Read Askew Manuscripts - 1
We are tasked with finding the XRAY key stored in the registry of this memory dump. One of the best tools for memory forensics is Volatility. There are two different major versions; I used the earlier version, 2.*.*, as it's the one I've used the most in the past.
With the command below we run the "imageinfo" plugin against the memory dump. Its output suggests an OS profile for the machine, which every later command needs.
python2 vol.py -f /home/.../.../ICS_CISA_24/virbank/read_askew_manuscripts/memdump.raw imageinfo
Using the profile reported by imageinfo, we add --profile to our command and run the "hivelist" plugin. Because we are tasked with finding something in the registry, hivelist lists every registry hive held in memory that we can dig through. The hex addresses it prints (the hive offsets, e.g. 0xe1035b60) are what we use in the next steps.
python2 vol.py -f /home/kali/ctf/ICS_CISA_24/virbank/read_askew_manuscripts/memdump.raw --profile=WinXPSP2x86 hivelist (Be sure to add your profile)
Now that we have a list of registry hives to look through, we dig through them to find the one that contains the key "SOFTWARE\ACME_Xray".
python2 vol.py -f /home/kali/ctf/ICS_CISA_24/virbank/read_askew_manuscripts/memdump.raw --profile=WinXPSP2x86 hivedump -o 0xe1035b60 | grep ACME

Using grep we find it in the hive at offset "0xe1035b60". Now that we know the offset of the hive holding the key, we simply print the key by passing that same hive offset, with the same profile, to printkey.
python2 vol.py -f /home/kali/ctf/ICS_CISA_24/virbank/read_askew_manuscripts/memdump.raw --profile=WinXPSP3x86 printkey -o 0xe1936b60 -K "Software\ACME_XRay"

The base64 encoded string is our flag.
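As an added example (not part of this writeup, and not Volatility's own code), the helper below automates the hivelist-to-printkey step: it parses hivelist output, selects the hive by the key path's root name instead of grepping every hive, builds the printkey command with the offset copied rather than retyped, and base64-decodes any REG_SZ value found in the printkey output. The hivelist and printkey samples are constructed, with invented offsets and a made-up value name, and assume the column layout of Volatility 2's real output.

```python
import base64
import re

# Constructed sample of Volatility 2 hivelist output (invented offsets, not the page's dump).
HIVELIST_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0xe1035b60 0x02b6ab60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\software
0xe102e008 0x02b2e008 [no name]
0xe1018b60 0x02b18b60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\system
0xe14a6b60 0x03f56b60 \\Device\\HarddiskVolume1\\Documents and Settings\\Administrator\\NTUSER.DAT
"""
# Constructed sample of the "Values:" section of printkey output for the key.
PRINTKEY_SAMPLE = """\
Values:
REG_SZ        Version         : (S) 1.0
REG_SZ        XrayKey         : (S) ZmxhZ3t0ZXN0fQ==
"""
# On-disk hive file that backs each registry root a key path can start with.
ROOT_TO_HIVE_FILE = {"SOFTWARE": "config\\software", "SYSTEM": "config\\system", "SAM": "config\\sam", "SECURITY": "config\\security"}

def parse_hivelist(text):
    """Return (virtual offset, hive name) pairs from hivelist output."""
    return re.findall(r"^(0x[0-9a-f]+)\s+0x[0-9a-f]+\s+(.+?)\s*$", text, re.M | re.I)

def hive_offset_for_key(hivelist_text, key_path):
    """Pick the hive holding key_path by its root name instead of trial and error."""
    root = key_path.split("\\", 1)[0].upper()
    suffix = ROOT_TO_HIVE_FILE[root].lower()
    for offset, name in parse_hivelist(hivelist_text):
        if name.lower().endswith(suffix):
            return offset
    raise LookupError("no %s hive in hivelist output" % root)

def printkey_command(dump, profile, hivelist_text, key_path):
    """Build the printkey line with the offset copied from hivelist, never retyped."""
    offset = hive_offset_for_key(hivelist_text, key_path)
    return 'python2 vol.py -f %s --profile=%s printkey -o %s -K "%s"' % (dump, profile, offset, key_path)

def decode_base64_values(printkey_text):
    """Map REG_SZ value names to decoded data for every value that is valid base64."""
    found = {}
    for name, data in re.findall(r"^REG_SZ\s+(\S+)\s+:\s+\(\w\)\s+(\S+)", printkey_text, re.M):
        try:
            found[name] = base64.b64decode(data, validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            pass  # plain strings such as "1.0" are not base64
    return found
```

Feed it the real hivelist and printkey output captured from your own run; a flag that is not valid base64 will simply be left out of the decoded map.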