forensicsmedium

Legendary OS

hackerlab

Task: find a hidden flag inside a 1GB VMware memory dump (dump.vmem) of Windows 7 SP1. Solution: standard ASCII strings search fails because the flag is stored in UTF-16LE encoding (Windows internal format); search for the UTF-16LE byte pattern of the flag prefix to locate it in notepad.exe process memory.

$ ls tags/ techniques/

memory_forensics vmware notepad vmem volatility string_encoding utf16le windows7

memory_dump_analysisutf16le_string_searchvolatility_process_listingmmap_pattern_search

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub to get started.

$ssh [email protected]