Category: Misc
Difficulty: Medium
Author: TheVamp
R3m3mb3r th3 g00d 0ld 1337 d4y5, wh3r3 3ncrypt10n t00l5 4r3 u53d, wh1ch 4r3 d34d t0d4y 4nd r3c0mm3nd b1tl0ck3r. H4v3 fun t0 f1nd th15 5m4ll g3m 1n th3 m3m0ry dump.
The author provided a memory dump of a Windows XP machine.
We have to analyze it to get the flag, but this time we need to look deeper.
We can use volatility to get a list of running processes:
Volatility Foundation Volatility Framework 2.6 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------ 0x81bcca00 System 4 0 53 262 ------ 0 0x81a04da0 smss.exe 340 4 3 21 ------ 0 2020-03-22 18:27:38 UTC+0000 0x81a46928 csrss.exe 496 340 9 387 0 0 2020-03-22 18:27:39 UTC+0000 0x81a41950 winlogon.exe 524 340 19 428 0 0 2020-03-22 18:27:39 UTC+0000 0x8197eda0 services.exe 632 524 16 262 0 0 2020-03-22 18:27:39 UTC+0000 0x81a2d810 lsass.exe 644 524 23 356 0 0 2020-03-22 18:27:39 UTC+0000 0x81a0cda0 VBoxService.exe 792 632 9 118 0 0 2020-03-22 18:27:39 UTC+0000 0x81a16500 svchost.exe 840 632 20 204 0 0 2020-03-22 18:27:39 UTC+0000 0x81abf9a8 svchost.exe 928 632 9 259 0 0 2020-03-22 18:27:39 UTC+0000 0x81abd0f0 svchost.exe 1024 632 67 1298 0 0 2020-03-22 18:27:39 UTC+0000 0x8194dc70 svchost.exe 1076 632 6 74 0 0 2020-03-22 18:27:39 UTC+0000 0x817da020 svchost.exe 1120 632 18 219 0 0 2020-03-22 18:27:39 UTC+0000 0x817b33c0 explorer.exe 1524 1484 14 353 0 0 2020-03-22 18:27:40 UTC+0000 0x817b2318 spoolsv.exe 1536 632 14 113 0 0 2020-03-22 18:27:40 UTC+0000 0x81794608 VBoxTray.exe 1644 1524 12 122 0 0 2020-03-22 18:27:40 UTC+0000 0x817cd690 ctfmon.exe 1652 1524 1 66 0 0 2020-03-22 18:27:40 UTC+0000 0x81791020 msmsgs.exe 1660 1524 4 169 0 0 2020-03-22 18:27:40 UTC+0000 0x8173ec08 CSCG_Delphi.exe 1920 1524 1 29 0 0 2020-03-22 18:27:45 UTC+0000 0x8176c378 mspaint.exe 264 1524 4 102 0 0 2020-03-22 18:27:48 UTC+0000 0x8172abc0 svchost.exe 548 632 8 129 0 0 2020-03-22 18:27:51 UTC+0000 0x81759820 alg.exe 1176 632 6 100 0 0 2020-03-22 18:27:51 UTC+0000 0x816e41f0 svchost.exe 1688 632 9 93 0 0 2020-03-22 18:28:00 UTC+0000 0x816d8438 TrueCrypt.exe 200 1524 1 44 0 0 2020-03-22 18:28:02 UTC+0000 0x81768310 wuauclt.exe 1300 1024 7 174 0 0 2020-03-22 18:28:35 UTC+0000 0x817a9b28 wscntfy.exe 1776 1024 1 36 0 0 2020-03-22 18:28:51 UTC+0000 0x816d8cd8 wpabaln.exe 988 524 1 66 0 0 2020-03-22 18:29:38 UTC+0000
There are many interesting processes, but for this flag we need to examine CSCG_Delphi.exe. We can extract the executable using vol procdump -p 1920. Immediately Windows-Defender deletes it. We can load the executable into Ghidra to analyze it. As the name implies, the executable is a Delphi executable. There is a project called IDR Github that can extract symbols for us. We can use another tool dhrakeGithub to load them into ida. There is a function that checks if the input is the flag. It checks if the first characters are CSCG{ and if the last character is } after that, it splits the content inside the curly brackets at _ reverses them using AnsiReverseString and calculates the MD5 hash using TIdHash128.HashValue. The hashes are then checked against pre computed hashes, if they match we have the flag. We can throw the hashes into some online crackers.
1efc99b6046a0f2c7e8c7ef9dc416323:dl0
25db3350b38953836c36dfb359db4e27:kc4rc
40a00ca65772d7d102bb03c3a83b1f91:!3m
c129bd7796f23b97df994576448caa23:l00hcs
017efbc5b1d3fb2d4be8a431fa6d6258:1hp13d
And reversed we get the following parts:
0ld
cr4ck
m3!
sch00l
d31ph1
We can now either use the disassembly to get the order or just guess it and join the ordered parts with _ and wrap it with the flag format.
CSCG{0ld_sch00l_d31ph1_cr4ck_m3!}
CSCG{0ld_sch00l_d31ph1_cr4ck_m3!}