# Secret 2

### Challenge Author

[v1Ru5](https://twitter.com/SrideviKrishn16)

**Challenge points (Nationals)**: 469 **No. of solves**: 28

**Challenge points (Professionals)**: 484 **No. of solves**: 5

## Challenge Description

![](https://i.imgur.com/FXbYGXd.png)

You can download the challenge from [**Mega**](https://mega.nz/file/gjIlQAzQ#Od9vio3ZZbbLNpYneW0tGvXaPmjtVYt48n93s0FB9QA)

## Writeup

We already know that the profile is **Win7SP1x64** (the `imageinfo` plugin would confirm it if you are starting from scratch). Now, let's go step by step.

```
$ volatility -f memory.raw --profile=Win7SP1x64 pslist
```

![](https://i.imgur.com/VXQPab3.png)

The **pslist** plugin shows nothing suspicious apart from a **cmd.exe** process. So, let's look at the console command history with the **cmdscan** plugin.

```
$ volatility -f memory.raw --profile=Win7SP1x64 cmdscan
```

![](https://i.imgur.com/mm3fQHe.png)

The string **j4cK4NdJ1Ll** typed at the prompt looks like it could be useful somewhere, so note it down. Next, let's look at the files present in Documents. The **filescan** plugin lists cached file objects, and grepping for the folder name narrows it down.

```
$ volatility -f memory.raw --profile=Win7SP1x64 filescan | grep "Documents"
```

![](https://i.imgur.com/xOM7HE3.png)

We have **information.txt** here. Dumping it with **dumpfiles**, using the physical offset shown by filescan, gives us a Mega link.

```
$ volatility -f memory.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000011fa43c10 -D .
```

![](https://i.imgur.com/cZNHeBB.png)

The link leads us to **secret.zip**, whose bytes are stored in reverse order. Write a script that reverses the bytes (read and write in binary mode, otherwise the bytes get mangled), then open the resulting zip with **j4cK4NdJ1Ll** (recovered from cmdscan above) as the password to get the flag.

```
# Reverse the byte order of secret.zip. Both files are opened in
# binary mode: text mode would corrupt the bytes and fails to decode on Python 3.
with open("secret.zip", "rb") as myfile:
    data = myfile.read()

with open("new.zip", "wb") as f1:
    f1.write(data[::-1])
```

## Flag

**inctf{W3Ll_y0U_g0T_wH4T_yOu_N33d3D}**
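The last two steps of the writeup (un-reverse the zip, then open it with the password from cmdscan) as one runnable added example. This is not the challenge author's script. Because secret.zip is not bundled here, the block constructs its own small ZipCrypto-encrypted zip in memory (Python's zipfile can read that "traditional" zip encryption but cannot write it, so the container is built by hand), byte-reverses it, and then recovers it exactly as you would the real file. The entry name `flag.txt`, its contents, the script name `unreverse_zip.py` and the hand-built stored-only zip layout are assumptions. Everything is handled in binary mode, and the zip magic at the tail decides whether the blob needs reversing at all.

```python
"""Un-reverse a byte-reversed zip and extract it with a known password.

Added example for this writeup, not the challenge author's code. The encrypted
sample zip below is constructed in memory; secret.zip itself is not included.
"""
import io
import struct
import sys
import zipfile
import zlib

PASSWORD = b"j4cK4NdJ1Ll"  # the string recovered with cmdscan in the writeup
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50


def _crc32_step(crc, b):
    """One raw (non-inverted) table step of CRC-32, as ZipCrypto uses it, via zlib."""
    return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


def zipcrypto_encrypt(plain, password, check_byte):
    """Traditional PKWARE encryption: 12-byte header then plaintext, byte by byte."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(c):
        nonlocal k0, k1, k2
        k0 = _crc32_step(k0, c)
        k1 = (k1 + (k0 & 0xFF)) & 0xFFFFFFFF
        k1 = (k1 * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc32_step(k2, k1 >> 24)

    for c in password:
        update(c)
    header = bytes(11) + bytes([check_byte])  # real tools use 11 random bytes here
    out = bytearray()
    for p in header + plain:
        t = (k2 | 2) & 0xFFFF
        out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))  # keystream byte from key2
        update(p)  # keys advance on the plaintext byte
    return bytes(out)


def make_encrypted_zip(name, content, password):
    """Hand-build a one-entry, stored, ZipCrypto-encrypted zip (constructed sample)."""
    crc = zlib.crc32(content) & 0xFFFFFFFF
    data = zipcrypto_encrypt(content, password, (crc >> 24) & 0xFF)
    flags, method, mtime, mdate = 0x0001, 0, 0, 21025  # bit 0 = encrypted; 2021-01-01
    fname = name.encode()
    local = struct.pack("<IHHHHHIIIHH", LOCAL_SIG, 20, flags, method, mtime, mdate,
                        crc, len(data), len(content), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20, flags, method,
                          mtime, mdate, crc, len(data), len(content), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    cd_offset = len(local) + len(data)
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + data + central + eocd


def normalize_zip(blob):
    """Return the zip bytes in forward order; reverse them if the magic sits at the tail."""
    if blob.startswith(b"PK\x03\x04"):
        return blob
    if blob.endswith(b"\x04\x03KP"):  # local file header signature, reversed
        return blob[::-1]
    raise ValueError("not a zip in either byte order")


def extract_all(blob, password):
    """Extract every entry from (possibly reversed) zip bytes with the password."""
    with zipfile.ZipFile(io.BytesIO(normalize_zip(blob))) as zf:
        return {i.filename: zf.read(i, pwd=password) for i in zf.infolist()}


def password_works(blob, password):
    """True if the password passes the ZipCrypto check byte and the CRC of every entry."""
    try:
        extract_all(blob, password)
        return True
    except (RuntimeError, zipfile.BadZipFile):
        return False


def demo():
    """Constructed stand-in for secret.zip: encrypted, then byte-reversed, then recovered."""
    secret = make_encrypted_zip("flag.txt", b"constructed sample flag\n", PASSWORD)[::-1]
    return extract_all(secret, PASSWORD)


if __name__ == "__main__":
    # Usage on the real file: python3 unreverse_zip.py secret.zip j4cK4NdJ1Ll
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:  # binary mode, never "r"
            found = extract_all(fh.read(), sys.argv[2].encode())
    else:
        found = demo()
    for fn, body in found.items():
        print(fn, body.decode(errors="replace"))
```

`password_works` is handy for trying the other strings cmdscan turns up: ZipCrypto's one-byte check rejects most wrong passwords immediately and the CRC catches the rest, so a `False` is reliable without any decompression guesswork.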