Securinets CTF 2019 – Contact Me Challenge Writeup

Hello everyone,

It has been a really long time since I last posted a writeup. This is a challenge I solved a long time ago in the Securinets CTF 2019. It is a fairly easy challenge, but the good thing about it is that we get very few memory forensics challenges, and the majority of them are from Windows 7/XP environments. Interestingly, this one is from macOS.

So let’s get on with the challenge now.

Challenge Description

People think it’s hard to stay without a phone, but I don’t! My computer has everything a smartphone has like browsers, notes, calendars, and a lot more.

You can download the challenge file here: Mega Drive

Challenge Solution

So the first question that comes to mind is: how did I find out that it was a Mac image?
Simple. The imageinfo plugin did not work. Haha

Now let us get the profile of the memory dump.

$ python vol.py -f ../contact_me mac_get_profile

Okay, so the profile is MacSierra_10_12_6_16G23ax64.

There is a reason I call this challenge very easy: its name hints at the plugin that I should probably use to get the flag, and one such relevant plugin that I found was the mac_contacts plugin.

Let us use that plugin.

$ python vol.py --profile=MacSierra_10_12_6_16G23ax64 -f ../contact_me mac_contacts

In the output, I have highlighted a certain text which looks like a base64 string, and boy was I correct!

Voila! We got the flag.

FLAG: securinets{31012e16c3e5dfa7e673612d7d075715}
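The manual step above (spotting a base64-looking string in the plugin output and decoding it) can be scripted when the output is long. This is an added example, not part of the original writeup: the function name is hypothetical, and the sample text is constructed, so it reproduces neither the real mac_contacts output format nor the challenge's flag.

```python
import base64
import binascii
import re
import string

# A run of 16+ base64-alphabet characters, optional padding, not glued to more of them.
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
PRINTABLE = set(string.printable.encode())


def find_base64_strings(text, min_printable=0.95):
    """Return (token, decoded) pairs for tokens that decode to mostly printable bytes."""
    hits = []
    for match in B64_RUN.finditer(text):
        token = match.group(0)
        if len(token) % 4:  # padded base64 is always a multiple of 4 characters
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        # Identifiers that happen to fit the alphabet usually decode to binary
        # noise, so keep only tokens whose decoded bytes are mostly printable.
        printable = sum(b in PRINTABLE for b in raw) / len(raw)
        if printable >= min_printable:
            hits.append((token, raw.decode("ascii", errors="replace")))
    return hits


# Constructed sample (not real plugin output, not the challenge's flag).
ENCODED = base64.b64encode(b"securinets{constructed_example_flag}").decode()
SAMPLE_OUTPUT = "\n".join([
    "Name: Constructed Contact",
    "Email: constructed@example.invalid",
    "Path: /Users/constructed/Library/ApplicationSupport/AddressBook",
    "Id: AAAAAAAAAAAAAAAA",
    "Note: " + ENCODED,
])

if __name__ == "__main__":
    for token, decoded in find_base64_strings(SAMPLE_OUTPUT):
        print(f"{token} -> {decoded}")
```

To triage real output, pass the saved plugin text to `find_base64_strings` and review the decoded hits by hand.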

I hope to write some more amazing content on Mac memory forensics very soon. So, stay tuned!

If you liked the post, please do like & share.

