lesion.io Blog
  • Roadmap
  • Docs
    • Templates
      • Data Inventory
      • Access Control
      • Cybersecurity Roles & Responsibilities
      • Asset Inventory
      • Acceptable Use Policy
      • Change Management
      • Vendor Risk Assessment Form
      • Password Protection Policy
  • About Us
    • Manifesto
    • Metrics
  • CTF Team
    • CISA ICS CTF 2024
      • Virbank
        • Mission: Inconceivable - 1
        • Mission: Inconceivable - 2
        • Extend Your Stay - 1
        • Extend Your Stay - 2
        • Extend Your Stay - 3
        • Extend Your Stay - 4
        • Follow The Charts - 1
        • Follow The Charts - 2
        • Read Askew Manuscripts - 1
        • Read Askew Manuscripts - 2
        • Read Askew Manuscripts - 3
        • Read Askew Manuscripts - 4
        • Read Askew Manuscripts - 5
      • Anville
        • Genisys of the Problems - 1
        • Genisys of the Problems - 2
        • Genisys of the Problems - 3
        • Modeling Trains - 1
        • Modeling Trains - 2
        • Modeling Trains - 3
      • Castelia
        • Page
      • Driftviel
        • Page 1
Powered by GitBook
On this page

Was this helpful?

  1. CTF Team
  2. CISA ICS CTF 2024
  3. Virbank

Read Askew Manuscripts - 1

PreviousFollow The Charts - 2NextRead Askew Manuscripts - 2

Last updated 7 months ago

Was this helpful?

  1. We are tasked with finding the XRAY Key that is in registry in this memory dump. One of the best tools for doing memory forensics is a tool called . There are 2 different versions, I used the earlier version, 2.*.* as its the one Ive used the most in the past.

  2. Using this command we dump the "imageinfo" of the memory dump. This information can help us build a profile of the machine and help with further analysis.

python2 vol.py -f /home/.../.../ICS_CISA_24/virbank/read_askew_manuscripts/memdump.raw imageinfo

  1. With the imageinfo we add the --profile to our command. Then we run the command "hivelist", Because we are tasked with finding something in the registry hivelist dumps all the registry types that we can dig through. (The hex address are what we use "exa. 0xe1035b60"

python2 vol.py -f /home/kali/ctf/ICS_CISA_24/virbank/read_askew_manuscripts/memdump.raw --profile=WinXPSP2x86 hivelist (Be sure to add your profile)

  1. Now that we have a list of different registries we can look through we begin digging to find one that contains the "SOFTWARE\ACME_Xray" in it.

python2 vol.py -f /home/kali/ctf/ICS_CISA_24/virbank/read_askew_manuscripts/memdump.raw --profile=WinXPSP2x86 hivedump -o 0xe1035b60 | grep ACME

  1. Using grep we find it in the registry location "0xe1035b60". Now that we know the offset address of where the key is located we simply dump the key.

python2 vol.py -f /home/kali/ctf/ICS_CISA_24/virbank/read_askew_manuscripts/memdump.raw --profile=WinXPSP3x86 printkey -o 0xe1936b60 -K "Software\ACME_XRay"

  1. The base64 encoded string is our flag.

Volatility