Tags: forensics 

Rating:

challenge description : Use the memory image in the Google drive link below. An attacker left behind some evidence in the network connections. Follow the attacker's tracks to find the flag.

challenge hint : Try connecting to the attacker's system.

challenge file : recent-memory.mem

step by step writeup :
1- Given this memory dump, we use Volatility 3 to proceed, running the network scan plugin ( command: vol.py -f recent-memory.mem windows.netscan.NetScan )
( to follow the hint that the evidence is in the network connections )

2- After inspecting the connections and their owning processes, we find process name ( nc.exe ), pid ( 2756 ),
connection state ( ESTABLISHED ), ip ( 161.35.53.62 ), port ( 5283 ); this appears to be the attacker's ip

3- The hint says to try connecting to the attacker's system ( using the netcat command ( nc 161.35.53.62 5283 ) )
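As an added example (not part of the original writeup), a small Python triage script that parses Volatility 3 netscan output and pulls out ESTABLISHED connections owned by netcat-style binaries, which is the check step 2 performs by eye. The sample output is constructed in the tab-separated layout Volatility 3 prints by default; the nc.exe row reproduces the writeup's finding, the other rows and the watch list of process names are assumptions for this example.

```python
# Triage Volatility 3 windows.netscan.NetScan output: list ESTABLISHED connections
# owned by netcat-style binaries, which rarely have a legitimate reason to exist on a host.
from dataclasses import dataclass

# Constructed sample output in the tab-separated layout Volatility 3 prints by default.
# The nc.exe row reproduces the writeup's finding; the other rows are benign filler.
SAMPLE_NETSCAN = """Volatility 3 Framework
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated

0x9e0c5e2f1010\tTCPv4\t10.0.0.5\t49712\t161.35.53.62\t5283\tESTABLISHED\t2756\tnc.exe\t2020-09-14 17:03:11.000000
0x9e0c5e3a0a20\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t880\tsvchost.exe\t2020-09-14 16:58:02.000000
0x9e0c5e4b1b30\tTCPv4\t10.0.0.5\t49800\t203.0.113.10\t443\tESTABLISHED\t3120\tsvchost.exe\t2020-09-14 17:01:45.000000
0x9e0c5e5c2c40\tUDPv4\t0.0.0.0\t137\t*\t0\t-\t4\tSystem\t2020-09-14 16:57:59.000000
"""

# Watch list of process names to flag (an assumption for this example, not a Volatility feature).
SUSPICIOUS_OWNERS = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}

@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    owner: str

def parse_netscan(text: str) -> list[Conn]:
    """Parse netscan rows; the banner, header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        cols = line.split("\t")
        # Data rows start with a hex offset and carry ten tab-separated columns.
        if len(cols) < 10 or not cols[0].startswith("0x"):
            continue
        conns.append(Conn(proto=cols[1], local=f"{cols[2]}:{cols[3]}",
                          foreign=f"{cols[4]}:{cols[5]}", state=cols[6],
                          pid=int(cols[7]), owner=cols[8]))
    return conns

def suspicious_established(conns, owners=SUSPICIOUS_OWNERS) -> list[Conn]:
    """Keep only live sessions whose owning process is on the watch list."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and c.owner.lower() in owners]

if __name__ == "__main__":
    for c in suspicious_established(parse_netscan(SAMPLE_NETSCAN)):
        print(f"pid {c.pid} {c.owner}: {c.local} -> {c.foreign}")
```

On a real dump, pipe the plugin's output into parse_netscan instead of the constructed sample; the remote endpoint of each hit is the lead to pivot on.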

### flag : ctf{f0ll0w_7h3_7r41l}