Can you handle these files?
Description
CTF: Whitehacks 2021
Download the memory image from one of the sources.
An attacker is in our system and has left a note behind. Can you find the link in his note that leads us to the flag? Hint: Flag can be found by accessing the URL.
memdump.mem.txt
Solution
Pwned by @teamfreestuff
To analyse the memdump, we can use volatility.
# Get list of running processes and filter out lines with 'notepad'.
$ vol.py -f memdump.mem --profile=Win7SP1x64 pstree | grep 'notepad'
Volatility Foundation Volatility Framework 2.6.1
0xfffffa8002990920:notepad.exe 3800 2332 1 61 2021-02-20 14:17:11 UTC+0000
0xfffffa80039481a0:notepad.exe 3380 2332 1 61 2021-02-20 14:17:12 UTC+0000
0xfffffa800426c6a0:notepad.exe 3352 2332 1 61 2021-02-20 14:16:43 UTC+0000
0xfffffa8002627640:notepad.exe 3164 2332 1 61 2021-02-20 14:17:10 UTC+0000
We can attempt to dump any of the above processes and run strings on the dump to see if anything interesting shows up.
$ vol.py -f memdump.mem --profile=Win7SP1x64 memdump --dump-dir=. -p 3800
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
Writing notepad.exe [ 3800] to 3800.dmp
$ strings 3800.dmp | grep -C 10 flag.txt
hackunit.txtdead1.lnkwordmacro.txtacronyms.lnkacronyms.lnkcars.lnkdrunk.lnkcoffee.lnkcoffee.lnkdead1.lnkflag.txt.lnkflag2.txt.lnkUntitled.lnkUntitled.lnkViMmViMmViMmViMm{CDC82860-468D-4D4E-B7E7-C298FF23AB2C}DxgK0Y3ACPI_HAL----MmStMmSthbinacronyms.txtbatvirus.txtdrunk.lnkcars.txtMRUListtroj.txttroj.txtflag.txt.lnkcoffee.txtvir.txtvir.txtBLBeExteP9Pref(StabThirnkdead1.txtvirus3.lnk----1702FILE0FILE0FILE02|CcFILE0FILE0FILE0FILE0FLAGTX~1.TXTC:\Users\whitehacks\Desktop\flag.txt.txt1SPSwhitehacks-pcFILE0FILE0FILE0FILE0]VN
FILE0https://imgur.com/a/pRWCNyoI see you have found me............
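The `strings | grep -C` step above can also be scripted, which is handy when a dump is large or several processes have to be checked. This is an added example, not part of the original writeup: it extracts printable runs from raw bytes, shows the neighbours of a keyword, and pulls out any URLs. The sample bytes are constructed to resemble the notepad.exe dump.

```python
import re

# Added example (not from the writeup): a minimal re-implementation of the
# `strings 3800.dmp | grep -C 10 flag.txt` step, so the extraction can be
# scripted against a raw process dump and URLs near the keyword pulled out.

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_strings(data: bytes, min_len: int = 4):
    """Return (offset, text) pairs for printable ASCII runs, like strings(1)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]


def context_around(strs, keyword: str, context: int = 10):
    """Like `grep -C`: strings containing keyword plus `context` neighbours."""
    keep = set()
    for i, (_, s) in enumerate(strs):
        if keyword in s:
            keep.update(range(max(0, i - context), min(len(strs), i + context + 1)))
    return [strs[i] for i in sorted(keep)]


def find_urls(strs):
    """Unique URLs in the extracted strings, in order of first appearance."""
    found = []
    for _, s in strs:
        for url in URL_RE.findall(s):
            if url not in found:
                found.append(url)
    return found


# Constructed sample modelled on the notepad.exe dump: binary noise, a .lnk
# name, the flag.txt path and the attacker's note. As in the real dump, the
# note text runs straight on from the URL, so the "I" of "I see you" sticks
# to the extracted URL and has to be trimmed by hand.
SAMPLE = (
    b"\x00\x01MmSt\x00\x00\x00\x00"
    + b"flag.txt.lnk\x00\xff\xfe"
    + b"C:\\Users\\whitehacks\\Desktop\\flag.txt.txt\x00\x00"
    + b"FILE0\x00\x00\x00"
    + b"FILE0https://imgur.com/a/pRWCNyoI see you have found me......\x00"
)

if __name__ == "__main__":
    strs = extract_strings(SAMPLE)
    for off, s in context_around(strs, "flag.txt", context=1):
        print(f"{off:#010x}: {s}")
    print("URLs:", find_urls(strs))
```

Because the note follows the URL with no separator, the extractor returns `https://imgur.com/a/pRWCNyoI`; the boundary has to be judged from context, as in the writeup.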
If we visit https://imgur.com/a/pRWCNyo, we find the flag.

WH2021{iSEEuHANDLEDthisWELL}