InCTF 2017 : Browse? Writeup

Challenge created by sh1v

First of thanks to Jim Shaver as the challenge was inspired from this blog. Initially we have a memory dump. On analysing it in volatility using imageinfo plugin we get to know that the memory dump is of Windows 7.

Screenshot from 2017-12-18 17-51-45

Then on further analysis of the processes listed using the pslist plugin we get to know that Wireshark.exe and notepad.exe is being run.

Screenshot from 2017-12-18 17-55-31

The next task is to find the the pcap file and extract it. On further analysis using the filescan plugin and then using grep to find pcap we get a flag.pcapng file.

Screenshot from 2017-12-18 18-12-49

The we dump the file using dumpfiles plugin and then rename it to flag.pcapng

Screenshot from 2017-12-18 18-17-09

On opening the pcap we can understand that the traffic is encrypted. To decrypt the ssl  traffic we need the Master-Secret log file or the RSA keys. So we need to again search for the log file or RSA keys. We will first search for a .pem file which is the RSA key. The search gave a negative result so the next thing we do is search for .log file and we found sslkeylog.log

Screenshot from 2017-12-18 18-31-35

Using dumpfiles plugin we again dump the log file to be given. Then by the above mentioned method from the blog we can decrypt the traffic and get the flag which is :


Also there was an unintended solution for this due to which we had to reduce the points. The method for that was the flag was encoded in base64 in the clipboard of the memory which can be easy retrieved using clipboard plugin.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Blog at

Up ↑

%d bloggers like this: