## Challenge Description
This challenge is composed of 2 flags but do you really think so? Maybe a little flag is hiding somewhere.

Note: There was a small mistake when making this challenge. If you find any string which has the string "L4B_3_D0n3*!!**" in it, please change it to "L4B_5_D0n3*!!**" and then proceed.

Hint: You'll get the stage 2 flag only when you have the stage 1 flag.
Challenge file: MemLabs_Lab5
First, we need to identify the operating system of the memory image.

```
$ volatility -f MemoryDump_Lab5.raw imageinfo
```
Next, let's check the process list.

```
$ volatility -f MemoryDump_Lab5.raw --profile Win7SP1x64 pslist
```
Interesting, there's a WinRAR.exe process. Let's see what the cmdline plugin reports for that process.

```
$ volatility -f MemoryDump_Lab5.raw --profile Win7SP1x64 cmdline | grep WinRAR.exe
Volatility Foundation Volatility Framework 2.6.1
WinRAR.exe pid: 2924
Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\SmartNet\Documents\SW1wb3J0YW50.rar"
```
The rar file name is SW1wb3J0YW50.rar, so let's dump this file.

```
$ volatility -f MemoryDump_Lab5.raw --profile Win7SP1x64 filescan | grep SW1wb3J0YW50.rar
Volatility Foundation Volatility Framework 2.6.1
0x000000003eed56f0 1 0 R--r-- \Device\HarddiskVolume2\Users\SmartNet\Documents\SW1wb3J0YW50.rar
$ volatility -f MemoryDump_Lab5.raw --profile Win7SP1x64 dumpfiles -Q 0x000000003eed56f0 -D lab5_output/
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x3eed56f0 None \Device\HarddiskVolume2\Users\SmartNet\Documents\SW1wb3J0YW50.rar
```
Going ahead to unrar this file, I saw this comment.

```
$ unrar e SW1wb3J0YW50.rar
UNRAR 5.61 beta 1 freeware Copyright (c) 1993-2018 Alexander Roshal
Extracting from SW1wb3J0YW50.rar
Enter password (will not be echoed) for Stage2.png:
```
Clearly this is stage 2's flag, and the password for this file is stage 1's flag, so we need to get stage 1's flag first.

At this point I had no clue what to do, so I tried my luck with iehistory (I explained it in the previous lab) and I noticed something interesting.
```
$ volatility -f MemoryDump_Lab5.raw --profile Win7SP1x64 iehistory
.........
Process: 1396 explorer.exe
Cache type "URL " at 0x28c5900
Record length: 0x100
Location: Visited: Alissa Simpson@file:///C:/Users/Alissa%20Simpson/Pictures/ZmxhZ3shIV93M0xMX2QwbjNfU3Q0ZzMtMV8wZl9MNEJfM19EMG4zXyEhfQ.bmp
.........
Process: 1396 explorer.exe
Cache type "URL " at 0x28c5a00
Record length: 0x100
Location: Visited: Alissa Simpson@file:///C:/Users/Alissa%20Simpson/Pictures/ZmxhZ3shIV93M0xMX2QwbjNfU3Q0ZzMtMV8wZl9MNEJfNV9EMG4zXyEhfQ.bmp
.........
Process: 1396 explorer.exe
Cache type "URL " at 0x28c5c00
Record length: 0x100
Location: Visited: Alissa Simpson@file:///C:/Windows/AppPatch/ZmxhZ3shIV93M0xMX2QwbjNfU3Q0ZzMtMV8wZl9MNEJfNV9EMG4zXyEhfQ.bmp
```

This .bmp file is repeated multiple times and its name looks like a Base64 string, so I tried to decode it.
```
$ echo ZmxhZ3shIV93M0xMX2QwbjNfU3Q0ZzMtMV8wZl9MNEJfNV9EMG4zXyEhfQ | base64 -d
flag{!!_w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3_!!}
```

Voila! We got the flag of stage 1.

Flag 1: `flag{!!_w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3_!!}`
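The decoding step above, written out as an added Python example (not part of the original write-up): it pulls every `file:///` URL out of iehistory output, tries to Base64-decode each file-name stem after restoring the `=` padding the file name dropped, keeps only results that are printable ASCII, and applies the substitution from the challenge note. The sample input is the three records quoted above plus one constructed record with an ordinary file name as a negative case.

```python
import base64
import binascii
import re
from pathlib import PurePosixPath
from typing import List, Optional
from urllib.parse import unquote, urlparse

# Sample input: the three iehistory "Location" records quoted in the write-up,
# plus one constructed record with an ordinary file name as a negative case.
SAMPLE_IEHISTORY = """\
Location: Visited: Alissa Simpson@file:///C:/Users/Alissa%20Simpson/Pictures/ZmxhZ3shIV93M0xMX2QwbjNfU3Q0ZzMtMV8wZl9MNEJfM19EMG4zXyEhfQ.bmp
Location: Visited: Alissa Simpson@file:///C:/Users/Alissa%20Simpson/Pictures/ZmxhZ3shIV93M0xMX2QwbjNfU3Q0ZzMtMV8wZl9MNEJfNV9EMG4zXyEhfQ.bmp
Location: Visited: Alissa Simpson@file:///C:/Windows/AppPatch/ZmxhZ3shIV93M0xMX2QwbjNfU3Q0ZzMtMV8wZl9MNEJfNV9EMG4zXyEhfQ.bmp
Location: Visited: Alissa Simpson@file:///C:/Users/Alissa%20Simpson/Pictures/holiday.bmp
"""

FILE_URL = re.compile(r"file:///\S+")


def decode_base64_name(stem: str) -> Optional[str]:
    """Decode an unpadded (standard or URL-safe) Base64 file-name stem.
    Returns None unless the result is printable ASCII, which rejects ordinary names."""
    if len(stem) < 8:
        return None
    padded = stem + "=" * (-len(stem) % 4)  # restore the '=' padding the file name dropped
    try:
        raw = base64.b64decode(padded.translate(str.maketrans("-_", "+/")), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def apply_challenge_note(flag: str) -> str:
    """The substitution the challenge note asks for (L4B_3 -> L4B_5)."""
    return flag.replace("L4B_3_D0n3", "L4B_5_D0n3")


def recover_flags(iehistory_output: str) -> List[str]:
    """Unique decoded file-name stems from every file:/// URL, in order of first appearance."""
    found: List[str] = []
    for url in FILE_URL.findall(iehistory_output):
        stem = PurePosixPath(unquote(urlparse(url).path)).stem
        decoded = decode_base64_name(stem)
        if decoded is not None and decoded not in found:
            found.append(decoded)
    return found
```

Running `recover_flags(SAMPLE_IEHISTORY)` yields two decodes, differing only in `L4B_3` versus `L4B_5`; `apply_challenge_note` collapses them to the single stage 1 flag.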
Now let's return to the rar file.

```
$ unrar e SW1wb3J0YW50.rar
UNRAR 5.61 beta 1 freeware Copyright (c) 1993-2018 Alexander Roshal
Extracting from SW1wb3J0YW50.rar
Enter password (will not be echoed) for Stage2.png:
Extracting Stage2.png OK
All OK
```

As I said before, the password is stage 1's flag.
Flag 2: flag{W1th_th1s_$taGe_21s_c0mPL3T3!!}