# ALLES CTF

## Forensics

### FlagConverter Part 1

- Category: Forensics
- Difficulty: Easy
- Author: TheVamp
- First Blood: Sudovoodoo

On the campground of the CCCamp, someone is trying to troll us by encrypting our flags. Sadly, we only got the memory dump of the PC which encrypted our flags. Please provide us with the flag which is not yet encrypted.

flagconverter.7z

```
$ wget https://static.allesctf.net/flagconverter-725b6d252230016c8126c5d972760e08b824f8a86071e87aa52e6f069a2e18f3.7z
$ 7z e flagconverter-725b6d252230016c8126c5d972760e08b824f8a86071e87aa52e6f069a2e18f3.7z
$ file flagconverter.dmp
flagconverter.dmp: ELF 64-bit LSB core file x86-64, version 1 (SYSV)
$ strings flagconverter.dmp | grep "ALLES{"
ALLES{f0r3n51k_15_50m3t1m35_t00_345y}
ALLES{f0r3n51k_15_50m3t1m35_t00_345y}
```

Flag: `ALLES{f0r3n51k_15_50m3t1m35_t00_345y}`

### FlagConverter Part 2

- Category: Forensics
- Difficulty: Easy/Medium
- Author: TheVamp
- First Blood: cockmasters

On the campground of the CCCamp, someone is trying to troll us by encrypting our flags. Sadly, we only got the memory dump of the PC which encrypted our flags. Please decrypt the flag for us which was encrypted a few seconds ago.

```
$ volatility imageinfo -f flagconverter.dmp
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/oklien/Documents/ctf/cccamp-2019/forensics/flagconverter.dmp)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800027ff120L
          Number of Processors : 2
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002801000L
                KPCR for CPU 1 : 0xfffff880009eb000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2019-08-21 05:55:09 UTC+0000
     Image local date and time : 2019-08-21 07:55:09 +0200

$ volatility -f flagconverter.dmp kdbgscan
Volatility Foundation Volatility Framework 2.6
**************************************************
Instantiating KDBG using: Unnamed AS WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x27ff120
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
PsActiveProcessHead           : 0x2838940
PsLoadedModuleList            : 0x2856c90
KernelBase                    : 0xfffff8000261d000
**************************************************
Instantiating KDBG using: Unnamed AS WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x27ff120
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64
PsActiveProcessHead           : 0x2838940
PsLoadedModuleList            : 0x2856c90
KernelBase                    : 0xfffff8000261d000
**************************************************
Instantiating KDBG using: Unnamed AS WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x27ff120
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64_23418
PsActiveProcessHead           : 0x2838940
PsLoadedModuleList            : 0x2856c90
KernelBase                    : 0xfffff8000261d000
**************************************************
Instantiating KDBG using: Unnamed AS WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x27ff120
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP0x64
PsActiveProcessHead           : 0x2838940
PsLoadedModuleList            : 0x2856c90
KernelBase                    : 0xfffff8000261d000
**************************************************
Instantiating KDBG using: Unnamed AS WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x27ff120
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64_23418
PsActiveProcessHead           : 0x2838940
PsLoadedModuleList            : 0x2856c90
KernelBase                    : 0xfffff8000261d000
**************************************************
Instantiating KDBG using: Unnamed AS WinXPSP2x86 (5.1.0 32bit)
Offset (P)                    : 0x27ff120
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP0x64
PsActiveProcessHead           : 0x2838940
PsLoadedModuleList            : 0x2856c90
KernelBase                    : 0xfffff8000261d000

$ volatility -f flagconverter.dmp –profile Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6
No suitable address space mapping found
```

Trying the newest version instead:

```
git clone https://github.com/volatilityfoundation/volatility.git
```

## Misc

### Sanity Check

- Category: Misc
- Difficulty: Sanity Check
- Author: CherryWorm
- First Blood: DDot

Pay our IRC channel a visit :^)

Flag: `ALLES{WIRKLICH_ALLES?JA,WIRKLICH_ALLES!}`
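Back to FlagConverter Part 2: `file` and Volatility's `AS Layer2 : VirtualBoxCoreDumpElf64` line both identify the dump as a VirtualBox ELF64 core, and "No suitable address space mapping found" means no address-space layer accepted the profile and file it was given. As an added example (not code from the writeup or from Volatility), the Python below walks the PT_LOAD program headers of such a core and translates guest physical addresses to file offsets, which is the mapping that layer must establish before any Windows profile can be used. It assumes a simplified model of the VirtualBox layer (p_paddr maps to p_offset; VirtualBox's PT_NOTE is ignored), and the sample core it parses is constructed, not the CTF dump.

```python
import struct
from typing import List, Optional, Tuple

ET_CORE, PT_LOAD, EM_X86_64 = 4, 1, 62
Segment = Tuple[int, int, int]  # (guest physical address, file offset, bytes in file)

def load_segments(core: bytes) -> List[Segment]:
    """List the PT_LOAD segments of a little-endian ELF64 core file.
    Assumption (simplified model of Volatility's VirtualBoxCoreDumpElf64 layer):
    each PT_LOAD maps guest physical memory starting at p_paddr to the file
    bytes at p_offset; the real layer additionally checks VirtualBox's PT_NOTE."""
    if core[:4] != b"\x7fELF" or core[4] != 2 or core[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = \
        struct.unpack_from("<HHIQQQIHHH", core, 16)
    if e_type != ET_CORE:
        raise ValueError("not an ELF core file (e_type != ET_CORE)")
    segments = []
    for i in range(e_phnum):
        p_type, _, p_offset, _, p_paddr, p_filesz, _, _ = \
            struct.unpack_from("<IIQQQQQQ", core, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_filesz:
            segments.append((p_paddr, p_offset, p_filesz))
    return sorted(segments)

def phys_to_file_offset(segments: List[Segment], paddr: int) -> Optional[int]:
    """Translate a guest physical address into a file offset; None means no
    segment backs that address (a hole such as MMIO space or unsaved RAM)."""
    for base, offset, size in segments:
        if base <= paddr < base + size:
            return offset + (paddr - base)
    return None

def read_physical(core: bytes, segments: List[Segment], paddr: int, length: int) -> Optional[bytes]:
    """Read `length` bytes of guest physical memory through the segment map."""
    offset = phys_to_file_offset(segments, paddr)
    return None if offset is None else core[offset:offset + length]

def build_sample_core(flag: bytes = b"ALLES{constructed_sample_flag}") -> bytes:
    """Constructed sample (not the CTF dump): an ELF64 core with two 4 KiB
    PT_LOAD segments at guest physical 0x0 and 0x100000, the flag at 0x100010."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, little-endian
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_CORE, EM_X86_64, 1,
                       0, 64, 0, 0, 64, 56, 2, 0, 0, 0)      # phdrs at 64, 2 entries of 56
    phdrs = b"".join(struct.pack("<IIQQQQQQ", PT_LOAD, 6, off, 0, paddr, 0x1000, 0x1000, 0x1000)
                     for paddr, off in ((0x0, 0x200), (0x100000, 0x1200)))
    high = bytearray(0x1000)
    high[0x10:0x10 + len(flag)] = flag
    return (ehdr + phdrs).ljust(0x200, b"\x00") + bytes(0x1000) + bytes(high)
```

Run `load_segments` on a real VirtualBox core to see which guest physical ranges the file actually carries; an address that returns None from `phys_to_file_offset` is one no profile can read either.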