CTFtime.org / KnightCTF 2024 / Path of the Executable / Writeup

$./vol2 -f /mnt/hgfs/CTF/CTF-events/2024/knightctf/forensic/KnightSquad.DMP --profile=Win7SP1x64_23418 filescan | grep .bat Volatility Foundation Volatility Framework 2.6 0x00000000b947d870 16 0 R--r-- \Device\HarddiskVolume2\Windows\System32\drivers\compbatt.sys 0x00000000b947e780 16 0 R--r-- \Device\HarddiskVolume2\Windows\System32\drivers\battc.sys 0x00000000b983d820 2 0 -W---- \Device\HarddiskVolume2$ Recycle.Bin\S-1-5-21-3042789274-2628191860-436916936-1001$INPNSNE.bat 0x00000000b9932590 2 0 RW-rw- \Device\HarddiskVolume2\Users\siam\Documents\windows.bat 0x00000000ba11bd10 11 0 R--r-d \Device\HarddiskVolume2\Windows\System32\batmeter.dll 0x00000000ba3a7420 16 0 R--r-- \Device\HarddiskVolume2\Windows\Fonts\batang.ttc

opened windows.bat by 'cat' to verify that this file contains previous flag.

Flag format was: KCTF{D:\Program Files\Windows\here}

So the flag is: KCTF{C:\Users\siam\Documents}

Original writeup (https://youtu.be/dCwRMGqFewk?si=qnVDp_tHSyaneJvW).

Path of the Executable

Comments

Sign in with