# Memory Forensics
## Phishy Email
```
strings dump.raw | grep vulncon
{"__cls":"Thread","aid":"f8180b9a","attachmentCount":0,"fmt":1607760048,"folders":[{"__cls":"Folder","_refs":1,"_u":1,"aid":"f8180b9a","id":"G1gURdGiFVKCejhxxzp8JNAhkWPTTZXf2yHERiE1t","path":"[Gmail]/All Mail","role":"all","v":20}],"gThrId":"1685858601247184387","id":"t:Dxv4bXV6WkgU1NYNa5MqfYi6P7s6rhatP6bq5jcr3","inAllMail":true,"labels":[{"__cls":"Label","_refs":1,"_u":1,"aid":"f8180b9a","id":"jsm3Xms2dSMDn9RFDivqfVjxizx8zcCVCVvDurwSV","path":"INBOX","role":"inbox","v":2}],"lmrt":1607760048,"lmst":0,"lmt":1607760048,"participants":[{"email":"sarojchaudhary581@gmail.com","name":"vulncon vulncon"},{"email":"hello@getmailspring.com","name":"Mailspring Team"}],"searchRowId":9322,"starred":0,"subject":"Explore Mailspring - Read Receipts & Link Tracking","unread":1,"v":3}1685858601247184387Explore Mailspring - Read Receipts & Link Tracking_
```
```
vulncon{sarojchaudhary581@gmail.com}
```
## Attack
```
credentials : user:root, pass:i\/WH"VJvY5_M55qfe9<
vulncon{192.168.30.1_bruteforce}
```
## Compromise
```
vulncon{karma_godisgood}
```
## Suspicious
```
vulncon{https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite}
```
## Secret
```
vulncon{/etc/.secret/file/is/here/thisissupersecretfile}
```
## Vulcoins
```
```
## USB Device (Shuvsec)
```
./volatility_2.6_lin64_standalone --plugins=volatility-plugins -f ~/VulnconCTF/Memory\ Forensics/dump.raw --profile=Win7SP1x64 usbstor
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.chromehistory (ImportError: No module named csv)
*** Failed to import volatility.plugins.firefoxhistory (ImportError: No module named csv)
Reading the USBSTOR Please Wait
Found USB Drive: CCYYMMDDHHmmSSX1TIOR&0
Serial Number: CCYYMMDDHHmmSSX1TIOR&0
Vendor: SMI
Product: USB_DISK
Revision: 1100
ClassGUID: USB_DISK
ContainerID: {68b70eb8-f3fd-5099-907d-4e542601b2c7}
Mounted Volume: \??\Volume{f7d58027-3b76-11eb-a2d8-d0abd5a4ad75}
Drive Letter: \DosDevices\E:
Friendly Name: SMI USB DISK USB Device
USB Name: Unknown
Device Last Connected: 2020-12-11 06:19:46 UTC+0000
Class: DiskDrive
Service: disk
DeviceDesc: @disk.inf,%disk_devdesc%;Disk drive
Capabilities: 16
Mfg: @disk.inf,%genmanufacturer%;(Standard disk drives)
ConfigFlags: 0
Driver: {4d36e967-e325-11ce-bfc1-08002be10318}\0001
Compatible IDs:
USBSTOR\Disk
USBSTOR\RAW
HardwareID:
USBSTOR\DiskSMI_____USB_DISK________1100
USBSTOR\DiskSMI_____USB_DISK________
USBSTOR\DiskSMI_____
USBSTOR\SMI_____USB_DISK________1
SMI_____USB_DISK________1
USBSTOR\GenDisk
GenDisk
Windows Portable Devices
--
FriendlyName: E:\
Serial Number: CCYYMMDDHHMMSSX1TIOR&0
Last Write Time: 2020-12-11 06:19:59 UTC+0000
```
## Game Over (CuBocan)
```
vol3 -f dump.raw windows.info
Volatility 3 Framework 2.0.0-beta.1
Progress: 100.00 PDB scanning finished
Variable Value
Kernel Base 0xf80002a01000
DTB 0x187000
Symbols file:///usr/local/lib/python3.6/dist-packages/volatility/symbols/windows/ntkrnlmp.pdb/3844DBB920174967BE7AA4A2C20430FA-2.json.xz
primary 0 WindowsIntel32e
memory_layer 1 FileLayer
KdDebuggerDataBlock 0xf80002bf20a0
NTBuildLab 7601.17514.amd64fre.win7sp1_rtm.
CSDVersion 1
KdVersionBlock 0xf80002bf2068
Major/Minor 15.7601
MachineType 34404
KeNumberProcessors 1
SystemTime 2020-12-12 14:05:05
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 6
NtMinorVersion 1
PE MajorOperatingSystemVersion 6
PE MinorOperatingSystemVersion 1
PE Machine 34404
PE TimeDateStamp Sat Nov 20 09:30:02 2010
```
```
vol3 -f dump.raw windows.filescan | grep -i chrome | grep -i history
0x4ca3bc80 \Users\Devil\AppData\Local\Google\Chrome\User Data\Default\History 216
0x4ca3ef20 \Users\Devil\AppData\Local\Google\Chrome\User Data\Default\Media History 216
0x4e897650 \Users\Devil\AppData\Local\Google\Chrome\User Data\Default\History-journal 216
```
Couldn't find the vol3 dumpfiles plugin, so use vol2:
```
vol.py -f dump.raw --profile Win7SP1x64 dumpfiles -Q 0x000000004ca3bc80 --name chrome_hist --dump-dir .
```
We get two files, but only one has content, and it is actually a SQLite database:
```
file file.None.0xfffffa801183b910.History.dat
```
So, in sqlite3:
```
sqlite> attach "file.None.0xfffffa801183b910.History.dat" as db1;
sqlite> .tables
db1.downloads db1.segments
db1.downloads_slices db1.typed_url_sync_metadata
db1.downloads_url_chains db1.urls
db1.keyword_search_terms db1.visit_source
db1.meta db1.visits
db1.segment_usage
```
```
sqlite> SELECT * FROM db1.urls;
1|http://google.com/|Google|2|2|13252254366035590|0
2|http://www.google.com/|Google|2|0|13252254366035590|0
3|https://www.google.com/|Google|2|0|13252254366035590|0
4|https://www.google.com/search?source=hp&ei=lMjUX9SCHLef4-EPwJO1kAc&q=online+betting+game&oq=online+betting+game&gs_lcp=CgZwc3ktYWIQAzIECAAQEzIECAAQEzIECAAQEzIECAAQEzIECAAQEzIECAAQEzIECAAQEzIECAAQEzIECAAQEzIECAAQEzoGCAAQChATUKw7WONhYNhoaABwAHgAgAGNAogBuxySAQYwLjE0LjWYAQCgAQGqAQdnd3Mtd2l6&sclient=psy-ab&ved=0ahUKEwjUnO2MycjtAhW3zzgGHcBJDXIQ4dUDCAc&uact=5|online betting game - Google खोजी|3|0|13252254135187823|0
6|https://www.gamblingsites.org/|Online Gambling Sites - Best Real Money Gambling Sites 2020|1|0|13252254187638967|0
7|https://www.google.com/search?source=hp&ei=nsnUX9H_AZCY4-EPudGA4Aw&q=facebook&oq=faceb&gs_lcp=CgZwc3ktYWIQARgAMgQIABATMgQIABATMgQIABATMgQIABATMgQIABATMgQIABATMgQIABATMgQIABATMgQIABATMgQIABATOgUIABDEAjoFCAAQsQM6CAgAELEDEIMBOgIIAFC8DljyGGCzJ2gBcAB4AIAB6gGIAYAHkgEFMC40LjGYAQCgAQGqAQdnd3Mtd2l6sAEA&sclient=psy-ab|facebook - Google खोजी|2|0|13252254373497778|0
8|https://www.facebook.com/|Facebook - Log In or Sign Up|2|0|13252254376862696|0
```
Our line of interest:
`6|https://www.gamblingsites.org/|Online Gambling Sites - Best Real Money Gambling Sites 2020|1|0|13252254187638967|0`
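To see where the date in the flag comes from, here is an added example (not from the original write-up) that loads a subset of the rows above into a table with the layout of Chrome's `urls` table and converts `last_visit_time`, which Chrome stores as WebKit time (microseconds since 1601-01-01 UTC), to a readable UTC date both in Python and inside SQLite itself.

```python
# Added example (not from the write-up): decode Chrome History timestamps.
# Chrome stores urls.last_visit_time as WebKit time, i.e. microseconds
# since 1601-01-01 00:00 UTC. Rows are copied from the db1.urls output
# above (the long Google search rows are left out).
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_OFFSET = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01

# Chrome `urls` column order: id, url, title, visit_count, typed_count,
# last_visit_time, hidden
URL_ROWS = [
    (1, "http://google.com/", "Google", 2, 2, 13252254366035590, 0),
    (6, "https://www.gamblingsites.org/",
     "Online Gambling Sites - Best Real Money Gambling Sites 2020",
     1, 0, 13252254187638967, 0),
    (8, "https://www.facebook.com/", "Facebook - Log In or Sign Up",
     2, 0, 13252254376862696, 0),
]

def webkit_to_utc(webkit_us: int) -> datetime:
    """WebKit microseconds -> timezone-aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)

def load_history(rows=URL_ROWS) -> sqlite3.Connection:
    """In-memory table with the column layout of Chrome's `urls` table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT,"
                " title TEXT, visit_count INTEGER, typed_count INTEGER,"
                " last_visit_time INTEGER, hidden INTEGER)")
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", rows)
    return con

def visits_in_order(con) -> list:
    """(host, 'YYYY-MM-DD HH:MM:SS') per row, oldest first; the WebKit
    value is converted inside SQLite, handy when working on the raw db."""
    sql = ("SELECT url, datetime(last_visit_time / 1000000 - ?, 'unixepoch')"
           " FROM urls ORDER BY last_visit_time")
    return [(urlparse(u).hostname, ts)
            for u, ts in con.execute(sql, (UNIX_EPOCH_OFFSET,))]

def host_date(url: str, webkit_us: int) -> str:
    """Host without 'www.' plus visit date as DD-MM-YYYY, the shape the flag uses."""
    host = urlparse(url).hostname
    host = host[4:] if host.startswith("www.") else host
    return f"{host}-{webkit_to_utc(webkit_us):%d-%m-%Y}"
```

The same `datetime(last_visit_time / 1000000 - 11644473600, 'unixepoch')` expression can be pasted straight into the sqlite3 prompt against the dumped History file.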

**Flag: vulncon{gamblingsites.org-12-12-2020}**