SEC-T CTF’17 G1bs0n WriteUp

This was one of the better memory forensics challenges that I tried and solved. There was not much of a big depth in this challenge but however, it tries to teach you the basic plugins of volatility.

Though the writeup may look very clean and straight-forward, I was at sixes and sevens while trying out this challenge. So let us begin


“Agent Gill called, we have until tomorrow at 15:00 UTC to fix some virus problem.”

The challenge description doesn’t give out any clues. So let us try to dig into the challenge file.

My first bet was to try out the pslist and the psscan plugins but there was nothing suspicious there. Eventually, I began the tiresome process of using the filescan plugin.

Though filescan is an extremely useful plugin, the hitch is in using the right filter to get the desired view of the files as the general output is very large. When I used the plugin without any filters, I noticed that there were two users: acidburn and plauge.

So I decided to apply every filter I could possibly think of and like anybody, I tried Desktop as the filter. Looking through the files present in the desktop, I found a rather suspicious file called g4rb4g3.txt. So I dumped the file and looked at its contents.

Screenshot from 2019-02-11 18-27-00

Looks like the flag is in 2 parts for this challenge. Maybe this is the first half and it has been reversed. And again I was searching for some files using the filescan plugin when I accidentally stumbled upon a bat file. So I tried to search for something suspicious in that and Voila!!


We see a very suspicious file called hack.bat. Let us dump this file and see its contents.

Screenshot from 2019-02-11 18-03-06

We see a suspicious file called gibson. I thought to search for this file in the memory dump and if the file was present in the dump, try to recover and examine its contents.

Luckily the file was available as “gibson.jpg” in the memory dump. So I recovered it and its contents were encoded in base64.


I knew that decoded bytes belonged to a certain file, so I ran the file command.

Screenshot from 2019-02-11 18-08-34

So yeah! It was a zip file. Let us try to extract its contents. We get three files from the zip:

  1. run.bat
  2. run.ps1
  3. run.reg

Let us try to look at the contents of all these files. “run.ps1” did not hold anything suspicious so I’m cutting it out.

Screenshot from 2019-02-11 18-13-02

Hmm…The directory T3MP looks suspicious, doesn’t it? So we are on the right track! Okay, moving on.

Screenshot from 2019-02-11 18-13-17
The contents of the run.reg file

So Yeah!! Looks like we got the 2 halves of the flag. Let us reverse them and concatenate and see what we get. Looks like it was rot13 so let us decode this.

Screenshot from 2019-02-11 18-34-15

And that is how we solved this challenge!!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Website Powered by

Up ↑

Create your website with
Get started
%d bloggers like this: