PearlCTF 2024: The-3-Fragmenteers [Forensics] WriteUp
So this was my second shot at a CTF Competition and I feel quite happy with the progress I made during this CTF and was able to solve a challenge which lies beyond my expertise.
This is my WriteUp on How I solved and approached the challenge The-3-Fragmenteers challenge.
My team name was astralis, and it consisted of me (prix) and my mate Darsh Patel (trench).
So, I started by viewing the challenges and came across The-3-Fragmenteers challenge.
Description of the Challenge: My friends got their hands on my system and told me he did something to a file that was important to me. Help me discover what he did.
The challenge provide you to download a file named:
‘the-3-fragmenteers.7z’
So, I extracted the contents of this file and found another file named:
dump_3.raw
Now, this was my first time dealing with a memory dump, so I had no clue on where to begin solving such a challenge. A quick google search led me to an amazing guide by John Hammond on YouTube:
So, I got the idea on how and where to begin looking. So I immediately pulled Volatility3 from GitHub. I then copied the memory dump into the Volatality3 folder.
Now, I followed the guide provided by John Hammond and executed a command to get an initial gist of the memory dump:
python3 vol.py -f dump_3.raw windows.infoThis command is quite useful as it provides detailed information about the image you’re trying to analyze. Running this command revealed the following:
This to me indicates that the memory dump is of an Operating System running Windows.
Now, I read the description again and we see a reference of ‘file’ that was important to the user. So straight up I thought, can I somehow retrieve the files from this memory dump? The answer is a Yes! How do we do that though? A simple Google Search reveals a plugin called as filescan. So immediately I go onto executing it:
python3 vol.py -f dump_3.raw windows.filescan > filescan.txtThis, would retrieve all the files recorded by the memory dump and store it into a new file named ‘filescan.txt’
So, now it’s time to dig into the filescan.txt. The first thing I see is a huge list of files, their size and their Offset (Virtual Address):
So, now I start digging and checking the file names. Initially it did look a bit overwhelming, but I tried filtering out searching for files with the extension “.txt”. And boom! we’ve a new lead. We find filenames which look suspicious:
So, now we have the file names. And the name of the challenge The-3-Fragmenteers also hints towards a possibility of 3 files. But now what? How do we move further? Another Google Search reveals the ability to retrieve the files by providing their Offset. Great, so now let’s try that and attempt to retrieve the File 1 (suspicious.txt):
python3 vol.py -f dump*.raw windows.dumpfiles - virtaddr 0xe38e74c110f0This retrieved the “suspicious.txt” file and stored into the current directory. Now we open the file and view what exactly lies inside it.
So immediately we’re given a link to a file hosted on mega.nz followed by a riddle. So we access the link and find that the file is a rar file. I downloaded it, and tried extracting it but it asks for a password, and I reckon the password is the answer to the riddle. So I try out several keywords but was unable to find the password. Now, I started looking at each and every word in the riddle and started thinking about the potential passwords. I tried out, Darkness, Sunset, and a few more. Then I tried the password “reflection” and boom! we’ve got access to the file.
Upon decrypting, we find two files namely: “hint1.txt” and “xaa.unknown”
Now we view, the hint1.txt and find this:
The file xaa.unknown has some references to a PDF File but it looks incomplete. So now we move on to decoding the meaning of the hint. It says: “2nd part might bhi present at the place at opens up when u start the system…” This indicates me that the file is present on Desktop, but luckily we’ve already managed to retrieve all the three file names. So now we’ll retrieve both the files and check their content out.
python3 vol.py -f dump*.raw windows.dumpfiles --virtaddr 0xe38e7500d270
python3 vol.py -f dump*.raw windows.dumpfiles --virtaddr 0xe38e740b1c70The second file named: “afsidasbjdbkgewfsdf.txt ” contains some hex-data. So we copy that file and go over to cryptii, in an attempt to decode it. This is what I found:
Wow, this is getting interesting! We have a link to another file that is hosted on mega.nz, so we visit the link and get a file named xab.unknown. Looks like we’re moving on the right path! Additionally, the text also reveals the 3rd file’s name is base64 encoded. So I check the file name and indeed it looks like a base64 string: “aHR0cHM6Ly9tZWdhLm56L2ZpbGUvTW54a1JMS0IjREpka1JKYWU3ajNTeExPaExoMG5lSUtLM01UMk9relFReGNFT3FHdHhhMA==.txt”. So we again visit cryptii, with an attempt to decode the base64 string.
Additionally, the file with the name in a base64 string also contains some hexadecimal data. So we again visit cryptii in an attempt to decode the cipher text. And this time we find:
Okay! It looks like we’re almost there now. Now we’ve three files with us named: “xaa.unknown”, “xab.unknown” and “xac.unknown”. But what next? How do I find the flag? We again go to Google and start looking for xaa, xab and xac. The very first result shows how to merge files after splitting them into pieces. So I immediately try that out:
Oh great, we can see that the file is merged and a PDF Document. I quickly opened the PDF Document to check what lies inside it. It looks like a part of some book, so I search for the flag inside it and BOOM! There we have it:
