Mem

spbctf

Linux memory dump forensics. Attacker obfuscated THEFLAG.txt through 5-step encoding chain (od -t x4, base64, xxd -E -b, tr, GPG), then shredded originals. Solution: extract bash history from RAM to reveal commands and GPG passphrase, reverse each transformation step, handle little-endian byte order from od -t x4.

linux base64 little_endian bash_history memory_forensics xxd gpg od tr tsort

string_extractionmemory_dump_analysisbash_history_recoverygpg_symmetric_decryptionmulti_step_encoding_reversallittle_endian_byte_reversalcommand_line_forensics

$ ls tags/ techniques/

linux base64 little_endian bash_history memory_forensics xxd gpg od tr tsort

string_extractionmemory_dump_analysisbash_history_recoverygpg_symmetric_decryptionmulti_step_encoding_reversallittle_endian_byte_reversalcommand_line_forensics

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[stego][Pro]Just a Text— spbctf
[forensics][Pro]Чувак, где мой флаг? (Dude, Where's My Flag?)— hackerlab
[forensics][Pro]Reincarnation— duckerz
[reverse][Pro]Весёлый EXE (Funny EXE)— hackerlab
[forensics][Pro]Украденный флаг (Stolen flag)— bug-makers