Jersey CTF — Open Notes (Forensics)

Ayush Shah
2 min read · Mar 24, 2024


I am Ayush Shah. I played this ctf with my team Bits & Pieces.

https://ctftime.org/team/178228

Challenge Description:

A workstation we are examining had some open files at the time of the memory capture. Examine the memory image at open-notes.vmem to find the flag.

Developed by NJCCIC

We are given a .vmem file, so let's analyse it with volatility3 (https://github.com/volatilityfoundation/volatility3). The challenge text points at open files, so we can narrow the search to anything related to Notepad. First, list all the processes:

python3 vol.py -f open-notes.vmem windows.pslist

Take the process ID of notepad.exe, which is 6168, and dump that process's memory:

python3 vol.py -f open-notes.vmem -o /tmp/dump windows.memmap.Memmap --pid 6168 --dump

After a few seconds the dump appears in /tmp/dump.

Then run strings -e l /tmp/dump/pid.6168.dmp | grep ctf. The -e l option makes strings extract 16-bit little-endian (UTF-16LE) text, which is how Windows keeps the contents of an open Notepad window in memory, and the grep narrows the output to the flag.
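The last step relies on pulling UTF-16LE strings out of a raw process dump and filtering them, which is what strings -e l piped into grep does. The script below is an added example that is not part of the original write-up: it reimplements that extraction in Python so the encoding detail is visible, and runs over a small constructed byte buffer standing in for the dump (the file name, the "Untitled - Notepad" title and the jctf{placeholder_flag} value are all made up for the example and are not the challenge's real data).

```python
import re
import sys
from typing import Iterator, List, Tuple

# Constructed stand-in for a slice of pid.6168.dmp: a few bytes of noise,
# a UTF-16LE window title, more noise, a UTF-16LE flag-shaped string and
# some plain ASCII text that `strings -e l` should NOT report.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    + "Untitled - Notepad".encode("utf-16-le")
    + b"\xff\xfe\x00"
    + "jctf{placeholder_flag}".encode("utf-16-le")  # constructed placeholder, not the real flag
    + b"plain ascii text\x00"
)


def utf16le_strings(data: bytes, min_len: int = 4) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for every run of at least `min_len` printable
    UTF-16LE characters, mirroring `strings -e l` on a Windows process dump.

    Each printable ASCII character in UTF-16LE is the byte itself followed
    by a zero high byte, so the regex looks for runs of that two-byte shape.
    """
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for match in pattern.finditer(data):
        yield match.start(), match.group().decode("utf-16-le")


def grep_strings(data: bytes, needle: str, min_len: int = 4) -> List[Tuple[int, str]]:
    """Case-insensitive filter over the extracted strings, like `| grep -i`."""
    needle = needle.lower()
    return [(off, s) for off, s in utf16le_strings(data, min_len) if needle in s.lower()]


def scan_file(path: str, needle: str) -> List[Tuple[int, str]]:
    """Read a dump file from disk and return the matching UTF-16LE strings."""
    with open(path, "rb") as fh:
        return grep_strings(fh.read(), needle)


if __name__ == "__main__":
    # Usage: python3 scan_dump.py /tmp/dump/pid.6168.dmp ctf
    # With no arguments the constructed sample buffer is scanned instead.
    if len(sys.argv) == 3:
        hits = scan_file(sys.argv[1], sys.argv[2])
    else:
        hits = grep_strings(SAMPLE_DUMP, "ctf")
    for offset, text in hits:
        print(f"0x{offset:08x}: {text}")
```

Offsets are printed because, on a real dump produced by windows.memmap, the offset tells you where in the dumped memory map the text sat, which is useful when you want to go back to volatility and look at the surrounding region.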

Thank you so much for reading.

If you are interested in joining our team for Web Exploitation, Binary Exploitation or Reverse Engineering, please DM ckc9759 on Discord.

Happy Hacking!


Written by Ayush Shah

I am passionate about programming, web security testing, and actively participating in Capture The Flag (CTF) competitions.
