crash
Description:
I didn’t save my work…
- Category: forensic
- Challenge file: dump.vmem
Solutions:
- windows.pslist | grep notepad
- windows.dumpfiles --pid 2216
- strings pid.2216.dmp | grep flag -> finds flag.txt at C:\Users\imaginarypc\Documents\flag.txt
- windows.filescan | grep flag.txt
- windows.dumpfiles --virtaddr 0xc60c81c70ce0
- cat file.0xc60c81c70ce0.0xc60c83b5e650.DataSectionObject.flag.txt.dat | base64 -d
Flag: ictf{aa0eb707a41b2ca6}
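The last two steps (dump the file, base64-decode its content) generalised into a small scanner, as an added example that is not part of the original writeup: it searches raw bytes (a dumped file or the whole memory image) for flag-format strings both in the clear and inside base64 runs, so the decode step no longer depends on knowing which file to open first. The `ictf{` prefix is taken from the flag on the page; the sample input is constructed.

```python
import base64
import binascii
import re

# Flag format of this CTF, assumed from the flag shown on the page: ictf{...}
FLAG_RE = re.compile(rb"ictf\{[^}\s]{1,64}\}")
# Runs that look like base64 text: 16+ alphabet chars plus optional padding.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def find_flags(data: bytes) -> dict:
    """Return {'plain': [...], 'base64': [...]} flags found in raw bytes.

    'plain' lists flags readable directly (what `strings | grep` shows);
    'base64' lists flags that only appear after decoding a base64 run
    (what the dumped flag.txt needed in this challenge).
    """
    plain = sorted(set(FLAG_RE.findall(data)))
    decoded = set()
    for match in B64_RE.finditer(data):
        token = match.group(0)
        # Re-pad to a multiple of 4 so a run whose '=' got cut off still decodes.
        token += b"=" * (-len(token) % 4)
        try:
            blob = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # not real base64 (e.g. a long identifier like DataSectionObject)
        decoded.update(FLAG_RE.findall(blob))
    return {"plain": plain, "base64": sorted(decoded)}


# Constructed sample standing in for a few lines of `strings` output from the
# dump: a path, a process name, a base64-encoded flag (as flag.txt held it) and
# a plain flag-shaped string that needs no decoding.
SAMPLE_FLAG = b"ictf{constructed_sample}"
SAMPLE = b"\n".join([
    b"C:\\Users\\imaginarypc\\Documents\\flag.txt",
    b"notepad.exe",
    base64.b64encode(SAMPLE_FLAG),
    b"ictf{plain_text_decoy}",
])

if __name__ == "__main__":
    print(find_flags(SAMPLE))
```

Run it over `strings`-like output or the raw `.dat` file by reading the file as bytes and passing it to `find_flags`.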