A rookie in a world of pwns

SECCON 2016 Online CTF Writeup: Memory Analysis

100 points

Find the website that the fake svchost is accessing.

You can get the flag if you access the website!!


The challenge files are huge, please download it first.

Hint1: http://www.volatilityfoundation.org/

Hint2: Check the hosts file

password: fjliejflsjiejlsiejee33cnc

The hints reveal a lot of what should be done for this challenge. The attached file is a Windows memory dump that we open in HxD.

Windows hosts file (C:\Windows\System32\drivers\etc\hosts) usually contains a header (# This is a sample HOSTS file) so let’s search for it.

Bingo! We find it and the contents indicate that they set up a host entry for a specific IP address:

1    crattack.tistory.com

However opening this IP in the browser shows what seems like an unconfigured web server:


Let’s search the memory dump again for the URLs that point to that IP or to crattack.tistory.com to see if we get lucky. A bunch of them are found, and we try them one by one, replacing the site name with the IP address.

Lo and behold, we find the flag in