
# Full WriteUp
Full Writeup on our website: [http://www.aperikube.fr/docs/acebear_2018_memory/](http://www.aperikube.fr/docs/acebear_2018_memory/)

-----
# TL;DR
*Memory* is a Windows memory dump, quickly identified with *AutoVol*. In *C:\Users\Administrator\Documents* there are 2 *rtf* files:

* document.rtf: Containing a spam message
* usc_command.rtf: Containing a writeup of “Just Keyp Trying” challenge from PicoCTF 2017.

After a quick search on the internet, there is a steganography technique called *spammimic*. It uses spam to hide the real message.

To encode / decode a spammimic message: [http://www.spammimic.com/](http://www.spammimic.com/)

After that I obtained a base64 string. It’s a Google Sheet identifier (in the URL).

And the flag is in the sheet.
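
The spammimic decoder takes plain text, so the spam message has to be separated from the RTF markup of the recovered *document.rtf* first. The Python below is an added example, not part of the original writeup: a minimal RTF-to-text stripper, run on a constructed sample and assuming the message sits in the document body as ordinary text runs.

```python
import re

# Destination groups that hold metadata rather than document text.
SKIP = {"fonttbl", "colortbl", "stylesheet", "info", "pict", "header", "footer"}

TOKEN = re.compile(
    r"\\([a-z]+)(-?\d+)? ?"   # control word, optional number, optional delimiter space
    r"|\\'([0-9a-fA-F]{2})"   # \'hh escaped byte
    r"|\\([^a-z])"            # control symbol: \{ \} \\ \* ...
    r"|([{}])"                # group open / close
    r"|[\r\n]+"               # raw line breaks are not text in RTF
    r"|(.)",                  # ordinary character
    re.S,
)

# Limitation: \uN Unicode escapes are not decoded.
def rtf_to_text(rtf: str) -> str:
    out, stack, skipping = [], [], False
    for m in TOKEN.finditer(rtf):
        word, _num, hexbyte, symbol, brace, char = m.groups()
        if brace == "{":
            stack.append(skipping)          # remember state of the enclosing group
        elif brace == "}":
            skipping = stack.pop() if stack else False
        elif symbol == "*" or word in SKIP:
            skipping = True                 # ignore until this group closes
        elif skipping:
            continue
        elif word in ("par", "line"):
            out.append("\n")
        elif word == "tab":
            out.append("\t")
        elif hexbyte:
            out.append(bytes.fromhex(hexbyte).decode("cp1252", "replace"))
        elif symbol in ("{", "}", "\\"):
            out.append(symbol)
        elif char:
            out.append(char)
    return "".join(out).strip()

# Constructed sample, not the challenge's document.rtf.
SAMPLE = (r"{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}{\*\generator Sample;}" "\r\n"
          r"\f0\fs22 Dear Friend , This letter was specially selected\par" "\r\n"
          r"We don\'92t sell \{lists\} .\par}")

if __name__ == "__main__":
    print(rtf_to_text(SAMPLE))
```
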
