Tags: volatility memorydump forensics 

# Attaaaaack2

## Background

Q2. How many processes were running? (number)

Author : 0xSh3rl0ck

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230710142816.png)

## Find the flag

Having identified the suggested profile, we pass it with the `--profile` option so volatility2 knows which kernel structures to use when parsing the dump.

**Also, volatility2 has a plugin called `pslist`, which prints all running processes by following the EPROCESS lists:**
```shell
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.08|17:44:27(HKT)]
└> python2 /opt/volatility/vol.py --profile=Win7SP1x86 -f memdump.raw pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x8419c020 System 4 0 89 536 ------ 0 2023-02-20 19:01:19 UTC+0000
0x962f2020 smss.exe 268 4 2 29 ------ 0 2023-02-20 19:01:19 UTC+0000
0x860a8c78 csrss.exe 352 344 9 462 0 0 2023-02-20 19:01:20 UTC+0000
0x855dfd20 wininit.exe 404 344 3 76 0 0 2023-02-20 19:01:20 UTC+0000
0x8550b030 csrss.exe 416 396 9 268 1 0 2023-02-20 19:01:20 UTC+0000
0x85ea2368 services.exe 480 404 8 220 0 0 2023-02-20 19:01:20 UTC+0000
0x85ea8610 lsass.exe 488 404 6 568 0 0 2023-02-20 19:01:20 UTC+0000
0x85eab718 lsm.exe 496 404 10 151 0 0 2023-02-20 19:01:20 UTC+0000
0x85eacb80 winlogon.exe 508 396 5 115 1 0 2023-02-20 19:01:20 UTC+0000
0x85f4d030 svchost.exe 632 480 10 357 0 0 2023-02-20 19:01:21 UTC+0000
0x85ef0a90 svchost.exe 700 480 8 280 0 0 2023-02-20 19:01:21 UTC+0000
0x919e2958 svchost.exe 752 480 22 507 0 0 2023-02-20 19:01:21 UTC+0000
0x85f9c3a8 svchost.exe 868 480 13 309 0 0 2023-02-20 19:01:21 UTC+0000
0x85fae030 svchost.exe 908 480 18 715 0 0 2023-02-20 19:01:21 UTC+0000
0x85fb7670 svchost.exe 952 480 34 995 0 0 2023-02-20 19:01:22 UTC+0000
0x85ff1380 svchost.exe 1104 480 18 391 0 0 2023-02-20 19:01:22 UTC+0000
0x8603a030 spoolsv.exe 1236 480 13 270 0 0 2023-02-20 19:01:22 UTC+0000
0x86071818 svchost.exe 1280 480 19 312 0 0 2023-02-20 19:01:22 UTC+0000
0x860b73c8 svchost.exe 1420 480 10 146 0 0 2023-02-20 19:01:22 UTC+0000
0x860ba030 taskhost.exe 1428 480 9 205 1 0 2023-02-20 19:01:22 UTC+0000
0x861321c8 dwm.exe 1576 868 5 114 1 0 2023-02-20 19:01:23 UTC+0000
0x8613c030 explorer.exe 1596 1540 29 842 1 0 2023-02-20 19:01:23 UTC+0000
0x841d7500 VGAuthService. 1636 480 3 84 0 0 2023-02-20 19:01:23 UTC+0000
0x86189d20 vmtoolsd.exe 1736 1596 8 179 1 0 2023-02-20 19:01:23 UTC+0000
0x8619dd20 vm3dservice.ex 1848 480 4 60 0 0 2023-02-20 19:01:24 UTC+0000
0x861a9030 vmtoolsd.exe 1884 480 13 290 0 0 2023-02-20 19:01:24 UTC+0000
0x861b5360 vm3dservice.ex 1908 1848 2 44 1 0 2023-02-20 19:01:24 UTC+0000
0x861fc700 svchost.exe 580 480 6 91 0 0 2023-02-20 19:01:25 UTC+0000
0x86261030 WmiPrvSE.exe 1748 632 10 204 0 0 2023-02-20 19:01:25 UTC+0000
0x86251bf0 dllhost.exe 400 480 15 196 0 0 2023-02-20 19:01:26 UTC+0000
0x8629e518 msdtc.exe 2168 480 14 158 0 0 2023-02-20 19:01:31 UTC+0000
0x8629e188 SearchIndexer. 2276 480 12 581 0 0 2023-02-20 19:01:31 UTC+0000
0x8630b228 wmpnetwk.exe 2404 480 9 212 0 0 2023-02-20 19:01:32 UTC+0000
0x862cca38 svchost.exe 2576 480 15 232 0 0 2023-02-20 19:01:33 UTC+0000
0x85351030 WmiPrvSE.exe 3020 632 11 242 0 0 2023-02-20 19:01:45 UTC+0000
0x853faac8 ProcessHacker. 3236 1596 9 416 1 0 2023-02-20 19:02:37 UTC+0000
0x843068f8 sppsvc.exe 2248 480 4 146 0 0 2023-02-20 19:03:25 UTC+0000
0x85f89640 svchost.exe 2476 480 13 369 0 0 2023-02-20 19:03:25 UTC+0000
0x843658d0 cmd.exe 2112 2876 1 20 1 0 2023-02-20 19:03:40 UTC+0000
0x84368798 cmd.exe 2928 2876 1 20 1 0 2023-02-20 19:03:40 UTC+0000
0x84365c90 conhost.exe 1952 416 2 49 1 0 2023-02-20 19:03:40 UTC+0000
0x84384d20 conhost.exe 2924 416 2 49 1 0 2023-02-20 19:03:40 UTC+0000
0x84398998 runddl32.exe 300 2876 10 2314 1 0 2023-02-20 19:03:40 UTC+0000
0x84390030 notepad.exe 2556 300 2 58 1 0 2023-02-20 19:03:41 UTC+0000
0x84df2458 audiodg.exe 1556 752 6 129 0 0 2023-02-20 19:10:50 UTC+0000
0x84f1caf8 DumpIt.exe 2724 1596 2 38 1 0 2023-02-20 19:10:52 UTC+0000
0x84f3d878 conhost.exe 3664 416 2 51 1 0 2023-02-20 19:10:52 UTC+0000
```

- The total number of running processes: `47`
- **Flag: `47`**
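As an added example (not part of the original writeup), here is a small parser for that `pslist` text output: it counts the rows that carry no `Exit` timestamp and reports parent PIDs that are absent from the list. The sample rows are copied from the listing above, plus one constructed terminated row (fake offset and PID) to exercise the `Exit` column.

```python
import re

# Constructed sample: rows copied from the pslist output above, plus one
# hypothetical terminated row (fake offset/PID) to exercise the Exit column.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x8419c020 System                    4      0     89      536 ------      0 2023-02-20 19:01:19 UTC+0000
0x860a8c78 csrss.exe               352    344      9      462      0      0 2023-02-20 19:01:20 UTC+0000
0x8613c030 explorer.exe           1596   1540     29      842      1      0 2023-02-20 19:01:23 UTC+0000
0x843658d0 cmd.exe                2112   2876      1       20      1      0 2023-02-20 19:03:40 UTC+0000
0x84398998 runddl32.exe            300   2876     10     2314      1      0 2023-02-20 19:03:40 UTC+0000
0x84390030 notepad.exe            2556    300      2       58      1      0 2023-02-20 19:03:41 UTC+0000
0x84f1caf8 DumpIt.exe             2724   1596      2       38      1      0 2023-02-20 19:10:52 UTC+0000
0x00000000 gone.exe               9999   1596      0        0      1      0 2023-02-20 19:05:00 UTC+0000 2023-02-20 19:06:00 UTC+0000
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}"
ROW = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<sess>\S+)\s+(?P<wow64>\d)\s+"
    rf"(?P<start>{TS})(?:\s+(?P<exit>{TS}))?\s*$"
)

def parse_pslist(text: str) -> list[dict]:
    """Parse volatility2 pslist text output into dicts; banner/header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            for k in ("pid", "ppid", "thds", "hnds"):
                d[k] = int(d[k])
            rows.append(d)
    return rows

def count_running(rows: list[dict]) -> int:
    """A row with an Exit timestamp is a terminated process still linked in the
    EPROCESS list, so it is not counted as running."""
    return sum(1 for r in rows if r["exit"] is None)

def orphan_parents(rows: list[dict]) -> set[int]:
    """PPIDs with no matching PID: the parent exited before the dump (e.g. the
    shell that spawned cmd.exe) or is not linked in the list. PID 0 (idle) is never listed."""
    pids = {r["pid"] for r in rows}
    return {r["ppid"] for r in rows if r["ppid"] not in pids and r["ppid"] != 0}
```

Run over the full listing above, `count_running` returns the 47 the flag asks for, and `orphan_parents` includes 2876, the already-gone parent of both `cmd.exe` instances and `runddl32.exe`. Because `pslist` only walks the linked EPROCESS list, a process unlinked from it would not appear here at all; cross-checking against `psscan`, which carves process objects by pool tag, is the usual way to catch that.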

Original writeup (https://siunam321.github.io/ctf/CrewCTF-2023/Forensics/Attaaaaack1-13/#attaaaaack2).