This was one of the better memory forensics challenges that I have tried and solved. It is not especially deep, but it does teach you the basic Volatility plugins.
Though the writeup may look very clean and straightforward, I was at sixes and sevens while working through this challenge. So let us begin.
“Agent Gill called, we have until tomorrow at 15:00 UTC to fix some virus problem.”
The challenge description doesn’t give out any clues. So let us try to dig into the challenge file.
My first bet was to try the pslist and psscan plugins, but there was nothing suspicious there. Eventually, I began the tiresome process of using the filescan plugin.
Though filescan is an extremely useful plugin, the hitch is in using the right filter to get the desired view of the files, because the unfiltered output is very large. When I used the plugin without any filters, I noticed that there were two users: acidburn and plauge.
So I decided to apply every filter I could possibly think of and, like anybody, I tried Desktop as the filter. Looking through the files present on the desktop, I found a rather suspicious file called g4rb4g3.txt. So I dumped the file and looked at its contents.
Looks like the flag is in two parts for this challenge. Maybe this is the first half, and it has been reversed. While I was searching for more files with the filescan plugin, I accidentally stumbled upon a bat file. So I searched for something suspicious in that, and voila!
We see a very suspicious file called hack.bat. Let us dump this file and see its contents.
We see a suspicious file called gibson. I decided to search for this file in the memory dump and, if it was present, to recover and examine its contents.
Luckily the file was available as "gibson.jpg" in the memory dump. So I recovered it, and its contents were base64-encoded.
I knew that the decoded bytes belonged to some kind of file, so I ran the file command on them.
So yeah! It was a zip file. Let us extract its contents. We get three files from the zip:
Let us try to look at the contents of all these files. “run.ps1” did not hold anything suspicious so I’m cutting it out.
Hmm... The directory T3MP looks suspicious, doesn't it? So we are on the right track! Okay, moving on.
So yeah!! Looks like we have the two halves of the flag. Let us reverse them, concatenate them and see what we get. It looks like rot13, so let us decode it.
And that is how we solved this challenge!!
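The decoding chain from the last few steps (base64 text from the dump, check the magic bytes the way `file` does, extract the zip, reverse both halves, undo rot13), written up as an added Python example that is not part of the original writeup. The zip members, their names and the flag value below are constructed for the example, not the challenge's real ones.

```python
import base64
import codecs
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # local file header of a zip archive
JPEG_MAGIC = b"\xff\xd8\xff"


def decode_base64_payload(text: str) -> bytes:
    """Decode base64 text recovered from the dump (whitespace/newlines are ignored)."""
    return base64.b64decode("".join(text.split()))


def identify(data: bytes) -> str:
    """Minimal stand-in for the `file` command: classify by leading magic bytes."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"   # a real .jpg would start like this; gibson.jpg did not
    return "unknown"


def extract_members(data: bytes) -> dict:
    """Return {member name: content} for every file inside the zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def recover_flag(half1: str, half2: str) -> str:
    """Both halves are stored reversed; join them and undo the rot13 layer."""
    joined = half1[::-1] + half2[::-1]
    return codecs.decode(joined, "rot_13")


def build_sample_payload() -> str:
    """Constructed stand-in for gibson.jpg: a base64-encoded zip with three members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("run.ps1", "Write-Host 'nothing to see here'\n")
        zf.writestr("T3MP/readme.txt", "constructed filler\n")
        zf.writestr("T3MP/part2.txt", "}lg1y1g4")   # second half, reversed + rot13
    return base64.b64encode(buf.getvalue()).decode()


if __name__ == "__main__":
    raw = decode_base64_payload(build_sample_payload())
    print(identify(raw))                                   # zip
    second = extract_members(raw)["T3MP/part2.txt"].decode()
    print(recover_flag("y0i{tnys", second))                # flag{v0l4t1l1ty}
```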