InCTF 2017 : Browse? Writeup

Challenge created by sh1v

First of all, thanks to Jim Shaver, as the challenge was inspired by this blog. Initially we have a memory dump. Analysing it in volatility with the imageinfo plugin tells us that the memory dump is of Windows 7.

[Screenshot: volatility imageinfo output, 2017-12-18 17-51-45]

Further analysis of the processes listed by the pslist plugin shows that Wireshark.exe and notepad.exe are running.

[Screenshot: volatility pslist output, 2017-12-18 17-55-31]

The next task is to find the pcap file and extract it. Running the filescan plugin and grepping its output for pcap turns up a flag.pcapng file.

[Screenshot: filescan output grepped for pcap, 2017-12-18 18-12-49]

Then we dump the file using the dumpfiles plugin and rename it to flag.pcapng.

[Screenshot: dumpfiles output, 2017-12-18 18-17-09]
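The filescan-then-grep-then-dumpfiles step above is easy to script. The following is an added example (not from the original writeup or from volatility itself) that parses Volatility 2 filescan output, finds entries whose path matches a pattern, and builds the matching dumpfiles invocations. The filescan lines are constructed for this illustration; the image name, profile and output directory are placeholders, and the `-Q` (physical offset), `-D` (dump directory) and `-n` (keep original name) options are the Volatility 2 dumpfiles flags as I know them.

```python
import re

# Constructed sample of Volatility 2 filescan output (offsets and paths made up).
SAMPLE_FILESCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e0a1070      8      0 R--rwd \\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll
0x000000003e2b4a40     16      0 RW-rw- \\Device\\HarddiskVolume1\\Users\\user\\Desktop\\flag.pcapng
0x000000003f1c0560      2      1 R--r-d \\Device\\HarddiskVolume1\\Users\\user\\Desktop\\sslkeylog.log
"""

# One filescan row: physical offset, pointer count, handle count, access mask, path.
FILESCAN_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<ptr>\d+)\s+(?P<hnd>\d+)\s+(?P<access>\S+)\s+(?P<name>.+?)\s*$"
)


def parse_filescan(text):
    """Return a list of dicts, one per file-object row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FILESCAN_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def find_files(text, pattern):
    """Return (offset, path) pairs for rows whose path matches the regex (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(r["offset"], r["name"]) for r in parse_filescan(text) if rx.search(r["name"])]


def dumpfiles_commands(text, pattern, image="memdump.raw", profile="Win7SP1x64", outdir="dumped"):
    """Build one dumpfiles command per hit; image/profile/outdir are placeholders."""
    return [
        f"volatility -f {image} --profile={profile} dumpfiles -Q {off} -D {outdir} -n"
        for off, _ in find_files(text, pattern)
    ]


if __name__ == "__main__":
    for cmd in dumpfiles_commands(SAMPLE_FILESCAN, r"\.(pcap|pcapng|log)$"):
        print(cmd)
```

Grepping for just `pcap` also matches directory names, so anchoring the pattern on the file extension keeps the hit list short when the filescan output is large.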

Opening the pcap shows that the traffic is encrypted. To decrypt the SSL traffic we need either the Master-Secret log file or the RSA keys, so we search the memory image again for one of them. We first search for a .pem file, which would hold the RSA key. That search comes up empty, so we next search for .log files and find sslkeylog.log.

[Screenshot: filescan output showing sslkeylog.log, 2017-12-18 18-31-35]
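To show why the recovered log file is enough to decrypt the capture, here is an added example (not part of the original writeup, and not Wireshark's code) that parses the NSS/SSLKEYLOGFILE format, pulls the client random out of a TLS 1.2 ClientHello record, looks up the matching master secret, and runs the TLS 1.2 key expansion PRF from RFC 5246. The key log entries, the ClientHello bytes and the cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, whose key block is 40 bytes) are constructed for this illustration; Wireshark performs the same client_random lookup when given the key log file.

```python
import hashlib
import hmac
import struct

# Constructed key log: each CLIENT_RANDOM line is 64 hex chars of client random
# followed by 96 hex chars of master secret. Values are made up.
SAMPLE_KEYLOG = (
    "# SSL/TLS secrets log file, generated by NSS\n"
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48 + "\n"
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48 + "\n"
)


def parse_keylog(text):
    """Map client_random -> master_secret from CLIENT_RANDOM lines; skip comments and junk."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "CLIENT_RANDOM":
            continue  # TLS 1.3 labels and other entry types are out of scope here
        cr, ms = parts[1], parts[2]
        if len(cr) != 64 or len(ms) != 96:
            continue  # malformed entry
        secrets[bytes.fromhex(cr)] = bytes.fromhex(ms)
    return secrets


def build_client_hello_record(client_random):
    """Construct a minimal TLS 1.2 ClientHello inside a handshake record (demo input only)."""
    assert len(client_random) == 32
    body = b"\x03\x03" + client_random + b"\x00"  # version 1.2, random, empty session id
    body += b"\x00\x02\xc0\x2f"                    # one cipher suite: 0xC02F
    body += b"\x01\x00"                            # one compression method: null
    hs = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type ClientHello + 3-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # handshake record header


def client_random_from_record(record):
    """Extract the 32-byte client_random from a handshake record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    # 4-byte handshake header, 2-byte version, then the random
    return hs[6:38]


def p_sha256(secret, seed, length):
    """TLS 1.2 P_SHA256 data expansion (RFC 5246 section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def key_block(master_secret, server_random, client_random, length=40):
    """key_block = PRF(master_secret, "key expansion", server_random + client_random)."""
    return p_sha256(master_secret, b"key expansion" + server_random + client_random, length)


def secrets_for_capture(record, keylog_text):
    """Return (client_random, master_secret or None) for a captured ClientHello record."""
    cr = client_random_from_record(record)
    return cr, parse_keylog(keylog_text).get(cr)


if __name__ == "__main__":
    rec = build_client_hello_record(b"\x11" * 32)
    cr, ms = secrets_for_capture(rec, SAMPLE_KEYLOG)
    print("client_random found in key log:", ms is not None)
    print("key block:", key_block(ms, b"\x00" * 32, cr).hex())
```

The lookup is the whole trick: the client random is sent in cleartext, so once the key log maps it to the master secret, every traffic key for that session is derivable, which is why a leaked sslkeylog.log in memory is as good as the private key for that capture.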

Using the dumpfiles plugin we dump the log file as well. Then, by the method described in the blog mentioned above, we can decrypt the traffic and get the flag:

InCTF{tl5_4nd_m3m0ry_1s_n0t_v3ry_t0u6h_t0_cr4ck}

There was also an unintended solution, which is why we had to reduce the points: the flag was stored base64-encoded in the clipboard of the memory image, which can be easily retrieved using the clipboard plugin.
