Memlabs Lab3 Writeup
Problem statement : A malicious script encrypted a very secret piece of information I had on my system. Can you recover the information for me please?
Solution : Using Volatility pslist we see two notepad processes running. Both process memories are dumped using memdump.
The plugin cmdline is then used to see last run commands. We see the commands associated with the notepad process ids are used to open files evilscript.py and vip.txt.
strings -e l ./3736.dmp | grep "import sys" -B 1 -A 20 is used to extract the python script form the memory dump.(import is the string used in grep as python script opening a file will need to import an additional module. 1 line before given string and 20 lines after given string are printed on the console.)
Grep is used on the second memory dump with the string “Lucida console”. we get the base64 string
The python script is extracted was
a = ‘’.join(chr(ord(i)³) for i in s)
if __name__ == “__main__”:
f = open(“C:\\Users\\hello\\Desktop\\vip.txt”, “w”)
arr = sys.argv
arr = encoder(xor(arr))
The script takes the content of vip.txt, xors it with the char 3 and encodes it in base64. Reversing this gives the first part of the flag.
For the second half, we use the filescan plugin to scan for .jpeg file
python vol.py -f /home/Downloads/nietzsche/MemoryDump_Lab3.raw — profile=Win7SP1x86 filescan | grep “.jpeg”
We extract the file using dumpfiles. Using steghide on the extracted picture with the first half as key gives the second half of the flag.