
# Help Me

The given memory dump contains the flag, which is split into 3 parts. Let's analyse it with volatility:


```
python2 /opt/volatility/vol.py -f Challenge.vmem imageinfo
```


We see Win7SP1x64 listed as a possible profile, so we'll use that one. I often start my analysis by saving the output of filescan while checking the iehistory:


```
python2 /opt/volatility/vol.py --profile=Win7SP1x64 -f Challenge.vmem iehistory
...
C:/Users/alexander/Documents/Part%20II.png
...
```
...


It shows some interesting files that seem to have been downloaded onto the machine, as filescan confirms:


```
0x000000007e269310 12 0 R--r-d \Device\HarddiskVolume1\Users\alexander\Documents\Part II.png
```


We also see that strange DumpIt.exe, which we'll check later. Let's dump both part 2 and part 3 with:


```
python2 /opt/volatility/vol.py --profile=Win7SP1x64 -f Challenge.vmem dumpfiles -D dumped -Q [addr]
```
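Picking the `-Q` offsets out of a long filescan listing by hand is error-prone, so here is a small helper for that step. It is an added example, not part of the original writeup: it parses saved Volatility 2 filescan output (physical offset, `#Ptr`, `#Hnd`, access flags, path), keeps the files you care about, and prints the matching dumpfiles commands. The sample listing is constructed; only its first data line is the one quoted above, the other offsets and paths are hypothetical.

```python
#!/usr/bin/env python3
"""Added helper (not from the writeup): parse Volatility 2 'filescan' output, select
interesting file objects and build the matching 'dumpfiles -Q <offset>' commands."""
import re

# One filescan line: physical offset, #Ptr, #Hnd, access flags, then the path.
# The path may contain spaces ("Part II.png"), so it is captured as the rest of the line.
FILESCAN_LINE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<ptr>\d+)\s+(?P<hnd>\d+)\s+(?P<access>\S+)\s+(?P<name>.+?)\s*$"
)

# Constructed sample listing. The first data line is the one quoted in the writeup;
# the remaining offsets and paths are hypothetical and only exist to exercise the filter.
SAMPLE_FILESCAN = r"""Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000007e269310     12      0 R--r-d \Device\HarddiskVolume1\Users\alexander\Documents\Part II.png
0x000000007e3a1f20      2      0 R--rwd \Device\HarddiskVolume1\Users\alexander\Downloads\Part III.py
0x000000007e12c5a0      1      1 R--rw- \Device\HarddiskVolume1\Windows\System32\kernel32.dll
0x000000007e4410b0      3      0 R--r-d \Device\HarddiskVolume1\Users\alexander\Desktop\DumpIt.exe
"""


def parse_filescan(text):
    """Return one dict per FILE_OBJECT line; header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILESCAN_LINE.match(line)
        if not m:
            continue
        entries.append({
            "offset": int(m["offset"], 16),   # physical offset used with dumpfiles -Q
            "ptr": int(m["ptr"]),
            "hnd": int(m["hnd"]),
            "access": m["access"],
            "name": m["name"],
        })
    return entries


def select_files(entries, patterns):
    """Keep entries whose path matches any of the regex patterns (case-insensitive)."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return [e for e in entries if any(c.search(e["name"]) for c in compiled)]


def dumpfiles_command(entry, vmem="Challenge.vmem", profile="Win7SP1x64", outdir="dumped"):
    """Build the Volatility 2 dumpfiles invocation for one file object."""
    return (f"python2 /opt/volatility/vol.py --profile={profile} -f {vmem} "
            f"dumpfiles -D {outdir} -Q {entry['offset']:#018x}")


if __name__ == "__main__":
    # Real use: feed the saved filescan output instead of the constructed sample.
    hits = select_files(parse_filescan(SAMPLE_FILESCAN),
                        [r"\\Part .*\.(png|py)$", r"DumpIt\.exe$"])
    for h in hits:
        print(dumpfiles_command(h), " #", h["name"])
```

Run it against the saved listing (`python3 select_dump.py < filescan.txt` after swapping the sample for `sys.stdin.read()`) and paste the printed commands; the `#Ptr`/`#Hnd` columns are kept in the parsed entries so you can also spot files that were still open when the image was taken.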


I started with the third part, the Python script. In order:

- it waits for an input
- it calls a first decoding function on this input
- it calls a second decoding function on the decoded result
- it checks if the final decoded string is equal to the expected one
- if yes, then it prints the flag from a decoding function, else it just returns.

Here are those functions, after cleaning the code and renaming functions properly:

```python
#!/usr/bin/env python3

s = 4
y = []
Z = []
res = []
expected="uh27bio:uY
```

Original writeup (https://github.com/Ewael/CTFs/tree/master/2021/ShaktiCTF/Forensics/HelpMe).