Nahamcon 2021


  • first we need to find the profile for this memory dump
volatility imageinfo -f image.bin

profile is Win7SP1x86_23418

  • now the challenge states that the files were lost in a system crash, so we need to look for files
volatility filescan -f image.bin --profile Win7SP1x86_23418
  • this provides a long list of files, but we know in windows people work in desktop most of the time so after inspecting desktop path we can see this file path
0x000000007e841f80      8      0 RW-r-- \Device\HarddiskVolume1\Users\IEUser\Desktop\CONFIDENTIAL DOCUMENT.docx
  • now we can try and dump this file
volatility -f image.bin --profile Win7SP1x86_23418 dumpfiles -Q 0x000000007e841f80 --dump-dir .
  • using file command we can see the file format and rename appropriately but the file is corrupt, remember system crash?

  • but docx files can be extracted like a zip with unzip command

  • after extracting we get these files/dirs

drwxr-xr-x 5 twh users 4096 Mar 14 13:54  .
drwxr-xr-x 3 twh users 4096 Mar 14 13:54  ..
-rw-r--r-- 1 twh users 1422 Jan  1  1980 '[Content_Types].xml'
drwxr-xr-x 2 twh users 4096 Mar 14 13:53  docProps
drwxr-xr-x 2 twh users 4096 Mar 14 13:53  _rels
drwxr-xr-x 4 twh users 4096 Mar 14 13:53  word
  • inside word we have a file named document.xml

  • open this file in browser and flag is in plain text :D

Published on : 15 Mar 2021