It's the final week of the Magnet Weekly CTF Challenge. The past 12 weeks have been fun, learning Android, Linux, and Windows memory forensics along the way. Many thanks to the great team at Magnet Forensics and their guests for the weekly challenges. Without further ado, let's get to the final challenge for the year!
Challenge 12 (Dec. 21-28)
What is the PID of the application where you might learn "how hackers hack, and how to stop them"?
Format: #### Warning: Only 1 attempt allowed!
Phew, the first part of the final challenge and we are only given a single attempt! While I did get a likely answer fairly quickly, attempting to verify the answer took much longer.
The first step was similar to part 6 of week 9's challenge, where I searched for the string "how hackers hack, and how to stop them" in the memory image using the strings command, followed by the strings plugin in Volatility to locate the corresponding process where the string was found.
With the Volatility strings plugin, there were some entries which were in unallocated memory, leaving only one valid process, which was confirmed to belong to Internet Explorer with the pslist plugin. However, as we only had one attempt, I wanted to be sure of the owning process before submission. As the strings search showed, the results appeared to be part of an HTML page, so I dumped all the files for the Internet Explorer process using the dumpfiles plugin and confirmed the answer as part of the video search results in the cached 'search[1].htm' page.
Answer: 4480
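The two-stage lookup above (find physical offsets with strings, then ask Volatility which process maps each offset) is easy to get wrong when hits land in free or kernel memory. The following Python is an added example, not code from the write-up or from Volatility: it mimics the offset search over a constructed image fragment, renders the "offset:string" file that Volatility 2's strings plugin consumes, and parses a constructed sample of that plugin's output so that FREE MEMORY and kernel-only hits are discarded and only real owning PIDs are counted. The sample image bytes, the plugin output lines and the PIDs in them are all constructed; the output line shape is assumed to follow Volatility 2's "offset [owner:vaddr ...] string" convention.

```python
import re
from collections import Counter

NEEDLE = b"how hackers hack, and how to stop them"

# Constructed stand-in for a memory image: two copies of the needle, one
# inside an HTML fragment and one on its own. A real image is gigabytes.
SAMPLE_IMAGE = (
    b"\x00\x01\x02" * 10
    + b'<a href="/videos">' + NEEDLE + b"</a>"
    + b"\xff\xfe" * 7
    + NEEDLE
    + b"\x00" * 5
)

# Constructed output in the shape Volatility 2's strings plugin prints:
# "<physical offset> [<owner>:<virtual address> ...] <string>", where the
# owner is a PID, "kernel", or "FREE MEMORY" for unallocated pages.
SAMPLE_PLUGIN_OUTPUT = """\
30 [FREE MEMORY:-1] how hackers hack, and how to stop them
90 [4480:0x0a1b2c3d] how hackers hack, and how to stop them
4096 [kernel:0xfffff80001234567] how hackers hack, and how to stop them
8192 [4480:0x0a1b4000 2764:0x7ffe0000] how hackers hack, and how to stop them
"""


def find_offsets(image: bytes, needle: bytes) -> list:
    """Physical offsets of every occurrence, the job `strings -t d | grep` does."""
    offsets, start = [], 0
    while (i := image.find(needle, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets


def strings_file(image: bytes, needle: bytes) -> str:
    """Render hits as 'offset:string' lines, the input format vol.py strings -s expects."""
    text = needle.decode("ascii")
    return "\n".join(f"{off}:{text}" for off in find_offsets(image, needle))


PLUGIN_LINE = re.compile(r"^(?P<off>\d+)\s+\[(?P<owners>[^\]]*)\]\s*(?P<text>.*)$")


def owning_pids(plugin_output: str) -> Counter:
    """Count hits per owning PID, dropping FREE MEMORY and kernel-only owners."""
    hits = Counter()
    for line in plugin_output.splitlines():
        m = PLUGIN_LINE.match(line)
        if not m:
            continue
        # A page shared by several processes lists every owner in the brackets.
        for token in m.group("owners").split():
            owner, _, _vaddr = token.partition(":")
            if owner.isdigit():
                hits[int(owner)] += 1
    return hits


def likely_owner(plugin_output: str):
    """PID with the most hits, or None if every hit is in free or kernel memory."""
    hits = owning_pids(plugin_output)
    return hits.most_common(1)[0][0] if hits else None


if __name__ == "__main__":
    print(strings_file(SAMPLE_IMAGE, NEEDLE))
    print(owning_pids(SAMPLE_PLUGIN_OUTPUT))
    print("candidate PID:", likely_owner(SAMPLE_PLUGIN_OUTPUT))
```

A single owning PID from this count is a candidate, not a confirmation: a string in a shared page or in a freed heap block can still be attributed to a process that no longer uses it, which is why the write-up goes on to dump the process's files and locate the string in a cached page before submitting.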
Challenge 12 (Dec. 21-28) Part 2
What is the product version of the application from Part 1?
Format: XX.XX.XXXX.XXXXX
Using the procdump plugin and running the dumped executable through exiftool, we find the product version in the format requested.
Answer: 11.00.9600.18858
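The product version exiftool prints comes from the PE's version resource. Windows stores it twice there: as numeric DWORD pairs in the VS_FIXEDFILEINFO block (which exiftool reports as ProductVersionNumber) and as a string in the StringFileInfo table (reported as ProductVersion, where Microsoft's zero-padded "11.00.9600.18858" form appears). The Python below is an added example, not code from the write-up or from exiftool: it locates VS_FIXEDFILEINFO in a dumped executable and decodes the numeric product version, which is a quick cross-check on a procdump output when exiftool is not at hand. The sample dump is constructed around the version from this write-up; the resource header values and the trailing flag fields are placeholders.

```python
import struct

VS_FFI_SIGNATURE = 0xFEEF04BD  # dwSignature that opens VS_FIXEDFILEINFO
# UTF-16LE "VS_VERSION_INFO" plus its terminating null: the szKey of VS_VERSIONINFO
VS_VERSION_KEY = "VS_VERSION_INFO".encode("utf-16-le") + b"\x00\x00"


def build_fixed_file_info(file_ver, product_ver) -> bytes:
    """Pack a VS_FIXEDFILEINFO (13 little-endian DWORDs) for the constructed dump."""
    fms = (file_ver[0] << 16) | file_ver[1]       # dwFileVersionMS: major.minor
    fls = (file_ver[2] << 16) | file_ver[3]       # dwFileVersionLS: build.revision
    pms = (product_ver[0] << 16) | product_ver[1] # dwProductVersionMS
    pls = (product_ver[2] << 16) | product_ver[3] # dwProductVersionLS
    # Remaining fields (file flags mask, flags, OS, type, subtype, date) are placeholders.
    return struct.pack("<13I", VS_FFI_SIGNATURE, 0x00010000, fms, fls, pms, pls,
                       0x3F, 0, 0x00040004, 0x1, 0, 0, 0)


# Constructed stand-in for a procdump output: a DOS header, filler, then a
# VS_VERSIONINFO header (wLength, wValueLength, wType), the key, padding to a
# 4-byte boundary, and the fixed-info block carrying the write-up's version.
SAMPLE_DUMP = (
    b"MZ" + b"\x90" * 62
    + b"\xcc" * 40
    + struct.pack("<HHH", 0x03A8, 52, 0)
    + VS_VERSION_KEY + b"\x00\x00"
    + build_fixed_file_info((11, 0, 9600, 18858), (11, 0, 9600, 18858))
    + b"\x00" * 16
)


def product_version(blob: bytes):
    """Return (major, minor, build, revision) from dwProductVersionMS/LS, or None."""
    key = blob.find(VS_VERSION_KEY)
    if key < 0:
        return None
    # The signature must follow the key; searching from the key avoids random
    # 0xFEEF04BD byte runs elsewhere in the dump.
    sig = blob.find(struct.pack("<I", VS_FFI_SIGNATURE), key)
    if sig < 0 or sig + 52 > len(blob):
        return None  # truncated dump: refuse to guess rather than misreport
    fields = struct.unpack_from("<13I", blob, sig)
    pms, pls = fields[4], fields[5]
    return (pms >> 16, pms & 0xFFFF, pls >> 16, pls & 0xFFFF)


def format_version(v) -> str:
    """Dotted form of the numeric fields, e.g. 11.0.9600.18858."""
    return "%d.%d.%d.%d" % v


if __name__ == "__main__":
    print("ProductVersionNumber:", format_version(product_version(SAMPLE_DUMP)))
```

Because procdump rebuilds the file from memory pages, a resource section that was never paged in leaves the key absent and the function returns None; that is the case to expect on a partially resident process rather than a sign that the binary carries no version.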
And that wraps up the Magnet Weekly CTF Challenge for 2020. Looking forward to more CTFs next year!