Lab 1 - Beginner's Luck
Link to the lab : Lab 1 - Beginner's Luck
Challenge description
My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is get all her important files from the system. From what we remember, we suddenly saw a black window pop up with some thing being executed. When the crash happened, she was trying to draw something. Thats all we remember from the time of crash.
Note: This challenge is composed of 3 flags.
Solution
Initial thoughts
First, let us list down the important points from the description.
We have to get important files from the system
They saw a black window pop up and execute something (this might be command prompt)
The person was trying to draw something (drawing application might be opened)
Profile
As I mentioned I'll be using Vol2, so first we have to get the profile of the memory image.
We can use "Win7SP1x64" as the profile for the memory image.
Process list
A good place to start is by listing all the processes that were running at the time of memory capture.
Use
psscan
to view the processes that are hidden too.From the output, we can see some obvious processes that would be of interest to us (revisit the initial thoughts to see why are they of interest).
They are cmd.exe, mspaint.exe, WinRAR.exe. Make a note of their PIDs.
If you find or don't know about any other processes, just google their name to see their purpose.
DumpIT.exe is another unknown process which might have been used to capture the memory.
Command Prompt
Let's pick one process and investigate it further. Let's look at the command line to know what was executed.
consoles
shows the command typed as well as the I/O buffer.From the output we can see that "St4G3$1" is run and a string is output to the consol.
The the look of it we can see that it is a base64 string because it contains 'a-z' and is padded with '='
By decoding the base64 string, we got the first flag.
flag{th1s_1s_th3_1st_st4g3!!}
MS Paint
Let's examine the memory of mspaint.exe to examine further.
Now we have dumped the memory of mspaint.exe to the output directory we specified.
Upon researching how to view the content of MS Paint after dumping, found that we should change the extension of the dump from ".dmp" to ".data" and open it with GIMP (GNU Image Manipulation Program).
Last updated