SEC-T CTF 2018 Batou Challenge WriteUp

This is a challenge I solved in SEC-T CTF 2018. It requires the memory forensics tool Volatility and its plugins. Feel free to read my blog post on Volatility here.

Challenge file can be downloaded from here.

The description was:

“We managed to collect a dump from Batou’s computer. Try to find info/notes that can help us”.

So it was pretty clear. There were two possibilities:

  1. Writing in Notepad
  2. Writing in the Command Prompt

Luckily, I didn’t even need to try the second option.

So let us look into the challenge. The first step was running the imageinfo plugin to identify a suitable profile for the memory image.

[Screenshot: volatility imageinfo output]

As I had previously tried the challenges from last year’s SEC-T, I chose the profile Win2008SP1x64. That was just my instinct. Hehe.

So what’s next? I had a clue pointing to Notepad, but who knows, I could be wrong. So my next step was running the pslist plugin to list the running processes.

[Screenshot: volatility pslist output showing the notepad process]

There are no other suspicious processes, and the Notepad process we predicted is present. So it looks like we are on the right track.

Next we proceed to extract the content that was written in Notepad. The filescan plugin helps us here by listing the file objects still present in memory.

[Screenshot: volatility filescan output filtered for “notepad”, with two files highlighted]

When I filtered the output for “notepad”, I noticed two suspicious files, which are highlighted in the picture above. So how about extracting them?

Let me extract the second one first.

[Screenshot: volatility dumpfiles output for the second file, whose content reads “empty”]

I extracted the second file using the dumpfiles plugin. But when I look at its content, it just has “empty” written inside. No luck here, folks. Let’s try extracting the first one now.

[Screenshot: volatility dumpfiles output for the first file, whose content is a hex string]

Oh, shoot!! When I look at the content of this one, it shows some hex-encoded text. What do I get if I decode this? 534543547b346c6c5f796f75725f4e307433735f3472335f62336c306e675f74305f75357d

So I used IPython to decode the hex string and, whoa!! I got the flag.

[Screenshot: IPython session decoding the hex string to the flag]

The flag is: SECT{4ll_your_N0t3s_4r3_b3l0ng_t0_u5}.
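The last two steps above (reading the dumped file and decoding its hex contents) as an added Python example; this is not code from the original write-up. It assumes the dumpfiles output is read into a `bytes` object, and it also handles two things the IPython one-liner does not: the NUL padding dumpfiles leaves when it writes whole cache pages, and a Notepad “Unicode” (UTF-16LE) save. The sample input is constructed from the hex string shown above.

```python
import re
import string
from typing import Iterator, List, Optional

# Hex text recovered from the dumped notepad file (the value shown in the write-up).
HEX_FROM_DUMP = b"534543547b346c6c5f796f75725f4e307433735f3472335f62336c306e675f74305f75357d"

# dumpfiles writes whole cache pages, so an extracted file is NUL-padded up to the
# page size; this constructed sample mimics that layout.
SAMPLE_DUMP = HEX_FROM_DUMP + b"\x00" * (4096 - len(HEX_FROM_DUMP))

HEX_RUN = re.compile(rb"[0-9a-fA-F]{8,}")


def strip_page_padding(data: bytes) -> bytes:
    """Drop the trailing NUL padding left by dumping whole cache pages."""
    return data.rstrip(b"\x00")


def text_views(data: bytes) -> Iterator[bytes]:
    """Yield the raw bytes and, for a Notepad 'Unicode' (UTF-16LE) save, an ASCII view."""
    data = strip_page_padding(data)
    yield data
    if data.startswith(b"\xff\xfe"):  # UTF-16LE byte-order mark written by Notepad
        data = data[2:]
    if len(data) % 2:  # padding strip may have removed the last char's NUL high byte
        data += b"\x00"
    if data and data[1::2] == b"\x00" * (len(data) // 2):
        yield data.decode("utf-16-le", errors="ignore").encode("ascii", errors="ignore")


def decode_hex_runs(data: bytes) -> List[str]:
    """Return every even-length hex run in the file that decodes to printable text."""
    found = []
    for view in text_views(data):
        for match in HEX_RUN.finditer(view):
            run = match.group(0)
            if len(run) % 2:
                continue
            decoded = bytes.fromhex(run.decode("ascii"))
            if all(chr(b) in string.printable for b in decoded):
                found.append(decoded.decode("ascii"))
    return found


def find_flag(data: bytes, prefix: str = "SECT{") -> Optional[str]:
    """Return the first decoded run shaped like a flag, or None (e.g. for the 'empty' file)."""
    for text in decode_hex_runs(data):
        if text.startswith(prefix) and text.endswith("}"):
            return text
    return None
```

Call `find_flag(open(path, "rb").read())` on each file that dumpfiles produced; the “empty” file returns `None` and the hex one returns the flag.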

Happy Hacking!!


2 thoughts on “SEC-T CTF 2018 Batou Challenge WriteUp”


  1. Hi!
    Recently I started learning how to use Volatility to do memory forensics. I found it is a very interesting tool.

    I searched for some tasks on CTFtime to get a good command of it. But for some reason, some files’ download links have expired.

    If it is convenient for you, could you provide the download link for this task?

    Thanks a lot.

    ShaoBao
    2018-10-14
