πŸ‘¨β€πŸ’»
CTFs
HomePlaygroundOSCPBuy Me a Flag 🚩
  • 🚩Zeyu's CTF Writeups
  • Home
  • Playground
  • OSCP
  • My Challenges
    • SEETF 2023
    • The InfoSecurity Challenge 2022
    • SEETF 2022
    • Cyber League Major 1
    • STANDCON CTF 2021
      • Space Station
      • Star Cereal
      • Star Cereal 2
      • Mission Control
      • Rocket Science
      • Space University of Interior Design
      • Rocket Ship Academy
      • Space Noise
  • 2023
    • DEF CON CTF 2023 Qualifiers
    • hxp CTF
      • true_web_assembly
    • HackTM CTF Qualifiers
      • Crocodilu
      • secrets
      • Hades
  • 2022
    • niteCTF 2022
      • Undocumented js-api
      • js-api
    • STACK the Flags 2022
      • Secret of Meow Olympurr
      • The Blacksmith
      • GutHib Actions
      • Electrogrid
      • BeautyCare
    • LakeCTF Qualifiers
      • People
      • Clob-Mate
      • So What? Revenge
    • The InfoSecurity Challenge 2022
      • Level 1 - Slay The Dragon
      • Level 2 - Leaky Matrices
      • Level 3 - PATIENT0
      • Level 4B - CloudyNekos
      • Level 5B - PALINDROME's Secret (Author Writeup)
    • BalsnCTF 2022
      • 2linenodejs
      • Health Check
    • BSidesTLV 2022 CTF
      • Smuggler
      • Wild DevTools
      • Tropical API
    • Grey Cat The Flag 2022
    • DEF CON CTF 2022 Qualifiers
    • Securinets CTF Finals 2022
      • StrUggLe
      • XwaSS ftw?
      • Strong
      • Artist
    • NahamCon CTF 2022
      • Flaskmetal Alchemist
      • Hacker TS
      • Two For One
      • Deafcon
      • OTP Vault
      • Click Me
      • Geezip
      • Ostrich
      • No Space Between Us
    • Securinets CTF Quals 2022
      • Document-Converter
      • PlanetSheet
      • NarutoKeeper
    • CTF.SG CTF
      • Asuna Waffles
      • Senpai
      • We know this all too well
      • Don't Touch My Flag
      • Wildest Dreams Part 2
      • Chopsticks
    • YaCTF 2022
      • Shiba
      • Flag Market
      • Pasteless
      • Secretive
      • MetaPDF
      • Crackme
    • DiceCTF 2022
      • knock-knock
      • blazingfast
    • TetCTF 2022
      • 2X-Service
      • Animals
      • Ezflag Level 1
  • 2021
    • hxp CTF 2021
    • HTX Investigator's Challenge 2021
    • Metasploit Community CTF
    • MetaCTF CyberGames
      • Look, if you had one shot
      • Custom Blog
      • Yummy Vegetables
      • Ransomware Patch
      • I Hate Python
      • Interception
    • CyberSecurityRumble CTF
      • Lukas App
      • Finance Calculat0r 2021
      • Personal Encryptor with Nonbreakable Inforation-theoretic Security
      • Enterprice File Sharing
      • Payback
      • Stonks Street Journal
    • The InfoSecurity Challenge (TISC) 2021
      • Level 4 - The Magician's Den
      • Level 3 - Needle in a Greystack
      • Level 2 - Dee Na Saw as a need
      • Level 1 - Scratching the Surface
    • SPbCTF's Student CTF Quals
      • 31 Line PHP
      • BLT
      • CatStep
    • Asian Cyber Security Challenge (ACSC) 2021
      • Cowsay As A Service
      • Favorite Emojis
      • Baby Developer
      • API
      • RSA Stream
      • Filtered
      • NYONG Coin
    • CSAW CTF Qualification Round 2021
      • Save the Tristate
      • securinotes
      • no pass needed
      • Gatekeeping
      • Ninja
    • YauzaCTF 2021
      • Yauzacraft Pt. 2
      • Yauzabomber
      • RISC 8bit CPU
      • ARC6969 Pt. 1
      • ARC6969 Pt. 2
      • Back in 1986 - User
      • Lorem-Ipsum
    • InCTF 2021
      • Notepad 1 - Snakehole's Secret
      • RaaS
      • MD Notes
      • Shell Boi
      • Listen
      • Ermittlung
      • Alpha Pie
    • UIUCTF 2021
      • pwnies_please
      • yana
      • ponydb
      • SUPER
      • Q-Rious Transmissions
      • capture the :flag:
      • back_to_basics
      • buy_buy_buy
    • Google CTF 2021
      • CPP
      • Filestore
    • TyphoonCon CTF 2021
      • Clubmouse
      • Impasse
    • DSTA BrainHack CDDC21
      • File It Away (Pwn)
      • Linux Rules the World! (Linux)
      • Going Active (Reconnaissance)
      • Behind the Mask (Windows)
      • Web Takedown Episode 2 (Web)
      • Break it Down (Crypto)
    • BCACTF 2.0
      • L10N Poll
      • Challenge Checker
      • Discrete Mathematics
      • Advanced Math Analysis
      • Math Analysis
      • American Literature
      • More Than Meets the Eye
      • τƒ—τŒ²”τ‡ΊŸτŠΈ‰τ«žτ„Ί·τ„§»τƒ„τŠΈ‰
    • Zh3ro CTF V2
      • Chaos
      • Twist and Shout
      • 1n_jection
      • alice_bob_dave
      • Baby SSRF
      • bxxs
      • Sparta
    • Pwn2Win CTF 2021
      • C'mon See My Vulns
      • Illusion
    • NorzhCTF 2021
      • Leet Computer
      • Secure Auth v0
      • Triskel 3: Dead End
      • Triskel 2: Going In
      • Triskel 1: First Contact
      • Discovery
    • DawgCTF 2021
      • Bofit
      • Jellyspotters
      • No Step On Snek
      • Back to the Lab 2
      • MDL Considered Harmful
      • Really Secure Algorithm
      • The Obligatory RSA Challenge
      • Trash Chain
      • What the Flip?!
      • Back to the Lab 1
      • Back to the Lab 3
      • Dr. Hrabowski's Great Adventure
      • Just a Comment
      • Baby's First Modulation
      • Two Truths and a Fib
    • UMDCTF 2021
      • Advantageous Adventures
      • Roy's Randomness
      • Whose Base Is It Anyway
      • Cards Galore
      • Pretty Dumb File
      • Minetest
      • Donnie Docker
      • Subway
      • Jump Not Easy
      • To Be XOR Not To Be
      • Office Secrets
      • L33t M4th
      • Bomb 2 - Mix Up
      • Jay
    • Midnight Sun CTF 2021
      • Corporate MFA
      • Gurkburk
      • Backups
    • picoCTF 2021
      • It Is My Birthday (100)
      • Super Serial (130)
      • Most Cookies (150)
      • Startup Company (180)
      • X marks the spot (250)
      • Web Gauntlet (170 + 300)
      • Easy Peasy (40)
      • Mini RSA (70)
      • Dachshund Attacks (80)
      • No Padding, No Problem (90)
      • Trivial Flag Transfer Protocol (90)
      • Wireshark twoo twooo two twoo... (100)
      • Disk, Disk, Sleuth! (110 + 130)
      • Stonks (20)
    • DSO-NUS CTF 2021
      • Insecure (100)
      • Easy SQL (200)
Powered by GitBook
On this page
  • Challenge
  • Solution
  • What is the name of the chat application program?
  • When did the user last used this chat application?
  • How many unread messages are there in the chat application that the user is using?
  • What is the current version of the chat application that’s being used?
  • Final Flag

Was this helpful?

InCTF 2021

Ermittlung

Basic memory forensics

Challenge

Description

Our Incident Response team started their investigation on a device found when pinning down a terrorist. They got some doubts while analyzing the device, so they framed these questions. Can you help them in answering these questions? Our Intelligence report states that the terrorist used a legit chat application for communication among themselves.

Questions:

  • What is the name of the chat application program?

    • Ex: Mozilla_Firefox (Use the name of the program, not the name of the binary. If there is a space, replace it with _.)

  • When did the user last use this chat application?

    • Answer in DD-MM-YYYY_HH:MM:SS. Timestamp in UTC

  • How many unread messages are there in the chat application that the user is using?

    • Answer should be an integer n.

  • What is the current version of the chat application that's being used?

    • Answer in X.X.XXXX.XXXX

Note:

  • Wrap the answers around inctf{}.

  • Sample flag: inctf{Mozilla_Firefox_31-07-2020_19:00:00_10_1.2.2345.5678}

  • Flag is Case Sensitive

MD5 Hash: ermittlung.raw 110305F3CF71432B4DFAFD1538CDF850

Solution

First of all, let's determine the profile.

$ vol.py -f ermittlung.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/Users/zhangzeyu/OneDrive/Documents/CTF/inCTF/ermittlung.raw)
                      PAE type : No PAE
                           DTB : 0x39000L
                          KDBG : 0x8054cf60L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2020-07-27 12:27:08 UTC+0000
     Image local date and time : 2020-07-27 17:57:08 +0530

Great! We will use the WinXPSP2x86 profile from now on.

What is the name of the chat application program?

If we look at the process tree, the only relevant process with "chat" functionality is msimn.exe, which is Outlook Express.

$ vol.py --profile=WinXPSP2x86 pstree -f ermittlung.raw
Volatility Foundation Volatility Framework 2.6.1
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x867c6830:System                                      4      0     54    274 1970-01-01 00:00:00 UTC+0000
. 0x8646e020:smss.exe                                 364      4      3     19 2020-07-27 12:25:41 UTC+0000
.. 0x86476458:csrss.exe                               588    364     10    493 2020-07-27 12:25:41 UTC+0000
.. 0x864edda0:winlogon.exe                            612    364     25    543 2020-07-27 12:25:42 UTC+0000
... 0x866a04b8:lsass.exe                              668    612     28    389 2020-07-27 12:25:42 UTC+0000
... 0x8660d280:services.exe                           656    612     16    272 2020-07-27 12:25:42 UTC+0000
.... 0x86281020:svchost.exe                          1292    656     12    180 2020-07-27 12:25:43 UTC+0000
.... 0x86497868:svchost.exe                          1056    656     82   1450 2020-07-27 12:25:42 UTC+0000
..... 0x86213700:wuauclt.exe                         3088   1056      5    109 2020-07-27 12:26:55 UTC+0000
..... 0x865b73c0:wuauclt.exe                          456   1056      9    136 2020-07-27 12:25:56 UTC+0000
..... 0x864b8b10:wscntfy.exe                         1508   1056      1     37 2020-07-27 12:25:58 UTC+0000
.... 0x862672e8:spoolsv.exe                          1716    656     15    122 2020-07-27 12:25:43 UTC+0000
.... 0x864fb560:VBoxService.exe                       828    656      9    126 2020-07-27 12:25:42 UTC+0000
.... 0x86504230:svchost.exe                           964    656      9    263 2020-07-27 12:25:42 UTC+0000
.... 0x862a47a8:svchost.exe                          1116    656      7     88 2020-07-27 12:25:42 UTC+0000
.... 0x865a6558:alg.exe                              1004    656      7    104 2020-07-27 12:25:57 UTC+0000
.... 0x86512c18:svchost.exe                          1908    656      6    107 2020-07-27 12:25:52 UTC+0000
.... 0x86473458:svchost.exe                           888    656     21    220 2020-07-27 12:25:42 UTC+0000
..... 0x86540340:wmiprvse.exe                         448    888      8    191 2020-07-27 12:26:09 UTC+0000
 0x8647dda0:explorer.exe                             1584   1560     20    599 2020-07-27 12:25:43 UTC+0000
. 0x8657ada0:firefox.exe                              144   1584     53    624 2020-07-27 12:26:07 UTC+0000
. 0x8663a788:DumpIt.exe                              3224   1584      1     25 2020-07-27 12:27:05 UTC+0000
. 0x86569790:ctfmon.exe                              1176   1584      1     86 2020-07-27 12:25:57 UTC+0000
. 0x865a27f8:VBoxTray.exe                            1156   1584     13    115 2020-07-27 12:25:57 UTC+0000
. 0x861aec90:msimn.exe                               2132   1584     14    454 2020-07-27 12:26:17 UTC+0000

When did the user last use this chat application?

The pstree output above gives the start time of the msimn.exe process (PID 2132): 2020-07-27 12:26:17 UTC+0000. In the required DD-MM-YYYY_HH:MM:SS format that is 27-07-2020_12:26:17.

How many unread messages are there in the chat application that the user is using?

A quick Google search on Outlook Express registry keys showed us that the registry key Software\Microsoft\Windows\CurrentVersion\UnreadMail (in the user's NTUSER.DAT hive) contains information about unread mail. There is a subkey for each email address, and the MessageCount value of each subkey tells us how many unread messages there are.

$ vol.py --profile=WinXPSP2x86 printkey -K "Software\Microsoft\Windows\CurrentVersion\UnreadMail\danial.banjamin008@gmail.com" -f ermittlung.raw
Volatility Foundation Volatility Framework 2.6.1
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\Documents and Settings\crimson\NTUSER.DAT
Key name: danial.banjamin008@gmail.com (S)
Last updated: 2020-07-27 12:26:25 UTC+0000

Subkeys:

Values:
REG_DWORD     MessageCount    : (S) 4
REG_BINARY    TimeStamp       : (S)
0x00000000  42 d8 4e 25 11 64 d6 01                           B.N%.d..
REG_SZ        Application     : (S) msimn

There were 4 unread messages.
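To check the two answers above without trusting the output by eye, here is an added Python helper (not part of the original writeup or of Volatility) that parses the printkey output for MessageCount, decodes the REG_BINARY TimeStamp as a Windows FILETIME, and reformats the msimn.exe start time from the pstree row into the flag's DD-MM-YYYY_HH:MM:SS form. The two sample strings are copied from the output above; the decoded TimeStamp should agree with the key's "Last updated" line.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the printkey output for the UnreadMail subkey shown above.
PRINTKEY_OUTPUT = r"""
Registry: \Device\HarddiskVolume1\Documents and Settings\crimson\NTUSER.DAT
Key name: danial.banjamin008@gmail.com (S)
Last updated: 2020-07-27 12:26:25 UTC+0000

Subkeys:

Values:
REG_DWORD     MessageCount    : (S) 4
REG_BINARY    TimeStamp       : (S)
0x00000000  42 d8 4e 25 11 64 d6 01                           B.N%.d..
REG_SZ        Application     : (S) msimn
"""

# Constructed sample: the msimn.exe row from the pstree output above.
PSTREE_ROW = ". 0x861aec90:msimn.exe                               2132   1584     14    454 2020-07-27 12:26:17 UTC+0000"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian Windows FILETIME (100 ns ticks since 1601-01-01)."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    ticks = int.from_bytes(raw, "little")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_unreadmail(output: str) -> dict:
    """Pull MessageCount and the decoded TimeStamp out of Volatility printkey output."""
    count = int(re.search(r"MessageCount\s*:\s*\(S\)\s*(\d+)", output).group(1))
    # printkey prints REG_BINARY as a hexdump line: offset, hex bytes, ASCII column.
    dump = re.search(r"TimeStamp.*\n0x[0-9a-f]+\s+((?:[0-9a-f]{2} ?){8})", output)
    raw = bytes.fromhex(dump.group(1).replace(" ", ""))
    return {"message_count": count, "timestamp": filetime_to_datetime(raw)}


def flag_timestamp(pstree_row: str) -> str:
    """Reformat the process start time from a pstree row into DD-MM-YYYY_HH:MM:SS."""
    m = re.search(r"(\d{4})-(\d{2})-(\d{2}) (\d{2}:\d{2}:\d{2}) UTC", pstree_row)
    year, month, day, clock = m.groups()
    return f"{day}-{month}-{year}_{clock}"


if __name__ == "__main__":
    info = parse_unreadmail(PRINTKEY_OUTPUT)
    print(info["message_count"], info["timestamp"], flag_timestamp(PSTREE_ROW))
```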

What is the current version of the chat application that’s being used?

We can use procdump to dump the executable of the msimn.exe process (PID 2132).

$ vol.py --profile=WinXPSP2x86 procdump -p 2132 -D msimn -f ermittlung.raw

Opening up the file properties in Windows, the answer is staring at us in the face!

The current version is 6.0.2900.5512.

Final Flag

inctf{Outlook_Express_27-07-2020_12:26:17_4_6.0.2900.5512}

Challenge Author: g4rud4

This challenge requires us to do some basic memory forensics using Volatility.