```


For those who know the IRC protocol: PRIVMSG is not the command that joins a channel (that is JOIN); it is the message that delivers one chat line to a target, in the form :nick!user@host PRIVMSG target :text, and a target that starts with # is a channel (a target without it is a nick, i.e. a direct message). Every captured line here targets #FwordCTF{top_secret_channel}, so that is the channel name; the leading # is the channel-name prefix in IRC, not part of the flag.

This task could also be solved with strings foren.raw | grep FwordCTF, but that shortcut teaches nothing about where the data lives, which is the real point of the task.

So, the flag is FwordCTF{top_secret_channel}.
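To make the PRIVMSG grammar concrete, here is an added Python example (not code from the writeup, from Volatility or from Kiwi IRC) that carves PRIVMSG lines out of a raw memory blob the way the strings/grep step did, but actually parses them: it checks both 8-bit and UTF-16LE views of the bytes, separates channel targets from direct messages, rebuilds the per-channel transcript, and pulls out the password line that Memory 3 later relies on. The sample buffer is constructed: its message texts mirror the ones grep surfaced above, while the hostmask alice!~a@example.net and the direct message to bob are invented.

```python
import re
from collections import defaultdict

# One IRC line in the RFC 1459 shape  [:prefix] COMMAND params [:trailing].  Only PRIVMSG
# is carved. The trailing text runs to CR/LF, or to the closing quote of the JSON string
# that Kiwi IRC keeps received lines in (the ha[":1 :... "] fragments seen in the grep).
_PRIVMSG = re.compile(r':(?P<prefix>[^\s"]+) PRIVMSG (?P<target>[^\s"]+) :(?P<text>[^\r\n"]*)')


def nick_of(prefix: str) -> str:
    """'nick!user@host' -> 'nick'; a server prefix (no '!') is returned whole."""
    return prefix.split("!", 1)[0]


def text_views(blob: bytes):
    """Decoded views of a raw memory blob: 8-bit text, then UTF-16LE at both byte
    alignments (what `strings -el` would see), so wide-char buffers are not missed."""
    yield blob.decode("latin-1")
    for off in (0, 1):
        chunk = blob[off:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]
        yield chunk.decode("utf-16-le", errors="ignore")


def carve_privmsgs(blob: bytes):
    """(nick, target, text) tuples found in any view, de-duplicated, in carve order."""
    seen, out = set(), []
    for view in text_views(blob):
        for m in _PRIVMSG.finditer(view):
            rec = (nick_of(m["prefix"]), m["target"], m["text"])
            if rec not in seen:
                seen.add(rec)
                out.append(rec)
    return out


def channels(msgs):
    """Channel names start with '#' or '&'; any other target is a direct message to a nick."""
    return sorted({t for _, t, _ in msgs if t[:1] in ("#", "&")})


def transcript(msgs):
    """Messages grouped per target, in carve order."""
    by = defaultdict(list)
    for nick, target, text in msgs:
        by[target].append((nick, text))
    return dict(by)


def shared_password(msgs):
    """The conversation spelled the password in the line after 'The password is';
    return the text of that following line in the same target, or None."""
    for lines in transcript(msgs).values():
        for (_, text), (_, nxt) in zip(lines, lines[1:]):
            if text.strip().lower().endswith("password is"):
                return nxt.strip()
    return None


# Constructed sample buffer (not a real dump): the texts mirror the grep output above; the
# hostmask and the message to "bob" are invented; the last line is stored as UTF-16LE to
# exercise the wide-string path that plain `strings` would miss.
_ascii = (
    b'ha[":1 :alice!~a@example.net PRIVMSG #FwordCTF{top_secret_channel} :The password is"]'
    b'a[":1 :alice!~a@example.net PRIVMSG #FwordCTF{top_secret_channel} :fw0rdsecretp4ss"]'
    b'ha[":1 :stross.freenode.net PONG stross.freenode.net :"]'
    b'a[":1 :alice!~a@example.net PRIVMSG bob :not a channel, a direct message"]'
)
_wide = (":alice!~a@example.net PRIVMSG #FwordCTF{top_secret_channel} "
         ":Just be careful this time\r\n").encode("utf-16-le")
SAMPLE = _ascii + b"\x00" * (16 + len(_ascii) % 2) + _wide  # keep the wide part 2-byte aligned

if __name__ == "__main__":
    msgs = carve_privmsgs(SAMPLE)
    print("channels:", channels(msgs))
    for target, lines in transcript(msgs).items():
        for nick, text in lines:
            print(f"{target:<32} <{nick}> {text}")
    print("password:", shared_password(msgs))
```

Run it against the real image by replacing SAMPLE with the bytes of foren.raw (read in chunks that overlap by a few kilobytes, so a line straddling a chunk boundary is not lost). The hostmask parsing is what lets you tell the server's PONG traffic from the friend's lines, and the target check is what distinguishes the channel from a direct message.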
___

## Memory 3

**Category:** Forensics
**Points:** 405
**Author:** Semah BA & KOOLI
**Description:**

> He sent me a secret file , can you recover it ?

> PS: NO BRUTEFORCE NEEDED FOR THE PASSWORD

> File: [foren.7z](resources/forensics-73-memory/foren.7z)

**Hint:**

>(no hint)

### Write-up

Following the initial setup from the first task (Memory) and the last steps of Memory 2, in this task we have to find the file that the author's friend sent to him.

We already know that a file was shared on Gofile according to the web browser's history.


volatility --plugins=volatility-plugins/ -f foren.raw --profile=Win7SP0x64 chromehistory


Output:


Volatility Foundation Volatility Framework 2.6
Index URL Title Visits Typed Last Visit Time Hidden Favicon ID
------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- ------ ----- -------------------------- ------ ----------
82 https://ctf.fword.wtf/ Fword CTF 1 0 2020-08-26 09:13:01.342381 N/A
79 https://discord.gg/beEcn8Q FwordCTF 1 0 2020-08-26 09:12:58.178974 N/A
80 https://discord.com/invite/beEcn8Q FwordCTF 1 0 2020-08-26 09:12:58.178974 N/A
77 http://fword.wtf/ Fword CTF 1 0 2020-08-26 09:12:55.299362 N/A
78 https://fword.wtf/ Fword CTF 1 1 2020-08-26 09:12:55.299362 N/A
92 https://www.youtube.com/watch?v=sT1TFWDvL78&list=RD1XsfrpqXPc0&index=2 Lomepal - Trop Beau (Emma Péters Cover & Crisologo Remix) - YouTube 1 0 2020-08-26 09:16:56.579216 N/A
90 https://webchat.freenode.net/ Kiwi IRC - The web IRC client 1 1 2020-08-26 09:13:32.517035 N/A
89 http://webchat.freenode.net/ Kiwi IRC - The web IRC client 1 0 2020-08-26 09:13:32.517035 N/A
91 https://gofile.io/d/k2RkIS Gofile 1 0 2020-08-26 09:16:55.222846 N/A


The file that we are searching for was available in this web page: [https://gofile.io/d/k2RkIS](https://gofile.io/d/k2RkIS).

That file was a compressed and encrypted .zip file.

And since, in the description, the author asked to avoid brute-forcing the password, I knew that he was talking about the .zip file.

Personally, since the Memory tasks are chained (the next task becomes visible only when you solve the current one), I was able to solve Memory 3 (without seeing its description) before Memory 2. Even though the flag of Memory 2 was right there in the output of the strings command (see the previous task), I don't know why I ignored it; I was focused on a way to extract the flag from the compressed, encrypted .zip file. I figured out that the author was talking with his friend on IRC, so I checked the conversation again and found that they had shared the file's password there.

But without seeing Memory 3's description, I didn't know that brute-forcing the .zip's password wouldn't help; I tried it and failed. From that moment, I asked myself why I couldn't use the strings command to search for the .zip's password. And since I knew that the password would not be obvious (it would not contain the word FwordCTF), I tried the following command.


strings foren.raw > /tmp/foen_strings.log


And I found the same results as in the previous task, Memory 2.

Output:


[REDACTED]
ha[":1 :[email protected] PRIVMSG #FwordCTF{top_secret_channel} :Hmmm"]ha[":1 :stross.freenode.net PONG stross.freenode.net :"]ha[":1 :[email protected] PRIVMSG #FwordCTF{top_secret_channel} :No problem I'll give it again .. "]a[":1 :[email protected] PRIVMSG #FwordCTF{top_secret_channel} :Just be careful this time"]ha[":1 :[email protected] PRIVMSG #FwordCTF{top_secret_channel} :The password is"]a[":1 :[email protected] PRIVMSG #FwordCTF{top_secret_channel} :fw0rdsecretp4ss"]ha[":1 :stross.freenode.net PONG stross.freenode.net :"]a[":1 :[email protected] PRIVMSG #FwordCTF{top_secret_channel} :See yaa Bahlous \\o"]hha[":1 :stross.freenode.net PONG stross.freenode.net :"]ha[":1 :stross.freenode.net PONG stross.freenode.net :"]ha[":1 :stross.freenode.net PONG stross.freenode.net :"]ha[":1 :stross.freenode.net PONG stross.freenode.net :"]h
[REDACTED]


We will take only a small part:


:[email protected] PRIVMSG #FwordCTF{top_secret_channel} :The password is"]a[":1 :[email protected] PRIVMSG #FwordCTF{top_secret_channel} :fw0rdsecretp4ss"]ha[":1


This reads as follows (an IRC line has the form :prefix COMMAND params :trailing):

- The prefix is the sender's hostmask in nick!user@host form: the nick is KOOLI, the ident (user field) is c50e307f and the host is 197.14.48.127 (the user@host part appears obscured in the output above). The ident is that same address written in hex (c5.0e.30.7f = 197.14.48.127), which is how freenode's web gateway labelled browser clients.
- PRIVMSG is the command that delivers a message and its first parameter is the target; here it is the channel #FwordCTF{top_secret_channel}, so he is talking in that channel.
- The trailing parameter (everything after the final " :") is the message text: "The password is" in one line, followed by "fw0rdsecretp4ss" in the next.
- The h and a[...] bytes wrapped around each line are SockJS transport frames (a heartbeat and an array frame) from the Kiwi web client's connection, and :1 is its connection number; they are not part of the conversation, and they are not laughter.


So, the password is fw0rdsecretp4ss.
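The grep-and-read step used in Memory 2 and again here can be done by a small parser, so that the channel, the sender and the secret fall out without eyeballing a wall of strings output. The following Python is an added example, not code from the original write-up: it pulls the quoted IRC lines out of a strings fragment, splits each into prefix, command, parameters and trailing text, keeps only channel PRIVMSGs, decodes the web gateway's hex ident, and returns the message that follows the "The password is" announcement. The sample fragment is constructed to match the fragments shown above; the hostmask in it (KOOLI!c50e307f@197.14.48.127) is an assumption that follows the reading of the line given above, because the strings output on this page shows that part obscured.

```python
import re
from ipaddress import IPv4Address

# Constructed sample shaped like the fragments `strings` pulled from the dump.
# Assumption: the sender's hostmask is KOOLI!c50e307f@197.14.48.127, as read in
# the write-up; the strings output on the page shows that part obscured.
SAMPLE = (
    'ha[":1 :KOOLI!c50e307f@197.14.48.127 PRIVMSG #FwordCTF{top_secret_channel} :Hmmm"]'
    'ha[":1 :stross.freenode.net PONG stross.freenode.net :"]'
    'a[":1 :KOOLI!c50e307f@197.14.48.127 PRIVMSG #FwordCTF{top_secret_channel} :The password is"]'
    'a[":1 :KOOLI!c50e307f@197.14.48.127 PRIVMSG #FwordCTF{top_secret_channel} :fw0rdsecretp4ss"]'
    'ha[":1 :stross.freenode.net PONG stross.freenode.net :"]'
)

# The Kiwi web client carried IRC over SockJS: `h` is a heartbeat frame and
# a["..."] an array frame, with `:1` as the client's connection number. Only the
# quoted text after `:1 ` is an IRC line, so that is all we keep.
STORED_LINE = re.compile(r'\[":1 ([^"]*)"\]')
CHANNEL_PREFIXES = "#&+!"          # RFC 2811 channel-name prefixes


def parse_irc_line(line):
    """Split ':prefix COMMAND params :trailing' into its parts (RFC 1459 framing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    return {"prefix": prefix, "command": parts[0].upper(),
            "params": parts[1:], "trailing": trailing}


def split_hostmask(prefix):
    """'nick!user@host' -> (nick, user, host); a server prefix has no '!' and gives None."""
    m = re.fullmatch(r"([^!@]+)!([^@]+)@(.+)", prefix or "")
    return m.groups() if m else None


def ident_to_ipv4(ident):
    """freenode's web gateway set the ident to the client's IPv4 address in hex,
    so c50e307f decodes to 197.14.48.127 and can be checked against the host field."""
    ident = ident.lstrip("~")
    if re.fullmatch(r"[0-9a-fA-F]{8}", ident):
        return str(IPv4Address(int(ident, 16)))
    return None


def extract_privmsgs(blob):
    """Channel messages, in stored order, from a strings fragment like SAMPLE."""
    out = []
    for raw in STORED_LINE.findall(blob):
        msg = parse_irc_line(raw)
        if not msg or msg["command"] != "PRIVMSG" or not msg["params"]:
            continue
        target = msg["params"][0]
        if target[0] not in CHANNEL_PREFIXES:
            continue                       # private query, not channel traffic
        hm = split_hostmask(msg["prefix"])
        out.append({
            "nick": hm[0] if hm else msg["prefix"],
            "ident_ip": ident_to_ipv4(hm[1]) if hm else None,
            "host": hm[2] if hm else None,
            "channel": target,
            "text": msg["trailing"] or "",
        })
    return out


def secret_after(messages, marker="password"):
    """The message that follows the first one mentioning `marker`: the secret was
    announced in one line and pasted in the next, so that is where to look."""
    for i in range(len(messages) - 1):
        if marker in messages[i]["text"].lower():
            return messages[i + 1]["text"]
    return None


if __name__ == "__main__":
    msgs = extract_privmsgs(SAMPLE)
    for m in msgs:
        print(f'{m["nick"]} (ident -> {m["ident_ip"]}, host {m["host"]}) {m["channel"]}: {m["text"]}')
    print("password:", secret_after(msgs))
```

To run it against the real dump, feed extract_privmsgs the output of strings foren.raw (or just the lines grep pulls out with "freenode"). The ident check is the cross-check worth keeping: when the hex ident decodes to the same address as the host field, the line came through the web gateway as the write-up assumes; a prefix whose ident does not decode that way belongs to a client that connected some other way.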

And, when we used it to extract the files from the .zip file, we found an image that contains the flag: [flag1.png](resources/forensics-405-memory_3/flag1.png)

So, the flag is FwordCTF{dont_share_secrets_on_public_channels}.
___

## Memory 4

**Category:** Forensics
**Points:** 492
**Author:** SemahBA & KOOLI
**Description:**

> Since i'm a geek, i hide my secrets in weird places

> File: [foren.7z](resources/forensics-73-memory/foren.7z)

**Hint:**

>(no hint)

### Write-up

Following the initial setup from the first task (Memory), in this task we have to find the flag hidden in a "weird place".

I wanted to predict where the flag is by using the timeline of process executions, excluding the system processes and the processes we already worked on in the previous tasks, but, as usual, I found the flag of the next task, Memory 5, before finding the flag of the current task, Memory 4.

And when I tried to understand what "weird place" could mean, given that it can't be the processes we already worked on and that it should be something geeks relate to, I thought about the user's registry keys.

So, I went back to the following command.


volatility -f foren.raw --profile=Win7SP0x64 hivelist


Output:


Volatility Foundation Volatility Framework 2.6
Virtual Physical Name
------------------ ------------------ ----
0xfffff8a000b0f410 0x000000002720d410 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xfffff8a000d00010 0x000000001ff75010 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xfffff8a000f8b410 0x00000000175e8410 \??\C:\Windows\System32\config\COMPONENTS
0xfffff8a00145f010 0x0000000027d9b010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a0014da410 0x00000000275c0410 \SystemRoot\System32\Config\SAM
0xfffff8a0033fe410 0x0000000069de6410 \??\C:\Users\SBA_AK\ntuser.dat
0xfffff8a0036e7010 0x0000000069188010 \??\C:\Users\SBA_AK\AppData\Local\Microsoft\Windows\UsrClass.dat
0xfffff8a0038fe280 0x0000000068390280 \??\C:\System Volume Information\Syscache.hve
0xfffff8a00000f010 0x000000002cfef010 [no name]
0xfffff8a000024010 0x000000002d07a010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a000058010 0x000000002d3ae010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000846010 0x000000002a0e9010 \Device\HarddiskVolume1\Boot\BCD
0xfffff8a000873010 0x0000000013880010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a000ab8010 0x0000000027455010 \SystemRoot\System32\Config\SECURITY


And since we know that the user we are investigating is SBA_AK, there are two hives we might need to check: \??\C:\Users\SBA_AK\ntuser.dat (the hive behind HKEY_CURRENT_USER) and/or \??\C:\Users\SBA_AK\AppData\Local\Microsoft\Windows\UsrClass.dat (the hive behind HKCU\Software\Classes).

I started with the first one and I used its virtual offset in the volatility command to list the registry keys.


volatility -f foren.raw --profile=Win7SP0x64 printkey -o 0xfffff8a0033fe410


Output:


Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \??\C:\Users\SBA_AK\ntuser.dat
Key name: CMI-CreateHive{D43B12B8-09B5-40DB-B4F6-F6DFEB78DAEC} (S)
Last updated: 2020-08-26 09:11:20 UTC+0000

Subkeys:
(S) AppEvents
(S) Console
(S) Control Panel
(S) Environment
(S) EUDC
(S) FLAG
(S) Identities
(S) Keyboard Layout
(S) Network
(S) Printers
(S) Software
(S) System
(V) Volatile Environment

Values:


And that's how I spotted the subkey FLAG that might contain the flag.

Then, I printed its value.


volatility -f foren.raw --profile=Win7SP0x64 printkey -o 0xfffff8a0033fe410 -K "FLAG"


Output:


Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \??\C:\Users\SBA_AK\ntuser.dat
Key name: FLAG (S)
Last updated: 2020-08-25 18:45:05 UTC+0000

Subkeys:

Values:
REG_SZ : (S) FwordCTF{hiding_secrets_in_regs}


So, the flag is FwordCTF{hiding_secrets_in_regs}.
___

## Memory 5

**Category:** Forensics
**Points:** 495
**Author:** SemahBA & KOOLI
**Description:**

> I'm an artist too, i love painting. I always paint in these dimensions 600x300

> File: [foren.7z](resources/forensics-73-memory/foren.7z)

**Hint:**

>(no hint)

### Write-up

Following the initial setup from the first task (Memory), in this task we have to find the image that the author painted, using the 600x300 dimensions given in the description.

Since I solved Memory 5 before solving Memory 4, I didn't have the chance to read its description, because Memory 5 is not visible until Memory 4 is solved.

I wanted to predict where the flag is by using the timeline of the process executions and by excluding the system processes and the processes that we already worked on in the previous tasks.


volatility -f foren.raw --profile=Win7SP0x64 pslist


Output:


Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8018da8040 System 4 0 103 585 ------ 0 2020-08-26 09:10:17 UTC+0000
0xfffffa8019ebdb00 smss.exe 264 4 2 32 ------ 0 2020-08-26 09:10:17 UTC+0000
0xfffffa801a738060 csrss.exe 356 348 10 459 0 0 2020-08-26 09:10:26 UTC+0000
0xfffffa801a74db00 wininit.exe 388 348 3 84 0 0 2020-08-26 09:10:27 UTC+0000
0xfffffa801a72fa00 csrss.exe 404 380 9 384 1 0 2020-08-26 09:10:27 UTC+0000
0xfffffa801a763930 winlogon.exe 448 380 5 122 1 0 2020-08-26 09:10:27 UTC+0000
0xfffffa801a74e7e0 services.exe 488 388 8 232 0 0 2020-08-26 09:10:27 UTC+0000
0xfffffa801a5f3b00 lsass.exe 496 388 10 752 0 0 2020-08-26 09:10:27 UTC+0000
0xfffffa801a79a550 lsm.exe 504 388 10 147 0 0 2020-08-26 09:10:27 UTC+0000
0xfffffa801a9bb060 svchost.exe 600 488 11 367 0 0 2020-08-26 09:10:27 UTC+0000
0xfffffa801a9e6b00 svchost.exe 680 488 8 298 0 0 2020-08-26 09:10:27 UTC+0000
0xfffffa801a9ecb00 svchost.exe 756 488 23 588 0 0 2020-08-26 09:10:27 UTC+0000
0xfffffa801aa34b00 svchost.exe 808 488 26 533 0 0 2020-08-26 09:10:27 UTC+0000
0xfffffa801aa4a860 svchost.exe 864 488 22 574 0 0 2020-08-26 09:10:27 UTC+0000
0xfffffa801aa64510 svchost.exe 900 488 38 1047 0 0 2020-08-26 09:10:27 UTC+0000
0xfffffa801aa879b0 audiodg.exe 968 756 8 148 0 0 2020-08-26 09:10:28 UTC+0000
0xfffffa801aab6410 TrustedInstall 1020 488 5 147 0 0 2020-08-26 09:10:28 UTC+0000
0xfffffa801ab66b00 svchost.exe 1096 488 16 480 0 0 2020-08-26 09:10:29 UTC+0000
0xfffffa8018e10b00 spoolsv.exe 1212 488 14 299 0 0 2020-08-26 09:10:29 UTC+0000
0xfffffa801abff060 svchost.exe 1240 488 18 311 0 0 2020-08-26 09:10:29 UTC+0000
0xfffffa801ab61b00 svchost.exe 1336 488 10 147 0 0 2020-08-26 09:10:30 UTC+0000
0xfffffa801ac9bb00 svchost.exe 1388 488 22 340 0 0 2020-08-26 09:10:30 UTC+0000
0xfffffa8018e4f4f0 svchost.exe 1748 488 7 104 0 0 2020-08-26 09:10:30 UTC+0000
0xfffffa801ae2e060 sppsvc.exe 1360 488 4 151 0 0 2020-08-26 09:10:34 UTC+0000
0xfffffa801aecf5f0 taskhost.exe 2036 488 10 234 1 0 2020-08-26 09:11:20 UTC+0000
0xfffffa8019f45870 dwm.exe 1604 808 3 80 1 0 2020-08-26 09:11:20 UTC+0000
0xfffffa801af105c0 explorer.exe 1000 1332 31 896 1 0 2020-08-26 09:11:21 UTC+0000
0xfffffa801b01d480 FAHWindow64.ex 2252 2240 2 77 1 0 2020-08-26 09:11:21 UTC+0000
0xfffffa801b024780 WzPreloader.ex 2264 1000 6 123 1 0 2020-08-26 09:11:21 UTC+0000
0xfffffa801aec4480 SearchIndexer. 2644 488 13 711 0 0 2020-08-26 09:11:27 UTC+0000
0xfffffa801b20fb00 wmpnetwk.exe 2768 488 14 494 0 0 2020-08-26 09:11:28 UTC+0000
0xfffffa801b3211e0 svchost.exe 2996 488 10 366 0 0 2020-08-26 09:11:29 UTC+0000
0xfffffa801a5f95f0 WmiPrvSE.exe 952 600 5 120 0 0 2020-08-26 09:11:30 UTC+0000
0xfffffa801a976b00 mscorsvw.exe 4012 488 6 93 0 1 2020-08-26 09:12:30 UTC+0000
0xfffffa801ae824b0 mscorsvw.exe 4052 488 6 83 0 0 2020-08-26 09:12:31 UTC+0000
0xfffffa801aaba450 svchost.exe 3308 488 14 339 0 0 2020-08-26 09:12:31 UTC+0000
0xfffffa801aca4060 chrome.exe 3700 1000 33 986 1 0 2020-08-26 09:12:48 UTC+0000
0xfffffa801ab9c750 chrome.exe 3752 3700 8 93 1 0 2020-08-26 09:12:48 UTC+0000
0xfffffa801af86b00 chrome.exe 2560 3700 13 337 1 0 2020-08-26 09:12:48 UTC+0000
0xfffffa8018e55b00 chrome.exe 3304 3700 8 231 1 0 2020-08-26 09:12:50 UTC+0000
0xfffffa8019a5b360 chrome.exe 3528 3700 11 209 1 0 2020-08-26 09:12:55 UTC+0000
0xfffffa8019b2ab00 chrome.exe 616 3700 26 332 1 0 2020-08-26 09:13:21 UTC+0000
0xfffffa8019b5b5f0 chrome.exe 540 3700 13 171 1 0 2020-08-26 09:13:21 UTC+0000
0xfffffa8019b60060 chrome.exe 3816 3700 13 195 1 0 2020-08-26 09:13:22 UTC+0000
0xfffffa8019b6fb00 chrome.exe 2516 3700 17 294 1 0 2020-08-26 09:13:32 UTC+0000
0xfffffa8019ac0640 chrome.exe 3992 3700 14 216 1 0 2020-08-26 09:13:33 UTC+0000
0xfffffa8019bf2060 wuauclt.exe 1876 900 3 98 1 0 2020-08-26 09:13:33 UTC+0000
0xfffffa801adeaa40 mspaint.exe 1044 1000 7 133 1 0 2020-08-26 09:20:28 UTC+0000
0xfffffa8019bc0b00 svchost.exe 3284 488 7 110 0 0 2020-08-26 09:20:28 UTC+0000
0xfffffa8019bf7060 DumpIt.exe 1764 1000 2 52 1 1 2020-08-26 09:22:18 UTC+0000
0xfffffa801b2ad060 conhost.exe 2592 404 2 56 1 0 2020-08-26 09:22:18 UTC+0000


And I found that the only process we hadn't already checked, and that was started later, was mspaint.exe (Paint).

Now, coming back to reality: the task description does mention the Paint tool.

And the challenge I actually solved was harder, because without the task's description I didn't have the image's dimensions.

I had the process name and the process ID to work on in order to extract the painted image, which contains the flag, from memory.

I followed this write-up to do that: [Google CTF 2016 – Forensic “For1” Write-up](https://www.rootusers.com/google-ctf-2016-forensic-for1-write-up/).

And the first step that I needed to do was to extract the memory dump for that specific process.


volatility -f foren.raw --profile=Win7SP0x64 memdump -p 1044 -D /tmp


The extracted memory dump file will be located on /tmp/1044.dmp.

And as pointed out in the mentioned write-up, we have to download GIMP, rename the file from 1044.dmp to 1044.data and open it with GIMP, which loads a .data file as raw image data.

The extracted file 1044.dmp was bigger than the memory dump, and I still can't explain why we see this behaviour when we dump a process to a separate file.

And as I said, when I solved this task I didn't have the image's dimensions, and when I opened the 1044.data file in GIMP there were 3 parameters to change: the offset, the width and the height.

But I found that the height parameter is not really important; only the width has to be right. The width fixes how many pixels, and therefore how many bytes (width × bytes per pixel, the row stride), make up one line. With a wrong width every line after the first is shifted a little further than the previous one, so the picture smears into diagonals and nothing is recognisable. A wrong height only cuts the picture short or adds junk below it.

The first time, I tried to work with a larger width, because I assumed I would see the whole picture when the window is larger, but this is not always correct.

The offset is the number of bytes skipped before the first pixel. It is how you scroll through the dump: moving it by less than one row shifts every line left or right (pixels are popped from, or pushed onto, the start of the view and everything after them moves along), while moving it by whole rows scrolls the picture up or down.

This makes the width more important than the offset.

So, if we have the correct width, we can find the painted image just by changing the offset, because we will be scrolling through the memory dump until we reach the painted image: the dump must contain the data of that process, and Paint's data is an image.

The only thing that made me lucky in this task is that I thought we would have to guess the image dimensions and that it would not be difficult. So, I supposed that the painted image would be square. When I used a larger width and changed the offset from the minimum to the maximum, I didn't find anything interesting, so I reduced the width to 350 or 400. Then I changed the offset again from the minimum to the maximum until I found an interesting blank image containing some random lines. Then, I changed the width and the height to make the image square (but, as I said, changing the height is not useful since the image is visible even with a wrong height) until I found an interesting image with a width of 300, but the image was still not clear. So, I tried widths of 100, 200, 300, 400, 500 and 600 and Bingo! the width was 600. The image is also still clear with a width that is a multiple of 600 (like 1200, 1800, 2400).

Then, I took a screenshot of that image and rotated it to see the flag clearly.
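The offset hunt described above can be automated instead of dragging GIMP's offset slider. The following Python is an added example, not code from this write-up or from the referenced one: it walks a process dump at page-aligned offsets, checks at each one whether the next few rows of 600 × 4 bytes look like consecutive scanlines (neighbouring rows of a painting are nearly identical byte for byte, random memory agrees on about 1 byte in 256), and wraps the first hit in a BMP header so any viewer can open it. The dump here is constructed (random filler with a synthetic canvas planted at a known offset); the 32-bit BGRA pixel format, the page alignment of the canvas buffer and the 0.9 threshold are assumptions about how Paint keeps its canvas in memory, not facts taken from foren.raw.

```python
import random
import struct

# Canvas geometry from the task description; 32-bit BGRA is an assumption about
# how Paint keeps its canvas in memory (not taken from the dump).
WIDTH, HEIGHT, BPP = 600, 300, 4
STRIDE = WIDTH * BPP            # bytes per scanline: the number GIMP's width field must match
PAGE = 4096                     # assumption: the canvas buffer starts on a page boundary


def synthetic_canvas(width=WIDTH, height=HEIGHT):
    """Constructed stand-in for the painted canvas: white background with a dark
    rectangle and a diagonal line, so neighbouring rows are similar but not equal."""
    rows = []
    for y in range(height):
        row = bytearray(b"\xff\xff\xff\xff" * width)
        for x in range(width):
            if (100 <= x < 300 and 80 <= y < 180) or abs(x - 2 * y) < 3:
                row[x * 4:x * 4 + 4] = b"\x20\x20\xc0\xff"      # B, G, R, A
        rows.append(bytes(row))
    return b"".join(rows)


def synthetic_dump(planted_offset, total_size, seed=1):
    """Constructed process dump: random filler with the canvas planted at planted_offset."""
    canvas = synthetic_canvas()
    dump = bytearray(random.Random(seed).randbytes(total_size))
    dump[planted_offset:planted_offset + len(canvas)] = canvas
    return bytes(dump)


def equal_bytes(a, b):
    """Number of positions at which two equally long byte strings agree."""
    diff = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
    return diff.to_bytes(len(a), "big").count(0)


def row_coherence(dump, offset, stride=STRIDE, rows=8):
    """Fraction of bytes shared by consecutive scanlines starting at offset.
    Random memory scores about 1/256; raster data scores close to 1."""
    matched = 0
    for r in range(rows):
        a = dump[offset + r * stride:offset + (r + 1) * stride]
        b = dump[offset + (r + 1) * stride:offset + (r + 2) * stride]
        if len(a) < stride or len(b) < stride:
            return 0.0
        matched += equal_bytes(a, b)
    return matched / (rows * stride)


def find_bitmap(dump, stride=STRIDE, align=PAGE, threshold=0.9):
    """Walk the dump at page-aligned offsets and return (offset, score) of the first
    place that looks like a raster with this stride, or None if nothing does."""
    for offset in range(0, len(dump), align):
        score = row_coherence(dump, offset, stride)
        if score >= threshold:
            return offset, score
    return None


def carve_bmp(dump, offset, width=WIDTH, height=HEIGHT, top_down=False):
    """Wrap the raw BGRA rows at offset in a 32-bit BMP. A positive height in the
    header means bottom-up rows, which is how Windows stores DIB sections; pass
    top_down=True if the rows in the dump run top to bottom instead."""
    stride = width * 4
    body = dump[offset:offset + stride * height]
    file_header = struct.pack("<2sIHHI", b"BM", 54 + len(body), 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, -height if top_down else height,
                              1, 32, 0, len(body), 2835, 2835, 0, 0)
    return file_header + info_header + body


if __name__ == "__main__":
    image = synthetic_dump(planted_offset=0x80000, total_size=2 * 1024 * 1024)
    hit = find_bitmap(image)
    print("candidate canvas:", hit)
    if hit:
        # the constructed canvas was written top-down, hence top_down=True here
        with open("/tmp/carved.bmp", "wb") as f:
            f.write(carve_bmp(image, hit[0], top_down=True))
```

On a real dump, replace the constructed image with open("/tmp/1044.dmp", "rb").read() and carve with the default top_down=False first: Windows keeps DIB sections bottom-up while a raw importer such as GIMP draws rows from the top, which is the usual reason a recovered canvas comes out upside down and needs turning, as above. The stride is also why widths of 1200 or 1800 still showed a coherent image: a displayed row of 1200 pixels is exactly two scanlines, so the picture stays aligned and simply appears twice side by side. If the canvas is not page-aligned in memory, lower align to 4 (the scan gets slower but still finishes), and if Paint used a different pixel format the stride has to be adjusted with it.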

So, the flag is FwordCTF{Paint_Skills_FTW!}.

___

# Scoreboard

After solving all these tasks as a team of two players (the third team member had an issue and was not able to join the party), our team **[S3c5murf](https://ctftime.org/team/63808)** got a score of 3277 and ranked 67 out of the 360 teams that had a score greater than 0:

...

...

Original writeup (https://github.com/mohamedaymenkarmous/CTF/tree/master/FwordCTF2020#memory-5).