
## Notes (notes)

### Description - notes

Solved By: [OreoByte](https://github.com/OreoByte)

Author: [goproslowyo](https://github.com/goproslowyo)

We're given a Windows memory dump to analyze. The user's clipboard contents, recovered with Volatility, hold a base64-encoded string that decodes to the flag.

### Process - notes

1. Downloaded `image.mem` for the challenge.

```shell
root@ip-10-10-162-135:~/repos# curl -LO http://static.ctf.umasscybersec.org/forensics/13096721-bb26-4b79-956f-3f0cddebd49b/image.mem
```

1. Analyze the memory dump:
- The `imageinfo` command identifies the profile to pass later via the `--profile=[profile]` argument. It lists several candidates; the first suggestion, `Win7SP1x64`, agrees with the `Image Type (Service Pack) : 1` line, so this is a `Windows 7 Service Pack 1` x64 memory dump. If a later plugin returns nothing, `kdbgscan` can be used to confirm the profile.
- The `grep -vi 'fail'` only filters out import errors from optional Python modules; the results are the same without it.

```shell
root@ip-10-10-162-135:~/repos# vol.py -f image.mem imageinfo | grep -vi 'fail'
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/root/repos/image.mem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002a3b0a0L
Number of Processors : 6
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002a3cd00L
KPCR for CPU 1 : 0xfffff880009f1000L
KPCR for CPU 2 : 0xfffff88002ea9000L
KPCR for CPU 3 : 0xfffff88002f1f000L
KPCR for CPU 4 : 0xfffff88002f95000L
KPCR for CPU 5 : 0xfffff88002fcb000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2021-03-20 18:16:12 UTC+0000
Image local date and time : 2021-03-20 13:16:12 -0500
```

1. The `clipboard` plugin walks the clipboard data in the memory image. The `CF_UNICODETEXT` entry holds a base64-encoded string:

```shell
root@ip-10-10-162-135:~/repos# vol.py -f image.mem --profile=Win7SP1x64 clipboard
Volatility Foundation Volatility Framework 2.6.1
Session WindowStation Format Handle Object Data
---------- ------------- ------------------ ------------------ ------------------ --------------------------------------------------
1 WinSta0 CF_UNICODETEXT 0x5a00b5 0xfffff900c26aeb60 VU1BU1N7JDNDVVIzXyQ3MFJhZzN9Cg==
1 WinSta0 CF_TEXT 0x64006e00000010 ------------------
1 WinSta0 0x13c01b7L 0x0 ------------------
1 WinSta0 CF_TEXT 0x1 ------------------
1 ------------- ------------------ 0x13c01b7 0xfffff900c06fa270
```

1. Decode the string:

```shell
root@ip-10-10-162-135:~/repos# echo VU1BU1N7JDNDVVIzXyQ3MFJhZzN9Cg== | base64 -d
UMASS{$3CUR3_$70Rag3}
```
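As an added example (not part of the original writeup), the following Python script automates steps 3 and 4: it parses the table printed by the `clipboard` plugin, strictly base64-decodes whatever sits in the Data column, and searches the decoded text for a `NAME{...}` flag. The sample table embedded in the script is the one shown above, so it runs offline; the column handling assumes Volatility 2's whitespace-separated `clipboard` output as printed there, and the flag regex is a generic assumption rather than anything the challenge specifies.

```python
"""Recover base64-encoded flags from Volatility 2 `clipboard` output."""
import base64
import binascii
import re
import sys

# Constructed sample: the `clipboard` table from this writeup, embedded so the
# script runs offline. Normally you would pipe in the live output of
#   vol.py -f image.mem --profile=Win7SP1x64 clipboard
SAMPLE_CLIPBOARD_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6.1
Session WindowStation Format Handle Object Data
---------- ------------- ------------------ ------------------ ------------------ --------------------------------------------------
1 WinSta0 CF_UNICODETEXT 0x5a00b5 0xfffff900c26aeb60 VU1BU1N7JDNDVVIzXyQ3MFJhZzN9Cg==
1 WinSta0 CF_TEXT 0x64006e00000010 ------------------
1 WinSta0 0x13c01b7L 0x0 ------------------
1 WinSta0 CF_TEXT 0x1 ------------------
1 ------------- ------------------ 0x13c01b7 0xfffff900c06fa270
"""

# Raw handles/addresses as Volatility prints them (Python 2 longs carry an "L").
HEX_TOKEN = re.compile(r"^0x[0-9a-fA-F]+L?$")
# Standard-alphabet base64 with optional padding; at least 8 chars so short
# handles such as "0x1" are never mistaken for encoded data.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
# Assumed flag shape: PREFIX{...}. Adjust for the CTF at hand.
FLAG_RE = re.compile(r"\b[A-Za-z0-9_]+\{[^{}]+\}")


def clipboard_data_rows(output):
    """Yield (format, data) for rows of `clipboard` output whose Data column is set.

    Banner, header and separator lines are skipped, as are rows whose last
    column is the '------' placeholder or a bare kernel address.
    """
    for line in output.splitlines():
        fields = line.split()
        # Data rows start with the session number; everything else is decoration.
        if len(fields) < 3 or not fields[0].isdigit():
            continue
        data = fields[-1]
        if data.startswith("-") or HEX_TOKEN.match(data):
            continue
        fmt = fields[2] if fields[2].startswith("CF_") else "UNKNOWN"
        yield fmt, data


def decode_base64_text(token):
    """Strictly base64-decode a token and return it as text.

    Returns None when the token is not well-formed base64 or does not decode
    to printable UTF-8 (a trailing newline is tolerated: the sample's "Cg=="
    tail is exactly the "\\n" left on the copied text).
    """
    if not B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text.rstrip("\r\n").isprintable():
        return None
    return text


def recover_flags(output, flag_re=FLAG_RE):
    """Decode every base64-looking clipboard entry and return (format, flag) pairs."""
    flags = []
    for fmt, data in clipboard_data_rows(output):
        text = decode_base64_text(data)
        if text is None:
            continue
        for match in flag_re.findall(text):
            flags.append((fmt, match))
    return flags


if __name__ == "__main__":
    # Read the plugin's output from stdin when piped; fall back to the sample.
    source = SAMPLE_CLIPBOARD_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for fmt, flag in recover_flags(source):
        print(f"{fmt}: {flag}")
```

Usage: `vol.py -f image.mem --profile=Win7SP1x64 clipboard | python3 recover_clipboard.py`. The strict decode (`validate=True` plus the printable check) matters because hex handles and address columns are also drawn from the base64 alphabet; without it the script would happily "decode" `0x64006e00000010` into bytes and report noise.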

### Screen Grabs - notes

#### Analyzing the Memory Dump - notes

![mem dump analysis](./assets/notes/analyze.png)

#### Dumping the Memory Contents - notes

![mem dump contents](./assets/notes/dump.png)

#### Decoding the Flag - notes

![flag decoding](./assets/notes/flag.png)

### Tools Used - notes

1. [Volatility v2.6](https://github.com/volatilityfoundation/volatility/tree/2.6)

Original writeup (https://infosecstreams.github.io/umassctf2021/#notes-notes).