InCTF Quals 2018 Hard-To-Get WriteUp

I had a lot of fun organizing this CTF. Just too much excitement. Many people have requested me to put out a write-up for the challenge which had only 4 solves in the end. So I’ll be writing a short write-up.

Challenge Description:

So from the challenge, one can pretty much discover that the user was “surfing the web and downloaded a mysterious file”.

So, it is very clear what we should look for. We have to go through the browser history of the system and get the file. Recently, for the volatility plugin contests, there was a plugin published. It was the chrome plugin. It is a very powerful plugin which helps to analyze various data related to the chrome browser. In this case, we are going to use the chromehistory plugin.

So let us have a look at the links that the user visited.


In that, at the bottom, we find a “” link.


so let us to that link. We find that we are given the hexdump of a zip file. So we reconstruct it and find that it is password protected. So how do we crack it? Let us delve more into the memory dump.

Using the envars plugin, we find strange environment variables. “The Last Part” & “The Hacker”

Screenshot from 2018-12-07 23-30-58.png

Decoding the value(which is in hex) of “The Final Part”, we get the 2nd part of the flag.

Now let us decode the NTLM hash of the user which gives us inctfiseasy.

So this is the password to the zip file. Yes, it is. We find the hexdump of a GIF file inside. Let us reconstruct it. Let us separate all the frames inside it. Doing so, we get the following image.


So the first part is: inctf{w3lcom3_t0_

The second part is: my_w0rld_0f_m3m0rY}

Let us now concatenate them.

FLAG: inctf{w3lcom3_t0_my_w0rld_0f_m3m0rY}

Happy Hacking!! Please give me your feedback. Please like and share!

One thought on “InCTF Quals 2018 Hard-To-Get WriteUp

Add yours

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Powered by

Up ↑

Create your website at
Get started
%d bloggers like this: