
CipherTextCTF v2 Writeups Forensics

memDump

Solution:

Hello there, this challenge was hard and it got only 2 solves during the CTF.

The hint made it very clear that this memory dump is from Linux, not Windows.

Enumerate the memory

Using strings and grep for “BOOT_IMAGE”, we can get the kernel version “4.15.0-45-generic”.

Following the hint, grepping for “Linux version” gives us the exact Ubuntu version, “16.04.10”.

The best way to build the profile is to build it on the same system the memory was taken from, so let's download that system and prepare it as a VM 😀

Switching to Ubuntu

First, let's install the packages needed to build the profile: “dwarfdump” and “build-essential”.

Using Volatility we can build the module.dwarf file.

Now let's zip module.dwarf together with the System.map; the profile is ready 😀

Back to Kali

Now we move the zip file into Volatility's Linux profiles directory.
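The enumeration and profile-packaging steps above, as an added shell example that is not part of the original writeup. The dump file used in the demo is a constructed stand-in, not the challenge's memDump, and the zip/profile names are assumed.

```shell
#!/bin/sh
# Added example: pull the kernel and Ubuntu version strings out of a raw
# Linux memory dump, then name and package the matching Volatility profile.
set -e

# Kernel release named on the kernel command line
# ("BOOT_IMAGE=/boot/vmlinuz-<release> root=...").
kernel_release_from_dump() {
    LC_ALL=C grep -a -o 'BOOT_IMAGE=[^ ]*vmlinuz-[^ ]*' "$1" | head -n 1 | sed 's/.*vmlinuz-//'
}

# Ubuntu point release from the "Linux version ..." banner, which carries
# the toolchain tag, e.g. "(Ubuntu 5.4.0-6ubuntu1~16.04.10)".
ubuntu_release_from_dump() {
    LC_ALL=C grep -a -o 'Linux version [^#]*' "$1" | head -n 1 \
        | grep -o '~[0-9]*\.[0-9]*\.[0-9]*' | head -n 1 | tr -d '~'
}

# Profile name Volatility derives from a zip placed under
# volatility/plugins/overlays/linux/ (Ubuntu1604.zip -> LinuxUbuntu1604x64).
profile_name_for_zip() {
    printf 'Linux%sx64\n' "$(basename "$1" .zip)"
}

# Package module.dwarf and System.map into that zip (-j junks directory
# paths, as only the member names matter). Not run in the demo below.
build_profile_zip() {
    zip -j "$1" "$2" "$3"
}

# Demo on a constructed dump: binary noise around the two strings of interest.
dump=$(mktemp)
printf '\001\002noise BOOT_IMAGE=/boot/vmlinuz-4.15.0-45-generic root=UUID=0000 ro quiet splash\000\377\n' > "$dump"
printf 'Linux version 4.15.0-45-generic (buildd@lgw01-amd64-031) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10)) #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019\n\003' >> "$dump"
echo "kernel:  $(kernel_release_from_dump "$dump")"     # 4.15.0-45-generic
echo "ubuntu:  $(ubuntu_release_from_dump "$dump")"     # 16.04.10
echo "profile: $(profile_name_for_zip Ubuntu1604.zip)"  # LinuxUbuntu1604x64
rm -f "$dump"
```

Run the two *_from_dump functions against the real dump first; the version they report decides which Ubuntu release to install in the VM before building module.dwarf.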

Based on the challenge description, we know the browser data is the intended way to solve this challenge. After grepping for “.mozilla” we can see the databases and files that store the saved login credentials.

Alternatively, we can check the bash history with the linux_bash plugin 😀

Now we dump the keys.zip file, which contains “cert9.db”, “key4.db” and “logins.json”.

Reading logins.json, we find encrypted credentials for picoCTF, which is a CTF website. Let's decrypt them.

We can use the firefox_decrypt tool to get the flag: CTCTF{S4ve_Y0ur_Cr3ds_1n_Y0ur_H34d}
