This was probably the easiest memory forensics challenge that I ever attempted. Sadly I could not get the first blood in this as I had to leave for dinner 😛

Challenge Description


The description does not provide anything, so let us look at the file 🙂

Link to challenge file: Mega Link


Okay, let us take a look at the challenge file. It is a WindowsXP memory dump.

Hmm, let me see the command history using the cmdscan plugin.

[Screenshot: cmdscan output]

Hmm, they created a directory with the name “hu5ky_4nd_f0r3n51c”.

Okay, let us have a look at what files are present in the above-mentioned directory/folder.

[Screenshot: file listing for the hu5ky_4nd_f0r3n51c directory]

Hmm, the file present in the folder is “f149999”.

The next step is quite predictable: dump the file. Simple:

$ volatility -f husky_memory.raw --profile=WinXPSP2x86 dumpfiles -Q 0x0000000002c5dd18 -D .

Let us analyze what file this is by opening it in a hex editor.

[Screenshot: hex editor view of f149999]

As you can see, it is a reversed RAR archive. Just reverse the bytes to get the proper archive.

So after correcting the archive, we see that it is a password-protected archive. Hmm, have to search for the password. Luckily I guessed that the folder name was in l33t, so it could be the password. Voila, and we got the flag.
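The byte-reversal step above, as an added example that is not part of the original write-up. It assumes the input is the dumped file (f149999 here) with the archive bytes reversed, possibly followed by NUL padding because dumpfiles writes whole memory pages; the RAR4 and RAR5 signature bytes are the documented ones.

```python
"""Recover a byte-reversed RAR archive dumped from memory (added example)."""
import sys
from typing import Tuple

# Documented RAR magic: RAR 4.x and RAR 5.x archives.
RAR_SIGNATURES = (
    b"Rar!\x1a\x07\x00",      # RAR 4.x
    b"Rar!\x1a\x07\x01\x00",  # RAR 5.x
)


def classify(data: bytes) -> Tuple[str, bytes]:
    """Return ("rar", data) for a forward archive, ("reversed", fixed) for a
    byte-reversed one, or ("unknown", data) if neither signature is found."""
    for sig in RAR_SIGNATURES:
        if data.startswith(sig):
            return "rar", data
    # In a reversed file the signature appears backwards at the END of the
    # data. A file dumped from memory may carry trailing zero padding, so
    # search backwards for the marker rather than assuming it is the last
    # bytes. Note the reversed marker itself ends in 0x00, so blindly
    # stripping trailing NULs would destroy it.
    for sig in RAR_SIGNATURES:
        rev = sig[::-1]
        idx = data.rfind(rev)
        if idx == -1:
            continue
        tail = data[idx + len(rev):]
        if tail.strip(b"\x00"):
            continue  # bytes after the marker are not padding: false hit
        return "reversed", data[: idx + len(rev)][::-1]
    return "unknown", data


def fix_file(src: str, dst: str) -> str:
    """Read src, write the recovered archive to dst, return the verdict."""
    with open(src, "rb") as fh:
        verdict, fixed = classify(fh.read())
    if verdict == "reversed":
        with open(dst, "wb") as out:
            out.write(fixed)
    return verdict


if __name__ == "__main__":
    # usage: python fix_rar.py f149999 fixed.rar
    print(fix_file(sys.argv[1], sys.argv[2]))
```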


