Writeups Forensics-polls.io

memDump

Solution:

Hi, this challenge was hard and it got only 2 solves during the CTF.

The hint was very clear in showing that this memory dump is Linux, not Windows.

Identify the memory dump

Using strings and grep for "BOOT_IMAGE" we can get the kernel version "4.15.0-45-generic".

Following the hint, by grepping for "Linux version" we can get the exact Ubuntu version "16.04.10".

The painful way to build the profile is to build it from the same kernel and system, so let's download this system and set it up as a VM.

Switching to Ubuntu

First let's download the packages needed to build the profile: "dwarfdump" and "build-essential".

Using Volatility we can build the module.dwarf file.

Now let's zip module.dwarf together with the System.map; the profile is ready at this point.

Back to Kali

Now we will move the zip file to the profiles directory.

Based on the challenge description we can tell that the browser data is the intended way to solve this challenge; after grepping for ".mozilla" we can see the dbs and files that store the saved login credentials.

Another way is to check the linux_bash module and the bash history.

Now we will dump the keys.zip file, which contains "cert9.db", "key4.db" and "logins.json".

By reading logins.json we find encrypted credentials for picoCTF, which is a CTF site. Let's decrypt them.

We can use the firefox_decrypt tool to get the flag CTCTF{S4ve_Y0ur_Cr3ds_1n_Y0ur_H34d}
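The whole chain above (identify the kernel from the dump, build the Volatility 2 profile on the matching VM, then query the dump) as shell functions. This is an added example, not the author's own commands; $DUMP, $VOL (a Volatility 2 checkout), the profile name "Ubuntu1604" and the plugin choices for the browser-file step are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original writeup). Assumed placeholders:
#   DUMP = path to the memory image, VOL = Volatility 2 checkout directory.

# Turn the raw dump into searchable text: every non-printable byte becomes a
# newline, so the later greps work even where `strings` is not installed.
printable_lines() {
    tr -c '[:print:]' '\n' < "$1"
}

# Kernel release from the boot command line, e.g.
# "BOOT_IMAGE=/boot/vmlinuz-4.15.0-45-generic root=..." -> "4.15.0-45-generic"
kernel_release() {
    printable_lines "$1" | sed -n 's/.*BOOT_IMAGE=[^ ]*vmlinuz-\([^ ]*\).*/\1/p' | head -n 1
}

# First "Linux version ..." banner in the dump; it also carries the Ubuntu build string.
linux_version_banner() {
    printable_lines "$1" | grep 'Linux version ' | head -n 1
}

# Run inside a VM booted on the same kernel release the dump reports.
# Produces $VOL/volatility/plugins/overlays/linux/<name>.zip, which Volatility 2
# then lists as the profile "Linux<name>x64".
build_profile() {
    name="$1"
    sudo apt-get install -y dwarfdump build-essential zip
    (cd "$VOL/tools/linux" && make)          # builds module.dwarf for the running kernel
    zip "$VOL/volatility/plugins/overlays/linux/$name.zip" \
        "$VOL/tools/linux/module.dwarf" "/boot/System.map-$(uname -r)"
}

# Back on the analysis box: confirm the profile is registered, pull the shell
# history, then locate the Firefox profile files (cert9.db, key4.db, logins.json).
# A listed inode can be dumped with: linux_find_file -i <inode> -O <outfile>
analyse() {
    profile="Linux${1}x64"
    python2 "$VOL/vol.py" --info | grep "$profile"
    python2 "$VOL/vol.py" -f "$DUMP" --profile="$profile" linux_bash
    python2 "$VOL/vol.py" -f "$DUMP" --profile="$profile" linux_enumerate_files | grep '\.mozilla'
}
```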
