MemLabs: Lab 6 – The Reckoning (“Hard”)

29 June 2020

From "MemLabs is an educational, introductory set of CTF-styled challenges which is aimed to encourage students, security researchers and also CTF players to get started with the field of Memory Forensics."

I'm a beginner when it comes to memory forensics. Over the last few months I've been learning from online guides and CTFs. Below is a step-by-step write-up of how I completed Lab 6.

Challenge Description: “Note: This challenge is composed of 1 flag. The flag format for this lab is: inctf{s0me_l33t_Str1ng}” 

I started by identifying which memory profile to use: 

volatility.exe -f MemoryDump_Lab6.raw imageinfo 

Which tells us that the suggested profiles are: 

Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418 

The cmdline command output indicates a file of interest: 

WinRAR.exe pid:   3716 

Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Jaffa\Desktop\pr0t3ct3d\flag.rar" 

This file can be identified in the output of the filescan command: 

Offset(P)            #Ptr   #Hnd Access Name  

0x000000005fcfc4b0     16      0 R--rwd \Device\HarddiskVolume2\Users\Jaffa\Desktop\pr0t3ct3d\flag.rar 

And extracted using dumpfiles: 

volatility.exe -f MemoryDump_Lab6.raw --profile=Win7SP1x64 dumpfiles -D ./rar -Q 0x000000005fcfc4b0 -n

It contains a password-protected file “flag2.png”. I ran various commands such as consoles, cmdscan, etc. to look for potential passwords and found what I was looking for in the output from envars:

3316 firefox.exe          0x0000000000a21320 RAR password                  easypeasyvirus 

This opens “flag2.png” within “flag.rar” and shows the text “aN_Am4zINg_!_I_gU3Ss???_}”: 


I’ve found flag 2 before finding flag 1 again! All the notable processes from the output of the psxview command are web browsers, which suggests that this is a good place to start looking for flag 1.

Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd  

0x000000005d905b30 firefox.exe            2080 True   True   True     True   True  True    False 

0x000000005ded4380 chrome.exe             2940 True   True   True     True   True  True    False 

0x000000005e14fab0 chrome.exe             2168 True   True   True     True   True  True    False 

0x000000005fe63580 firefox.exe            3016 True   True   True     True   True  True    True 

0x000000005db4bb30 chrome.exe             2452 True   True   True     True   True  True    True 

0x000000005fc54b30 firefox.exe            3316 True   True   True     True   True  True    True 

0x000000005f1fa630 firefox.exe            2860 True   True   True     True   True  True    False 

0x000000005fc15b30 firefox.exe            2968 True   True   True     True   True  True    True 

0x000000005ef4eb30 chrome.exe             2124 True   True   True     True   True  True    False 

0x000000005def9a70 chrome.exe             2340 True   True   True     True   True  True    False 

I browsed through filescan.txt for browser data and used dumpfiles to extract relevant content. The Chrome history database was the first place I looked, which luckily was correct:

Offset(P)            #Ptr   #Hnd Access Name 

0x000000005da5a610     15      1 RW-rw- \Device\HarddiskVolume2\Users\Jaffa\AppData\Local\Google\Chrome\User Data\Default\History 

Within this database I noted the pastebin URL: 


I visited this link which contained the following text: 


The Google Drive document contains Latin sample text, but scrolling through this I noticed another link:


Visiting the link!SrxQxYTQ prompts me to enter a decryption key. Looking back at the pastebin contents I suspect this will need to be recovered from email. I ran Bulk Extractor and looked at the email.txt output. Keyword searching for “David” finds many instances of the address There are snippets of emails which refer to a key but they are too short to be useful. I take the email address and search within AXIOM and identify a carved Gmail fragment which contains the text "Mega Drive Key","3":"THE KEY IS zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU". Using this key grants access to the Mega link and allows me to download “flag_.png”.  

I can’t get “Flag.png” to open in an image viewer. Looking at the hex I can see a PNG header and footer but everything I try to open it with errors. Most say something like “image type not supported” or “file may be corrupt” until I loaded it into CyberChef and received a more informative error “Expected IHDR on beginning”:


This puzzled me for a while since I could see that IHDR was present:


Eventually I realised that “i” and “I” aren’t the same. Fixing this in a hex editor allows the image to be opened and reveals the stage 1 flag “incft{thi5_cH4LL3Ng3_!s_g0nn4_b3_?_”.
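The same check and repair can be scripted. The following is an added example, not part of the original write-up: it walks the PNG chunks, verifies each CRC, and restores a case-mangled IHDR chunk type. It assumes only the case of the type bytes was altered (for example "iHDR"); the function names and the 1x1 sample image are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def walk_chunks(png: bytes):
    """Yield (offset_of_type_field, type, crc_ok) for each chunk in the file."""
    if not png.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError(f"chunk at {pos} runs past end of file")
        (stored,) = struct.unpack(">I", png[end:end + 4])
        # The CRC covers the type field and the data, not the length.
        yield pos + 4, ctype, stored == zlib.crc32(png[pos + 4:end]) & 0xFFFFFFFF
        pos = end + 4

def repair_first_chunk(png: bytes) -> bytes:
    """Restore a case-mangled IHDR type; accept the fix only if the CRC then verifies."""
    off, ctype, _ = next(walk_chunks(png))
    if ctype == b"IHDR":
        return png
    if ctype.upper() != b"IHDR":
        raise ValueError(f"first chunk is {ctype!r}, not a case variant of IHDR")
    fixed = png[:off] + b"IHDR" + png[off + 4:]
    if not next(walk_chunks(fixed))[2]:
        raise ValueError("type restored but CRC still fails; header data also altered")
    return fixed

# Constructed sample: a valid 1x1 greyscale PNG, then its IHDR type changed to "iHDR".
ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
GOOD = (PNG_SIG + chunk(b"IHDR", ihdr)
        + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))
BAD = GOOD.replace(b"IHDR", b"iHDR", 1)

if __name__ == "__main__":
    print([(t, ok) for _, t, ok in walk_chunks(BAD)])
    print(repair_first_chunk(BAD) == GOOD)
```

Because the stored CRC was computed over the original type bytes, a CRC that verifies after the rename confirms the type field was the only thing changed in that chunk.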


Summary of flags:  

  • incft{thi5_cH4LL3Ng3_!s_g0nn4_b3_?_ 
  • aN_Am4zINg_!_I_gU3Ss???_}
