Memedump

memory dump dump dump! Forensics!

Additional Information: We did not manage to solve this challenge during the CTF, but we tried it after the event was over, and we managed to solve the challenge!

I too would like to be a professional meme maker. Sadly, I lack the skill or talent to make such amazing memes. BUT... and hear me out, I got hold of someone's laptop full of dank memes. Well not the laptop, just the memory of the laptop. With this, I should be able to copy all his memes right????

We were given a huge .raw file (1 GB in size). From the title of the challenge, we suspected that it was probably a memory dump.

As always, we ran the file command to check what type of file it is.

data 👍

The result tells us that it is a data file, not so helpful eh? 😢

Next, we ran binwalk to get more information! The output was astonishingly large!!

binwalk 1st half
binwalk 2nd half

There were various descriptions in the results, and we noticed a Microsoft executable, portable (PE), which confirmed our suspicion that this is a memory dump! 👏

We immediately fired up our trusty Volatility, a memory forensic tool!

First things first, we have to find out the profile of the memory dump (memdump) via the imageinfo plugin.

This tells us what Operating System (OS) was used.

vol.py -f memedump.raw imageinfo
memdump

The Suggested Profile(s) line in the results tells us that the OS used is Windows! The profile is thus Win7SP0x86.

Using the profile, we can check for the list of processes that were running at the time of acquisition.

vol.py -f memedump.raw pslist --profile=Win7SP0x86
pslist

From the process list, we noticed mspaint.exe, and after Googling around we found an interesting write-up about Volatility and mspaint! 🤯 We used that as a guide to solve this challenge.

Take note of the PID of mspaint.exe, which is 1464, as we will get back to it later.

Before investigating mspaint.exe further, we looked for other possibilities that could be the flag. We checked the list of files under Users.

vol.py -f memedump.raw --profile=Win7SP0x86 filescan | grep '.*Users.*'
list of files under Users folder

We noticed a few images named "flag", but when we extracted all of them they were just a bunch of memes. So we moved our focus back to mspaint.exe.

We dumped the memory of mspaint.exe using its PID.

vol.py -f memedump.raw --profile=Win7SP0x86 memdump -p 1464 --dump-dir=.

After doing so, we renamed the exported 1464.dmp file to 1464.data so that Gimp would recognize it, and then opened it in Gimp.

With some trial and error, the correct offset, width and height can be found.

flag!!!

Et voila! We managed to get the flag!! 🎉🎉

Offset: 192318395

Height: 1198

Width: 953

Flag: STANDCON22{meme_mem_dump}
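As an added example (not part of the original writeup), here is a small Python script that does in code what the Gimp raw-image import did above: it carves a bitmap out of a dump at a given offset into a viewable PPM file, and scores candidate widths so the trial and error can be narrowed down. It assumes 4-byte BGRA pixels with no row padding, which the writeup does not state; the built-in sample dump is constructed for the demonstration.

```python
# Assumptions (not stated in the writeup): 4 bytes per pixel in BGRA order, rows stored
# top-to-bottom with no padding, which matches Gimp's "Raw image data" import settings.
BPP = 4


def carve_ppm(dump: bytes, offset: int, width: int, height: int) -> bytes:
    """Return the width x height bitmap at `offset` as a binary PPM (P6) any viewer opens."""
    n = width * height * BPP
    region = dump[offset:offset + n]
    if len(region) < n:
        raise ValueError("dump too short for that offset/geometry")
    out = bytearray(f"P6 {width} {height} 255\n".encode())
    for p in range(0, n, BPP):
        b, g, r = region[p], region[p + 1], region[p + 2]  # BGRA -> RGB, alpha dropped
        out += bytes((r, g, b))
    return bytes(out)


def row_score(region: bytes, width: int, rows: int) -> int:
    """Total byte difference between consecutive rows when `region` is read `width` pixels wide.
    Neighbouring rows of a real picture look alike, so the true width gives the lowest score."""
    stride = width * BPP
    total = 0
    for y in range(rows - 1):
        cur = region[y * stride:(y + 1) * stride]
        nxt = region[(y + 1) * stride:(y + 2) * stride]
        total += sum(abs(a - b) for a, b in zip(cur, nxt))
    return total


def guess_width(dump: bytes, offset: int, candidates, rows: int = 32) -> int:
    """Rank candidate widths for the bitmap at `offset`; replaces the Gimp trial and error."""
    region = dump[offset:offset + max(candidates) * BPP * rows]
    return min(candidates, key=lambda w: row_score(region, w, rows))


def make_test_dump():
    """Constructed sample dump: junk, then a 64x40 BGRA gradient at offset 1000, then junk."""
    width, height, offset = 64, 40, 1000
    junk = bytes((i * 131 + 7) % 256 for i in range(20000))
    pixel = lambda x, y: bytes((x * 3 % 256, y % 256, 255 - x * 3 % 256, 255))
    image = b"".join(pixel(x, y) for y in range(height) for x in range(width))
    return junk[:offset] + image + junk, offset, width, height


if __name__ == "__main__":
    dump, offset, width, height = make_test_dump()
    print("best width:", guess_width(dump, offset, [32, 48, 60, 64, 72, 96, 128]))
    with open("carved.ppm", "wb") as fh:
        fh.write(carve_ppm(dump, offset, width, height))
```

On the real dump, `carve_ppm(open("1464.data", "rb").read(), 192318395, 953, 1198)` should reproduce the Gimp result if the pixel-format assumption holds.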

Challenge Files

The challenge file was too big to upload here :(

File size: 1 GB
