Solving the “Crash” Forensics Challenge on Imaginary CTF 2024

Bikram Dhimal ( zeroair )
2 min read · Jul 23, 2024


Capture The Flag (CTF) competitions mix excitement with a bit of mystery. One such challenge was tackled by Alex, an active CTF player, during Imaginary CTF 2024. The forensics puzzle named “Crash” came with a deceptively simple description and a single memory dump file. Here is a step-by-step walkthrough of how Alex solved it.

Step 1: Initial Reconnaissance

After downloading the provided dump.vmem file, Alex knew his primary tool would be Volatility 3, the standard memory forensics framework. A good first move on a CTF memory image is to list the file objects still resident in memory and search them for anything flag-related, since the challenge author usually leaves a conspicuous file behind.

Command:

sudo vol -f dump.vmem windows.filescan | grep flag

Output:

WARNING  volatility3.framework.layers.vmware: No metadata file found alongside VMEM file. A VMSS or VMSN file may be required to correctly process a VMEM file. These should be placed in the same directory with the same file name, e.g. dump.vmem and dump.vmss.
0xc60c81c70ce0 \Users\imaginarypc\Documents\flag.txt 216
0xc60c81c7c540 \Users\imaginarypc\AppData\Roaming\Microsoft\Windows\Recent\flag.lnk 216

The warning about a missing .vmss/.vmsn metadata file can be ignored here: Volatility still located the file objects in the raw .vmem. The output revealed two interesting entries: a flag.txt file in the Documents folder and a flag.lnk in the Recent folder. The .lnk is the shortcut Windows writes to the Recent folder when a user opens a file, so it confirms flag.txt was accessed but holds only metadata about it. The flag.txt file itself was the most promising lead. The first column is the virtual address of the kernel FILE_OBJECT, which is what the next step needs.

Alex quickly pointed out, “The Documents folder is a likely place for important files. Let’s focus on extracting the flag.txt file first."

Step 2: Extracting the Flag File

With the virtual address of the flag.txt file object in hand, the next step was to extract its cached contents using Volatility's windows.dumpfiles plugin. The -o option names the directory the plugin writes into (here a directory called outputfile, created if it does not exist), and --virtaddr selects the single file object to dump instead of every file in the image.

Command:

sudo vol -f dump.vmem -o outputfile windows.dumpfiles --virtaddr 0xc60c81c70ce0

This command successfully extracted the file, saved under a name that encodes the file object address, the section object address, and which cache (here the DataSectionObject, i.e. the file's data pages) it was recovered from:

file.0xc60c81c70ce0.0xc60c83b5e650.DataSectionObject.flag.txt.dat

Alex leaned in as he examined the extracted file, eager to see what secrets it held.

Step 3: Decoding the Flag

A quick glance at the contents of the extracted file revealed a base64-encoded string.

Command:

cat file.0xc60c81c70ce0.0xc60c83b5e650.DataSectionObject.flag.txt.dat

Output:

aWN0ZnthYTBlYjcwN2E0MWIyY2E2fQ==

To decode this string, Alex used the base64 utility:

Command:

cat file.0xc60c81c70ce0.0xc60c83b5e650.DataSectionObject.flag.txt.dat | base64 -d

Output:

ictf{aa0eb707a41b2ca6}

And there it was: the flag, at the end of a three-command forensic chain.

Alex grinned, “Looks like I’ve done it again. Another challenge down!”
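The three steps above (scan for file objects, dump the one you want by virtual address, decode what comes out) are the same loop on almost every memory-forensics CTF task, so here is the procedure as a small bash script. This is an added example written for this article, not code from the original write-up or from the Volatility project. The filescan output embedded in it is a constructed sample that mirrors the two rows from the write-up plus one made-up row; the function that calls vol assumes Volatility 3 is installed as vol on PATH and that a real dump.vmem is passed as the first argument.

```shell
#!/usr/bin/env bash
# Added example (not part of the original write-up): automate the
# windows.filescan -> windows.dumpfiles -> base64 decode loop.
set -eu

# Constructed sample of `vol -f dump.vmem windows.filescan` output so the
# parsing and decoding helpers can be exercised without the real image.
# The two flag rows copy the write-up; the ntdll row is made up.
SAMPLE_FILESCAN='Volatility 3 Framework 2.7.0
Offset	Name	Size

0xc60c81c70ce0	\Users\imaginarypc\Documents\flag.txt	216
0xc60c81c7c540	\Users\imaginarypc\AppData\Roaming\Microsoft\Windows\Recent\flag.lnk	216
0xc60c81d00a10	\Windows\System32\ntdll.dll	2031616'

# filescan_offsets PATTERN: read filescan output on stdin and print
# "<virtual address><TAB><path>" for every row whose path matches PATTERN
# (an awk regex, matched case-insensitively). Only rows that begin with a
# hex offset are considered, so the banner and header lines are skipped.
# Paths containing spaces are reassembled from the middle fields.
filescan_offsets() {
    PAT="$1" awk '
        BEGIN { pat = tolower(ENVIRON["PAT"]) }
        $1 ~ /^0x[0-9a-fA-F]+$/ && NF >= 3 {
            path = $2
            for (i = 3; i < NF; i++) path = path " " $i
            if (tolower(path) ~ pat) print $1 "\t" path
        }'
}

# dump_file IMAGE VADDR OUTDIR: run windows.dumpfiles for one file object.
# Volatility writes one .dat per cache it can recover (DataSectionObject,
# ImageSectionObject, SharedCacheMap); the paths of the files written are
# printed so the caller can feed them to decode_flag.
dump_file() {
    image="$1"; vaddr="$2"; outdir="$3"
    mkdir -p "$outdir"
    vol -f "$image" -o "$outdir" windows.dumpfiles --virtaddr "$vaddr" >/dev/null
    ls "$outdir"/file."$vaddr".*.dat
}

# decode_flag FILE: dumped cache pages are often padded with NUL bytes beyond
# the file's real size, which makes `base64 -d` choke. Strip NULs and line
# endings before decoding, then accept the result only if it has the
# ictf{...} flag shape; return 1 otherwise so callers can try the next file.
decode_flag() {
    decoded=$(tr -d '\000\r\n' < "$1" | base64 -d 2>/dev/null) || return 1
    case "$decoded" in
        ictf\{*\}) printf '%s\n' "$decoded" ;;
        *) return 1 ;;
    esac
}

# run_pipeline IMAGE [PATTERN]: the full chain against a real image.
run_pipeline() {
    image="$1"; pattern="${2:-flag}"
    vol -f "$image" windows.filescan | filescan_offsets "$pattern" |
    while IFS="$(printf '\t')" read -r vaddr path; do
        echo "[*] $path at $vaddr"
        for f in $(dump_file "$image" "$vaddr" dumped); do
            decode_flag "$f" && echo "[+] flag found in $f"
        done
    done
}

# Stand-alone use: ./find_flag.sh dump.vmem [pattern]
# Without arguments, just show the parser on the constructed sample.
if [ $# -gt 0 ]; then
    run_pipeline "$@"
else
    printf '%s\n' "$SAMPLE_FILESCAN" | filescan_offsets 'flag'
fi
```

Passing a tighter pattern such as `'flag[.]txt$'` skips the .lnk, and the NUL stripping in decode_flag is the step most often missing from one-liners: a padded DataSectionObject dump decodes cleanly only after it.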

Conclusion

The “Crash” challenge was a compact exercise in memory forensics: enumerate the file objects still cached in memory, extract the interesting one by its object address, and decode what comes out. Nothing about it was exotic, but each step depends on reading the previous step's output carefully, which is the habit digital forensics rewards.

Stay tuned for more thrilling tales from the CTF frontlines!

Bikram Dhimal ( zeroair )

Cyber Security Researcher / CTF Player / Ethical Hacker / Learner