[SECCON CTF 2016] FORENSIC 100p MEMORY ANALYSIS

In this challenge we are given a raw memory image and a set of hints, so let's start by checking it in Volatility.

[Screenshot]

It's Windows XP, and the description says we have to find the website accessed through svchost, so let's try to check that.

[Screenshot]

I really didn't know what to do until hint 2 was released. We all know the hosts file lives in C:\Windows\System32\drivers\etc, and searching for it I got:

[Screenshot]

Let's extract it and see what it contains:

[Screenshot]

[Screenshot]

So the website we need to find is crattack.tistory.com, but submitting that failed; I had to dig deeper.

Seriously, I didn't know what to do next, and luckily I remembered the strings command:

[Screenshot]


I focused on http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd because it appears many times and is preceded by the word "Visited" (the marker of an IE browsing-history record), so I'm fairly sure it's the website we need to find. The hosts file maps that hostname to 175.126.170.110. Remember the hosts file? Let's add the same entry on our own machine so the URL resolves to that IP, and open it.
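The two manual steps above, reading the dumped hosts file and grepping the strings output for "Visited" URLs, can be scripted so the cross-reference is explicit: any visited URL whose hostname the hosts file redirects away from its real DNS address is a candidate. The script below is an added example written for this writeup, not part of the original post or of Volatility. The hosts file and memory slice it works on are constructed inline to mirror what the writeup found; in practice you would read the hosts file dumped by Volatility and the raw image from disk.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: contents of a hosts file as dumped from the image.
# The crattack.tistory.com -> 175.126.170.110 line is the mapping the writeup
# found; the comment and localhost lines are standard Windows XP boilerplate.
SAMPLE_HOSTS = b"""# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
175.126.170.110 crattack.tistory.com
"""

# Constructed sample: a slice of raw memory holding IE history records.
# index.dat stores visits as "Visited: <user>@<url>", which is why "Visited"
# appeared right before the interesting URL in the strings output.
SAMPLE_MEMORY = (
    b"\x00\x00junk\x00"
    b"Visited: user@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd\x00"
    b"\x00\x00Visited: user@http://www.microsoft.com/isapi/redir.dll\x00"
    b"Visited: user@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd\x00"
    b"\x00unrelated http://example.org/not-a-visit\x00"
)


def parse_hosts(data: bytes) -> Dict[str, str]:
    """Map hostname -> IP from a hosts file, skipping comments and blank lines."""
    mapping: Dict[str, str] = {}
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        for name in names:          # one IP may carry several aliases
            mapping[name.lower()] = ip
    return mapping


# "Visited: <anything but @ or NUL>@<printable URL>", as stored in index.dat.
VISITED_RE = re.compile(rb"Visited: [^@\x00]*@(https?://[\x21-\x7e]+)")


def visited_urls(data: bytes) -> Dict[str, int]:
    """Count URLs that appear in IE 'Visited:' history records in raw memory."""
    counts: Dict[str, int] = {}
    for m in VISITED_RE.finditer(data):
        url = m.group(1).decode("ascii")
        counts[url] = counts.get(url, 0) + 1
    return counts


def hostname(url: str) -> str:
    """Extract the lowercase host part of an http(s) URL."""
    return re.sub(r"^https?://", "", url).split("/", 1)[0].split(":")[0].lower()


def redirected_visits(hosts: Dict[str, str], visits: Dict[str, int]) -> List[Tuple[str, str, int]]:
    """Visited URLs whose hostname the hosts file overrides.

    The hosts file wins over DNS, so for these URLs the browser talked to the
    listed IP, not to the server the name really belongs to. Returned as
    (url, ip, visit_count), most-visited first.
    """
    out = []
    for url, n in visits.items():
        ip = hosts.get(hostname(url))
        if ip and ip != "127.0.0.1":
            out.append((url, ip, n))
    return sorted(out, key=lambda t: -t[2])


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for url, ip, n in redirected_visits(hosts, visited_urls(SAMPLE_MEMORY)):
        print(f"{n}x {url} -> served by {ip} (hosts file override)")
```

On the real image you would replace SAMPLE_HOSTS with the file written by Volatility's dumpfiles and SAMPLE_MEMORY with the raw image read in chunks; the regex does the same job as piping strings into grep, but keeps the visit counts and ties each URL to the hosts-file entry that redirected it.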

[Screenshot]

The flag is: SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}