
Intigriti 1337UP CTF 2024: Hoarded Flag

TL;DR

  • Challenge provides a Windows memory dump.
  • Volatility cmdline scan reveals a 7z command with password.
  • Encrypted flag archive located via filescan.
  • Archive dumped from memory and decrypted using recovered password.
  • Flag extracted from the archive.

Challenge Description

My friend said they are going to make an insane new crypto challenge and I have to solve it but.. I hate crypto 😭

I saw them making a flag but didn't catch the text. When they left room I tried to open the file but they password protected it?! I can't believe they wouldn't trust me around their computer like that!! 😤

Anyway, I figured I'd take a snapshot to have a better look later.. Maybe you can help?

Solution

It's a memory dump, so we can analyse it with Volatility.

Iterate through the plugins, looking for useful info. The cmdscan plugin, which recovers console command history, reveals an interesting command.

python vol.py -f memory_dump.raw windows.cmdscan

** 1032 conhost.exe 0x23442febbf0   _COMMAND_HISTORY.CommandBucket_Command_1    0x2344310e0e0   7z a -pScaredToDeathScaredToLook1312 -mhe flag.7z flag.zip

So, 7z was used to encrypt a flag using the password ScaredToDeathScaredToLook1312 🤔

Search for these files with the filescan plugin.

python vol.py -f memory_dump.raw windows.filescan | grep flag

0xb20dbd74d5f0  \Users\cat\Desktop\flag.zip
0xb20dbd74e720  \Users\cat\Desktop\flag.7z

Dump one of them from memory (the password is the same for both).

python vol.py -f memory_dump.raw windows.dumpfiles.DumpFiles --virtaddr 0xb20dbd74e720

Finally, extract the flag with the recovered password: 7z x flag.zip
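As an added example (not part of the original writeup), here is a small Python helper that parses the two Volatility outputs shown above: it pulls the -p password and archive name out of the 7z a command from cmdscan and turns the filescan hits into the dumpfiles invocations. The sample lines are the writeup's own output embedded as constructed input; the function names are assumptions of this example.

```python
import re

# Constructed sample input: the cmdscan line and the two filescan hits quoted in
# the writeup, embedded here so the script runs offline without the memory dump.
CMDSCAN_LINE = ("** 1032 conhost.exe 0x23442febbf0   _COMMAND_HISTORY.CommandBucket_Command_1"
                "    0x2344310e0e0   7z a -pScaredToDeathScaredToLook1312 -mhe flag.7z flag.zip")
FILESCAN_OUTPUT = ("0xb20dbd74d5f0  \\Users\\cat\\Desktop\\flag.zip\n"
                   "0xb20dbd74e720  \\Users\\cat\\Desktop\\flag.7z\n")

def parse_7z_add(line):
    """Pull password, archive and inputs out of a '7z a ...' command in a cmdscan line."""
    m = re.search(r"\b7z(?:\.exe)?\s+a\s+(.*)$", line)
    if not m:
        return None
    # tokens may be quoted (e.g. -p"two words"); split on whitespace, then drop the quotes
    tokens = [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', m.group(1))]
    info = {"password": None, "hidden_headers": False, "archive": None, "inputs": []}
    positional = []
    for t in tokens:
        if t.startswith("-p"):
            info["password"] = t[2:]          # password is glued to the switch
        elif t in ("-mhe", "-mhe=on"):
            info["hidden_headers"] = True     # file names inside the archive are encrypted too
        elif not t.startswith("-"):
            positional.append(t)
    if positional:
        info["archive"], info["inputs"] = positional[0], positional[1:]
    return info

def parse_filescan(output, name_filter=""):
    """Return (virtual offset, path) pairs whose path contains name_filter (case-insensitive)."""
    hits = []
    for line in output.splitlines():
        # offset, path starting with a backslash, optional trailing size column
        m = re.match(r"\s*(0x[0-9a-fA-F]+)\s+(\\\S.*?)(?:\s+\d+)?\s*$", line)
        if m and name_filter.lower() in m.group(2).lower():
            hits.append((int(m.group(1), 16), m.group(2)))
    return hits

def dumpfiles_commands(hits, image="memory_dump.raw", vol="python vol.py"):
    """Build the windows.dumpfiles invocation for each hit (same --virtaddr flag as above)."""
    return [f"{vol} -f {image} windows.dumpfiles --virtaddr {off:#x}" for off, _ in hits]

if __name__ == "__main__":
    cmd = parse_7z_add(CMDSCAN_LINE)
    print("password:", cmd["password"], "archive:", cmd["archive"], "from:", cmd["inputs"])
    for c in dumpfiles_commands(parse_filescan(FILESCAN_OUTPUT, "flag")):
        print(c)
```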

Flag: INTIGRITI{7h3_m3m0ry_h0ld5_7h3_53cr375}