foren-weekend-crash (CSAW-CTF-2021) writeup

writeup for weekend-crash challange in CSAW CTF 2021 finals

Posted by 0xMohammed on November 15, 2021 · 3 mins read

Description

It’s Friday evening and you have been working nonstop for the past few days on your assignment due at midnight. Alas, fate is not on your side as your computer crashed! Luckily, with your forensics knowledge, you were able to take a snapshot of your memory. But now, your frazzled brain can’t remember what the state of your assignment was. Can you recover the information you need?

Challenge Files: https://drive.google.com/file/d/1Xyy__6d_bV3E5mRvF719i2nHJ0PHh7RZ/view?usp=sharing

Password: cs4w_2021_f1n4lz

Tools

  1. Rstudio
  2. Volatility3
  3. DB browser for SQLite
  4. CyberChef

Walkthrough

We were given a 2GB windows 10 memory dump. I usually start my analysis by loading the dump in Rstudio, which scans the file for partitions signature and rebuilds the directory structure based on this structure.
Starting Rstudio, add the image and scan for partitions. (For NTFS partitions, Rstudio search for $MFT and rebuild the directory structure based on the $MFT file.)
After Rstudio finishes the scans, Righ-Click on the found partition and choose show files.
sourcecode The download folders show that the user downloaded a firefox installer. Checking the program files, we found that only firefox is the installed program, so that is our target.
sourcecode Now let’s move our analysis to Volatility3. Based on the information we were able to extract, we need to dump firefox profiles.
First, we need to list the files present in the memory dump using the following command vol3 -f weekend_crash.bin windows.filescan > output.txt. Looking for firefox files, we found many files.
sourcecode Let’s check firefox history first, which is stored in places.sqlite. Use vol3 -f weekend_crash.bin windows.dumpfiles --virtaddr 0x940cdc0252d0 command to dump the places.sqlite file and use DB Browser for SQLite to analyze the content of places.sqlite.
sourcecode Examining the history, we found the http://congon4tor.com:7777/ website, which returns No flag sorry.
sourcecode Maybe there is a cookie we need to inject, so let’s dump cookies.sqlite and examine it with DB Browser for SQLite.
sourcecode As we thought, we found a cookie with the name magic and value `6670ee0a08c2818f76256954c72ad077. Injecting cookies to the website, we got the flag, but it is encoded with rot13.
sourcecode Using cyberchef, we were able to decode it.
sourcecode