Lab | Challenge link | Difficulty | Writeup link |
---|---|---|---|
Lab 1 | Beginner’s Luck | Easy | Lab 1 |
Lab 2 | A New World | Easy | Lab 2 |
Lab 3 | The Evil’s Den | Easy - Medium | Lab 3 |
Lab 4 | Obsession | Medium | Lab 4 |
Lab 5 | Black Tuesday | Medium - Hard | Lab 5 |
Lab 6 | The Reckoning | Hard | Lab 6 |
Challenge description
My system was recently compromised. The Hacker stole a lot of information but he also deleted a very important file of mine. I have no idea how to recover it. The only evidence we have, at this point in time, is this memory dump. Please help me.
- Note: This challenge is composed of only 1 flag.
- The flag format for this lab is: inctf{s0me_l33t_Str1ng}
Writeup
At first I thought it would be hard, but the description helped me a lot, especially
"deleted a very important file of mine"
So I will use filescan and mftparser, but let's check the profile first:
./volatility.exe -f MemoryDump_Lab4.raw imageinfo
So it's "Win7SP1x64".
Running filescan and grepping for text files, there was one named "Important.txt":
./volatility.exe -f MemoryDump_Lab4.raw --profile=Win7SP1x64 filescan | grep ".txt"
So I tried to dump it with dumpfiles:
./volatility.exe -f MemoryDump_Lab4.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fc398d0 -D .
But nothing happened, so I tried mftparser and grepped for the file name:
./volatility.exe -f MemoryDump_Lab4.raw --profile=Win7SP1x64 mftparser | grep -C 20 Important.txt
Yup, it was as easy as I expected, and just like that I got the flag:
inctf{1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3}
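Why mftparser could show the text of a small file that dumpfiles gave nothing for: when a file's data is short enough, NTFS stores its $DATA attribute resident, inside the MFT FILE record itself, so the content is recoverable from the MFT entry with no cached file object needed. The script below is an added illustration written for this writeup (not Volatility's code and not part of the original post): it undoes the update-sequence fixups and pulls the resident $DATA out of an NTFS FILE record the way mftparser does. The record layout follows the standard NTFS on-disk format; the file name and contents in the sample record are constructed for the demo.

```python
import struct
FILE_NAME, DATA, END = 0x30, 0x80, 0xFFFFFFFF  # attribute type codes / end-of-attributes marker

def apply_fixups(rec, sector=512):
    """Undo the update-sequence fixups NTFS stamps into the last 2 bytes of each sector."""
    rec = bytearray(rec)
    usa_ofs, usa_cnt = struct.unpack_from("<HH", rec, 4)  # update sequence array offset/count
    usn = rec[usa_ofs:usa_ofs + 2]                         # update sequence number
    for i in range(1, usa_cnt):
        end = i * sector - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch: torn or corrupt MFT record")
        rec[end:end + 2] = rec[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]  # restore original bytes
    return rec

def resident_data(rec):
    """Return (filename, content) when the record's unnamed $DATA is resident, else None."""
    if rec[:4] != b"FILE": return None
    rec = apply_fixups(rec)
    off = struct.unpack_from("<H", rec, 0x14)[0]  # offset of the first attribute
    name = content = None
    while struct.unpack_from("<I", rec, off)[0] != END:
        atype, alen, nonres, nlen = struct.unpack_from("<IIBB", rec, off)
        clen, coff = struct.unpack_from("<IH", rec, off + 0x10)  # resident content length/offset
        body = rec[off + coff:off + coff + clen]
        if atype == FILE_NAME and not nonres:
            name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")  # name length at 0x40
        elif atype == DATA and not nonres and nlen == 0:  # unnamed stream holds the file content
            content = bytes(body)
        off += alen
    return (name, content) if name and content is not None else None

def attr(atype, body):
    """Encode one resident attribute: 0x18-byte header + body, padded to 8 bytes."""
    alen = (0x18 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
    return (hdr + body).ljust(alen, b"\0")

def build_record(name, data):
    """Construct a 1024-byte FILE record with resident $FILE_NAME and $DATA (constructed fixture)."""
    fn = b"\0" * 0x40 + bytes([len(name), 1]) + name.encode("utf-16-le")  # refs/times zeroed
    body = attr(FILE_NAME, fn) + attr(DATA, data) + struct.pack("<I", END)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(body), 1024, 0, 3, 0, 0)
    rec = bytearray((hdr + struct.pack("<H", 1)).ljust(0x38, b"\0") + body).ljust(1024, b"\0")
    for i in (1, 2):  # save each sector tail into the USA, then stamp the USN over it
        end = i * 512 - 2
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = rec[0x30:0x32]
    return bytes(rec)
```

Feeding `build_record("Important.txt", b"x" * 600)` to `resident_data` returns the name and all 600 bytes, including the two bytes the fixup had overwritten at the first sector boundary.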