Memlabs Lab3 Writeup
Problem statement : A malicious script encrypted a very secret piece of information I had on my system. Can you recover the information for me please?
Solution : Using the Volatility pslist plugin we see two notepad.exe processes running. Both process memories are dumped using memdump.
The cmdline plugin is then used to see the commands that launched them. The commands associated with the two notepad process IDs opened the files evilscript.py and vip.txt.
The command
strings -e l ./3736.dmp | grep "import sys" -B 1 -A 20
is used to extract the Python script from the memory dump. (-e l selects 16-bit little-endian strings, which is how Notepad holds its text in memory. "import sys" is used as the grep pattern because a Python script that opens a file and reads an argument will need to import an additional module. -B 1 and -A 20 print one line before and 20 lines after each matching line on the console.)
Grepping the second memory dump for the string "Lucida Console" gives the base64 string
am1gd2V4M20wXGs3b2U=
The extracted Python script was:
import sys
import string

def xor(s):
    # XOR every character with the key 3 (applying the same XOR again reverses it)
    a = ''.join(chr(ord(i) ^ 3) for i in s)
    return a

def encoder(x):
    # Python 2 base64 codec; the script was written for Python 2
    return x.encode("base64")

if __name__ == "__main__":
    # the secret is passed as the first command-line argument and the
    # encoded result is written to vip.txt
    f = open("C:\\Users\\hello\\Desktop\\vip.txt", "w")
    arr = sys.argv[1]
    arr = encoder(xor(arr))
    f.write(arr)
    f.close()
The script XORs each character of the secret with 3, base64-encodes the result and writes it to vip.txt. Reversing this (base64-decode, then XOR with 3 again) gives the first half of the flag.
inctf{0n3_h4lf
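To reverse the script, the following added Python 3 helper (not part of the original writeup or of the challenge files) base64-decodes the grepped string and XORs each byte with 3; a Python 3 version of the encoder is included so the recovered text can be checked against the string found in memory:

```python
import base64

XOR_KEY = 3  # the single-byte key used by the recovered xor() function
RECOVERED_B64 = "am1gd2V4M20wXGs3b2U="  # string grepped from the second notepad dump


def evilscript_encode(secret):
    """Python 3 re-implementation of the recovered script: XOR, then base64.

    Python 2's str.encode("base64") appends a trailing newline; it is dropped
    here because the string grepped from memory has none.
    """
    xored = bytes(ord(c) ^ XOR_KEY for c in secret)
    return base64.b64encode(xored).decode("ascii")


def evilscript_decode(blob):
    """Reverse the script: base64-decode, then XOR each byte with the key.

    XOR with the same key is its own inverse, so no separate un-XOR is needed.
    """
    raw = base64.b64decode(blob, validate=True)
    return "".join(chr(b ^ XOR_KEY) for b in raw)


if __name__ == "__main__":
    half = evilscript_decode(RECOVERED_B64)
    print("first half of the flag:", half)
    # sanity check: re-encoding must reproduce the string found in memory
    assert evilscript_encode(half) == RECOVERED_B64
```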
For the second half, we use the filescan plugin to look for .jpeg files:
python vol.py -f /home/Downloads/nietzsche/MemoryDump_Lab3.raw --profile=Win7SP1x86 filescan | grep ".jpeg"
We extract the file using the dumpfiles plugin. Running steghide on the extracted picture with the first half of the flag as the passphrase gives the second half of the flag:
_1s_n0t_3n0ugh}