Solving the “Crash” Forensics Challenge on Imaginary CTF 2024
In the thrilling world of Capture The Flag (CTF) competitions, there’s always a unique blend of excitement and mystery. One such intriguing challenge was tackled by Alex, an active CTF player, during Imaginary CTF 2024. The forensics puzzle named “Crash” had a deceptively simple description and an enigmatic memory dump file. Here’s a detailed walkthrough of how Alex cracked this case wide open.
Step 1: Initial Reconnaissance
Upon downloading the provided dump.vmem file, Alex knew his primary tool for analysis would be Volatility, a robust memory forensics framework. To start, he wanted to identify any open files within the memory dump, hoping for a clue that could lead him to the elusive flag.
Command:
sudo vol -f dump.vmem windows.filescan | grep flag
Output:
WARNING volatility3.framework.layers.vmware: No metadata file found alongside VMEM file. A VMSS or VMSN file may be required to correctly process a VMEM file. These should be placed in the same directory with the same file name, e.g. dump.vmem and dump.vmss.
0xc60c81c70ce0 \Users\imaginarypc\Documents\flag.txt 216
0xc60c81c7c540 \Users\imaginarypc\AppData\Roaming\Microsoft\Windows\Recent\flag.lnk 216
The output revealed two interesting entries: a flag.txt file in the Documents folder and a flag.lnk in the Recent folder. The flag.txt file seemed like the most promising lead.
Alex quickly pointed out, “The Documents folder is a likely place for important files. Let’s focus on extracting the flag.txt file first.”
Step 2: Extracting the Flag File
With the virtual address of the flag.txt file in hand, the next step was to extract its contents using Volatility's dumpfiles plugin.
Command:
sudo vol -f dump.vmem -o outputfile windows.dumpfiles --virtaddr 0xc60c81c70ce0
This command successfully extracted the file, which was saved as:
file.0xc60c81c70ce0.0xc60c83b5e650.DataSectionObject.flag.txt.dat
Alex leaned in as he examined the extracted file, eager to see what secrets it held.
Step 3: Decoding the Flag
A quick glance at the contents of the extracted file revealed a base64 encoded string.
Command:
cat file.0xc60c81c70ce0.0xc60c83b5e650.DataSectionObject.flag.txt.dat
Output:
aWN0ZnthYTBlYjcwN2E0MWIyY2E2fQ==
To decode this string, Alex used the base64 utility:
Command:
cat file.0xc60c81c70ce0.0xc60c83b5e650.DataSectionObject.flag.txt.dat | base64 -d
Output:
ictf{aa0eb707a41b2ca6}
And there it was — the flag, shining brightly at the end of Alex’s forensic journey.
Alex grinned, “Looks like I’ve done it again. Another challenge down!”
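The three steps above (filescan, dumpfiles by virtual address, base64 decode) are easy to script once the filescan table is parsed properly. The following is an added example, not part of the original writeup or of Volatility itself: it parses constructed filescan output modelled on the rows shown in Step 1 (the path column can contain spaces, so only the first and last fields are taken as columns), builds the Step 2 dumpfiles command for each matching record, and decodes the dumped content as in Step 3, tolerating stripped padding and rejecting anything that is not valid base64. The function names and the ictf{...} flag pattern are assumptions made for this example.

```python
import base64, binascii, re, shlex
from dataclasses import dataclass

# Constructed sample: the Step 1 filescan output (warning line, then offset / path / size rows).
FILESCAN_OUTPUT = r"""
WARNING volatility3.framework.layers.vmware: No metadata file found alongside VMEM file.
0xc60c81c70ce0 \Users\imaginarypc\Documents\flag.txt 216
0xc60c81c7c540 \Users\imaginarypc\AppData\Roaming\Microsoft\Windows\Recent\flag.lnk 216
"""

@dataclass(frozen=True)
class FileRecord:
    offset: int   # virtual address of the file object, passed to --virtaddr
    path: str
    size: int

def parse_filescan(text: str) -> list[FileRecord]:
    """Parse filescan rows '<offset> <path> <size>'; paths may contain spaces, so only
    the first and last fields are taken as the offset and size columns."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].startswith("0x") or not parts[-1].isdigit():
            continue  # skip the warning, header and blank lines
        records.append(FileRecord(int(parts[0], 16), " ".join(parts[1:-1]), int(parts[-1])))
    return records

def find_files(records: list[FileRecord], name_pattern: str) -> list[FileRecord]:
    """Keep records whose file name (last path component) matches name_pattern."""
    rx = re.compile(name_pattern, re.IGNORECASE)
    return [r for r in records if rx.search(r.path.rsplit("\\", 1)[-1])]

def dumpfiles_command(record: FileRecord, image: str, outdir: str) -> str:
    """Build the Step 2 windows.dumpfiles invocation for one record."""
    return (f"vol -f {shlex.quote(image)} -o {shlex.quote(outdir)} "
            f"windows.dumpfiles --virtaddr {record.offset:#x}")

def decode_flag(data: bytes):
    """Strip whitespace, repair missing '=' padding, base64-decode (Step 3) and return
    the ictf{...} flag, or None if the bytes are not valid base64 or hold no flag."""
    cleaned = b"".join(data.split())
    cleaned += b"=" * (-len(cleaned) % 4)
    try:
        decoded = base64.b64decode(cleaned, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    m = re.search(r"ictf\{[0-9a-f]+\}", decoded)
    return m.group(0) if m else None
```

Running find_files over the parsed sample with the pattern ^flag\.txt$ yields the single Documents record, and decode_flag on the dumped bytes from Step 3 returns the flag shown in the writeup.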
Conclusion
The “Crash” challenge was a fascinating dive into memory forensics, reminding Alex of the importance of meticulous analysis and the power of the right tools. Each step, from identifying open files to extracting and decoding the flag, was a testament to the methodical approach required in digital forensics. This challenge not only sharpened his skills but also reaffirmed his passion for uncovering hidden truths in the realm of cybersecurity.
Stay tuned for more thrilling tales from the CTF frontlines!