Shearwater AusCert 2016 CTF

GAME OF MEMORY (500 pts)

The 1337 and 100 work for the same company, they sit across from each other on the same network. 100 is working on building a challenge for the Shearwater’s AusCert CTF. 1337 wasn’t allowed to be part of the build team. Being spiteful, they decide to sabotage the build team. 100 needs the proof that 1337 sabotaged the team, can you help find the proof?

Question 1: 100 pts

What is the malicious process PID, at what time did the malicious process PID start and what is the parent process PID?

The flag must be submitted in the following format: [pid][time][ppid]

shadow# volatility -f memory_1.dmp --profile=Win7SP1x64 pstree
Volatility Foundation Volatility Framework 2.5
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa8005817060:wininit.exe                       424    344      3     80 2016-05-11 03:25:16 UTC+0000
. 0xfffffa8005956a90:services.exe                     524    424      8    217 2016-05-11 03:25:18 UTC+0000
.. 0xfffffa8005ed59b0:dllhost.exe                    1920    524     18    213 2016-05-11 03:25:41 UTC+0000
.. 0xfffffa8005bb1b30:spoolsv.exe                    1040    524     14    337 2016-05-11 03:25:32 UTC+0000
.. 0xfffffa8005c82b30:vmtoolsd.exe                   1240    524     11    291 2016-05-11 03:25:34 UTC+0000
... 0xfffffa8003ec1b30:cmd.exe                       3744   1240      0 ------ 2016-05-11 03:29:15 UTC+0000
.... 0xfffffa8004120500:ipconfig.exe                 3764   3744      0 ------ 2016-05-11 03:29:15 UTC+0000
.. 0xfffffa8005f4b200:msdtc.exe                      1164    524     15    154 2016-05-11 03:25:42 UTC+0000
.. 0xfffffa8006968060:SearchIndexer.                 2308    524     14    645 2016-05-11 03:26:57 UTC+0000
... 0xfffffa80063314d0:SearchFilterHo                2536   2308      4     83 2016-05-11 03:26:58 UTC+0000
... 0xfffffa8006855b30:SearchProtocol                2508   2308      7    259 2016-05-11 03:26:58 UTC+0000
.. 0xfffffa8005fd9b30:svchost.exe                    2848    524     10    355 2016-05-11 03:27:00 UTC+0000
.. 0xfffffa8005a9db30:svchost.exe                     816    524     24    561 2016-05-11 03:25:25 UTC+0000
.. 0xfffffa8005070b30:svchost.exe                    2584    524     24    330 2016-05-11 03:26:59 UTC+0000
.. 0xfffffa8005c37630:svchost.exe                    1072    524     21    330 2016-05-11 03:25:32 UTC+0000
.. 0xfffffa800423bb30:TrustedInstall                 3652    524      7    135 2016-05-11 03:28:48 UTC+0000
.. 0xfffffa8005a664a0:svchost.exe                     716    524      8    302 2016-05-11 03:25:25 UTC+0000
.. 0xfffffa8005ac2060:svchost.exe                     848    524     28    539 2016-05-11 03:25:26 UTC+0000
... 0xfffffa80068fb060:dwm.exe                       2032    848      4     71 2016-05-11 03:26:50 UTC+0000
.. 0xfffffa8004059b30:sppsvc.exe                      212    524      6    172 2016-05-11 03:27:40 UTC+0000
.. 0xfffffa8005ba75c0:svchost.exe                     600    524     26    585 2016-05-11 03:25:31 UTC+0000
.. 0xfffffa8005d855a0:TPAutoConnSvc.                 1632    524     11    145 2016-05-11 03:25:39 UTC+0000
... 0xfffffa8006848060:TPAutoConnect.                2200   1632      6    127 2016-05-11 03:26:51 UTC+0000
.. 0xfffffa800686a060:taskhost.exe                   1936    524      9    154 2016-05-11 03:26:50 UTC+0000
.. 0xfffffa8004008060:svchost.exe                     928    524     18    379 2016-05-11 03:27:40 UTC+0000
.. 0xfffffa80067f4060:wmpnetwk.exe                   2404    524     16    417 2016-05-11 03:26:57 UTC+0000
.. 0xfffffa8005ad26c0:svchost.exe                     872    524     39   1807 2016-05-11 03:25:26 UTC+0000
.. 0xfffffa8005b6da30:svchost.exe                    1016    524     22    764 2016-05-11 03:25:30 UTC+0000
.. 0xfffffa8005a3e630:svchost.exe                     636    524     12    371 2016-05-11 03:25:25 UTC+0000
... 0xfffffa8005e97630:WmiPrvSE.exe                  1792    636      7    188 2016-05-11 03:25:41 UTC+0000
... 0xfffffa8003f26b30:WmiPrvSE.exe                  3064    636      8    125 2016-05-11 03:27:01 UTC+0000
. 0xfffffa800595d9d0:lsass.exe                        532    424      8    743 2016-05-11 03:25:18 UTC+0000
. 0xfffffa800596c360:lsm.exe                          540    424     11    211 2016-05-11 03:25:18 UTC+0000
 0xfffffa8004e68060:csrss.exe                         376    344      9    550 2016-05-11 03:25:14 UTC+0000
. 0xfffffa8003ece710:conhost.exe                     3752    376      0 ------ 2016-05-11 03:29:15 UTC+0000
. 0xfffffa800408d780:conhost.exe                     3276    376      2     35 2016-05-11 03:27:48 UTC+0000
 0xfffffa8003c6d9e0:System                              4      0     95    456 2016-05-11 03:25:04 UTC+0000
. 0xfffffa8004d2d7e0:smss.exe                         280      4      2     30 2016-05-11 03:25:05 UTC+0000
 0xfffffa8005813060:csrss.exe                         416    408     10    260 2016-05-11 03:25:16 UTC+0000
. 0xfffffa800680d060:conhost.exe                     2208    416      1     34 2016-05-11 03:26:51 UTC+0000
. 0xfffffa8003d6a060:conhost.exe                      796    416      3     52 2016-05-11 03:27:04 UTC+0000
 0xfffffa8005891630:winlogon.exe                      460    408      4    109 2016-05-11 03:25:17 UTC+0000
 0xfffffa80068bc060:explorer.exe                     1056    744     22    695 2016-05-11 03:26:50 UTC+0000
. 0xfffffa8003e42b30:cmd.exe                          312   1056      1     22 2016-05-11 03:27:04 UTC+0000
. 0xfffffa8003e746d0:firefox.exe                     2652   1056     52    569 2016-05-11 03:27:12 UTC+0000
. 0xfffffa8006931060:vmtoolsd.exe                    2152   1056      8    190 2016-05-11 03:26:50 UTC+0000
 0xfffffa80040c9b30:rundll32.exe                     3248   3216      3     61 2016-05-11 03:27:48 UTC+0000
. 0xfffffa8004e77b30:cmd.exe                         3268   3248      1     33 2016-05-11 03:27:48 UTC+0000

I ran the pstree plugin to list the processes from the memory dump in a tree format.

cmd.exe being executed from rundll32.exe was suspicious, so I submitted my finding in the flag format and it was correct.

Flag: [3268][2016-05-11 03:27:48][3248]
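
The parent/child check behind this answer, as an added example that is not part of the original write-up: it parses pstree rows and reports command shells whose parent is a binary that does not normally spawn one. The SHELLS and UNUSUAL_PARENTS sets and the function names are illustrative assumptions; the sample rows are copied from the output above.

```python
import re

# Rows copied from the pstree output above (Volatility 2.5 column layout).
PSTREE = """\
. 0xfffffa8005956a90:services.exe                     524    424      8    217 2016-05-11 03:25:18 UTC+0000
.. 0xfffffa8005c82b30:vmtoolsd.exe                   1240    524     11    291 2016-05-11 03:25:34 UTC+0000
... 0xfffffa8003ec1b30:cmd.exe                       3744   1240      0 ------ 2016-05-11 03:29:15 UTC+0000
 0xfffffa80068bc060:explorer.exe                     1056    744     22    695 2016-05-11 03:26:50 UTC+0000
. 0xfffffa8003e42b30:cmd.exe                          312   1056      1     22 2016-05-11 03:27:04 UTC+0000
 0xfffffa80040c9b30:rundll32.exe                     3248   3216      3     61 2016-05-11 03:27:48 UTC+0000
. 0xfffffa8004e77b30:cmd.exe                         3268   3248      1     33 2016-05-11 03:27:48 UTC+0000
"""

# Depth dots, EPROCESS offset, name, PID, PPID, threads, handles, start time.
ROW = re.compile(
    r"^\.*\s*0x[0-9a-fA-F]+:(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+\d+\s+\S+\s+(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)

# Assumption: illustrative lists, tune them for the environment being examined.
SHELLS = {"cmd.exe", "powershell.exe"}
UNUSUAL_PARENTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}


def parse_pstree(text):
    """Map PID -> {name, ppid, time} for every row that matches the layout."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m["pid"])] = {
                "name": m["name"],
                "ppid": int(m["ppid"]),
                "time": m["time"],
            }
    return procs


def suspicious_shells(procs):
    """Shells started by a parent listed in UNUSUAL_PARENTS."""
    findings = []
    for pid, proc in sorted(procs.items()):
        parent = procs.get(proc["ppid"])
        if parent is None or proc["name"].lower() not in SHELLS:
            continue
        if parent["name"].lower() in UNUSUAL_PARENTS:
            findings.append({
                "pid": pid,
                "time": proc["time"],
                "ppid": proc["ppid"],
                "parent": parent["name"],
                # Supporting context: the parent's own parent is not listed.
                "parent_orphaned": parent["ppid"] not in procs,
            })
    return findings


def as_flag(finding):
    """Render a finding in the [pid][time][ppid] format the question asks for."""
    return "[{pid}][{time}][{ppid}]".format(**finding)


if __name__ == "__main__":
    for f in suspicious_shells(parse_pstree(PSTREE)):
        print(as_flag(f), f["parent"], "orphaned parent:", f["parent_orphaned"])
```

The cmd.exe instances under explorer.exe and vmtoolsd.exe are not reported, which is why the check keys on the parent image name rather than on cmd.exe alone.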

Question 2: 100 pts

What permission level was achieved by the attacker?

The flag must be submitted in the following format: [Authenticated Users]

shadow# volatility -f memory_1.dmp --profile=Win7SP1x64 getsids -p 3248,3268
Volatility Foundation Volatility Framework 2.5
rundll32.exe (3248): S-1-5-18 (Local System)
rundll32.exe (3248): S-1-5-32-544 (Administrators)
rundll32.exe (3248): S-1-1-0 (Everyone)
rundll32.exe (3248): S-1-5-11 (Authenticated Users)
rundll32.exe (3248): S-1-16-16384 (System Mandatory Level)
cmd.exe (3268): S-1-5-18 (Local System)
cmd.exe (3268): S-1-5-32-544 (Administrators)
cmd.exe (3268): S-1-1-0 (Everyone)
cmd.exe (3268): S-1-5-11 (Authenticated Users)
cmd.exe (3268): S-1-16-16384 (System Mandatory Level)

I used the Volatility getsids plugin with the PIDs of the suspicious processes (3248 for rundll32.exe and 3268 for cmd.exe) and got the permission level that was achieved by the attacker.

Flag: [Local System]

Question 3: 100 pts

What is the attacker’s IP and port, the PID of the process attached to the connection and is the connection still open?

The flag must be submitted in the following format: [IP:PORT][PID][N]

shadow# volatility -f memory_1.dmp --profile=Win7SP1x64 netscan             
Volatility Foundation Volatility Framework 2.5
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x13d333ef0        TCPv4    0.0.0.0:47001                  0.0.0.0:0            LISTENING        4        System         
0x13d333ef0        TCPv6    :::47001                       :::0                 LISTENING        4        System         
0x13d4312c0        UDPv4    0.0.0.0:3702                   *:*                                   1016     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13d43b150        UDPv4    0.0.0.0:57821                  *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13d43b150        UDPv6    :::57821                       *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13d51b680        UDPv4    0.0.0.0:57823                  *:*                                   1016     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13d51b680        UDPv6    :::57823                       *:*                                   1016     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13d5622a0        UDPv6    fe80::b55c:3f7a:550e:645d:1900 *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13d593180        UDPv4    0.0.0.0:3702                   *:*                                   1016     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13d593180        UDPv6    :::3702                        *:*                                   1016     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13d6a39e0        UDPv4    0.0.0.0:3702                   *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13da948e0        UDPv4    0.0.0.0:0                      *:*                                   2848     svchost.exe    2016-05-11 03:27:00 UTC+0000
0x13da948e0        UDPv6    :::0                           *:*                                   2848     svchost.exe    2016-05-11 03:27:00 UTC+0000
0x13db64bb0        UDPv4    0.0.0.0:57822                  *:*                                   1016     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13db71ae0        UDPv4    0.0.0.0:3702                   *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13db71ae0        UDPv6    :::3702                        *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13dc52d00        UDPv4    192.168.136.131:1900           *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13dcbf540        UDPv4    192.168.136.131:57826          *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13dd6e400        UDPv4    0.0.0.0:3702                   *:*                                   1016     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13dd6e400        UDPv6    :::3702                        *:*                                   1016     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13ddc42a0        UDPv6    fe80::b55c:3f7a:550e:645d:57824 *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13ddf74a0        UDPv6    ::1:57825                      *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13d7c4150        TCPv4    0.0.0.0:5357                   0.0.0.0:0            LISTENING        4        System         
0x13d7c4150        TCPv6    :::5357                        :::0                 LISTENING        4        System         
0x13d60ccf0        TCPv4    192.168.136.131:0              104.244.42.136:0     LISTENING        -1                      
0x13dcb1cf0        TCPv4    192.168.136.131:0              52.34.121.74:0       LISTENING        -1                      
0x13de09d20        UDPv4    0.0.0.0:3702                   *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13de09d20        UDPv6    :::3702                        *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13dff85a0        UDPv4    0.0.0.0:3702                   *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13e147690        UDPv4    192.168.136.131:137            *:*                                   4        System         2016-05-11 03:25:35 UTC+0000
0x13e149010        UDPv4    0.0.0.0:0                      *:*                                   600      svchost.exe    2016-05-11 03:29:15 UTC+0000
0x13e149010        UDPv6    :::0                           *:*                                   600      svchost.exe    2016-05-11 03:29:15 UTC+0000
0x13e221010        UDPv4    0.0.0.0:5355                   *:*                                   600      svchost.exe    2016-05-11 03:29:15 UTC+0000
0x13e221010        UDPv6    :::5355                        *:*                                   600      svchost.exe    2016-05-11 03:29:15 UTC+0000
0x13e28b9c0        UDPv4    0.0.0.0:3702                   *:*                                   1016     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13e32bd00        UDPv6    ::1:1900                       *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13e3e5010        UDPv4    0.0.0.0:5355                   *:*                                   600      svchost.exe    2016-05-11 03:29:15 UTC+0000
0x13e58fa30        UDPv4    0.0.0.0:0                      *:*                                   2848     svchost.exe    2016-05-11 03:27:00 UTC+0000
0x13e58fa30        UDPv6    :::0                           *:*                                   2848     svchost.exe    2016-05-11 03:27:00 UTC+0000
0x13ded7480        TCPv4    0.0.0.0:3389                   0.0.0.0:0            LISTENING        600      svchost.exe    
0x13dee39e0        TCPv4    0.0.0.0:3389                   0.0.0.0:0            LISTENING        600      svchost.exe    
0x13dee39e0        TCPv6    :::3389                        :::0                 LISTENING        600      svchost.exe    
0x13df873a0        TCPv4    0.0.0.0:554                    0.0.0.0:0            LISTENING        2404     wmpnetwk.exe   
0x13dff3840        TCPv4    0.0.0.0:10243                  0.0.0.0:0            LISTENING        4        System         
0x13dff3840        TCPv6    :::10243                       :::0                 LISTENING        4        System         
0x13e0cf270        TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        532      lsass.exe      
0x13e0cf270        TCPv6    :::49155                       :::0                 LISTENING        532      lsass.exe      
0x13e0d1d90        TCPv4    0.0.0.0:49155                  0.0.0.0:0            LISTENING        532      lsass.exe      
0x13e1d4850        TCPv4    0.0.0.0:49156                  0.0.0.0:0            LISTENING        524      services.exe   
0x13e1d4850        TCPv6    :::49156                       :::0                 LISTENING        524      services.exe   
0x13e1d4ef0        TCPv4    0.0.0.0:49156                  0.0.0.0:0            LISTENING        524      services.exe   
0x13e1e6a90        TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System         
0x13e1e6a90        TCPv6    :::445                         :::0                 LISTENING        4        System         
0x13e224010        TCPv4    192.168.136.131:139            0.0.0.0:0            LISTENING        4        System         
0x13e274280        TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        716      svchost.exe    
0x13e274280        TCPv6    :::135                         :::0                 LISTENING        716      svchost.exe    
0x13e274e70        TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        716      svchost.exe    
0x13e27f4a0        TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        424      wininit.exe    
0x13e284ad0        TCPv4    0.0.0.0:49152                  0.0.0.0:0            LISTENING        424      wininit.exe    
0x13e284ad0        TCPv6    :::49152                       :::0                 LISTENING        424      wininit.exe    
0x13e2c0d70        TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        816      svchost.exe    
0x13e2c2830        TCPv4    0.0.0.0:49153                  0.0.0.0:0            LISTENING        816      svchost.exe    
0x13e2c2830        TCPv6    :::49153                       :::0                 LISTENING        816      svchost.exe    
0x13e377a70        TCPv4    0.0.0.0:2869                   0.0.0.0:0            LISTENING        4        System         
0x13e377a70        TCPv6    :::2869                        :::0                 LISTENING        4        System         
0x13e3fd5d0        TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        872      svchost.exe    
0x13e3ffb50        TCPv4    0.0.0.0:49154                  0.0.0.0:0            LISTENING        872      svchost.exe    
0x13e3ffb50        TCPv6    :::49154                       :::0                 LISTENING        872      svchost.exe    
0x13dedb860        TCPv6    -:0                            e8d9:c603:80fa:ffff:e8d9:c603:80fa:ffff:0 CLOSED           1016     svchost.exe    
0x13e274670        TCPv4    -:0                            168.100.166.5:0      CLOSED           5        #v?#????       
0x13e3d16f0        TCPv4    192.168.136.131:49189          192.168.136.134:41367 CLOSED           3248     rundll32.exe   
0x13ef88950        UDPv4    0.0.0.0:57820                  *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13ef8f650        UDPv4    127.0.0.1:57827                *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13f05b010        UDPv4    127.0.0.1:1900                 *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
0x13efad380        TCPv4    -:0                            104.64.127.6:0       CLOSED           4        System         
0x13fe155c0        UDPv4    0.0.0.0:0                      *:*                                   2848     svchost.exe    2016-05-11 03:27:11 UTC+0000
0x13fe155c0        UDPv6    :::0                           *:*                                   2848     svchost.exe    2016-05-11 03:27:11 UTC+0000
0x13fe1e910        UDPv4    0.0.0.0:3540                   *:*                                   2848     svchost.exe    2016-05-11 03:27:11 UTC+0000
0x13fe1e910        UDPv6    :::3540                        *:*                                   2848     svchost.exe    2016-05-11 03:27:11 UTC+0000
0x13fecbec0        UDPv4    192.168.136.131:68             *:*                                   816      svchost.exe    2016-05-11 03:29:15 UTC+0000
0x13fee5710        UDPv4    0.0.0.0:63639                  *:*                                   1016     svchost.exe    2016-05-11 03:27:24 UTC+0000
0x13ff16470        UDPv4    0.0.0.0:5004                   *:*                                   2404     wmpnetwk.exe   2016-05-11 03:27:00 UTC+0000
0x13ff16470        UDPv6    :::5004                        *:*                                   2404     wmpnetwk.exe   2016-05-11 03:27:00 UTC+0000
0x13ff16ad0        UDPv4    0.0.0.0:5005                   *:*                                   2404     wmpnetwk.exe   2016-05-11 03:27:00 UTC+0000
0x13ff16d70        UDPv4    0.0.0.0:5004                   *:*                                   2404     wmpnetwk.exe   2016-05-11 03:27:00 UTC+0000
0x13ff18ec0        UDPv4    0.0.0.0:5005                   *:*                                   2404     wmpnetwk.exe   2016-05-11 03:27:00 UTC+0000
0x13ff18ec0        UDPv6    :::5005                        *:*                                   2404     wmpnetwk.exe   2016-05-11 03:27:00 UTC+0000
0x13ffce890        UDPv4    0.0.0.0:63640                  *:*                                   1016     svchost.exe    2016-05-11 03:27:24 UTC+0000
0x13ffce890        UDPv6    :::63640                       *:*                                   1016     svchost.exe    2016-05-11 03:27:24 UTC+0000
0x13ff1c900        TCPv4    0.0.0.0:554                    0.0.0.0:0            LISTENING        2404     wmpnetwk.exe   
0x13ff1c900        TCPv6    :::554                         :::0                 LISTENING        2404     wmpnetwk.exe   
0x13ff1d6b0        TCPv4    0.0.0.0:5985                   0.0.0.0:0            LISTENING        4        System         
0x13ff1d6b0        TCPv6    :::5985                        :::0                 LISTENING        4        System         
0x13ff282f0        TCPv4    0.0.0.0:3587                   0.0.0.0:0            LISTENING        2848     svchost.exe    
0x13ff282f0        TCPv6    :::3587                        :::0                 LISTENING        2848     svchost.exe    
0x13fe69010        TCPv6    -:0                            e8d9:c603:80fa:ffff:e8d9:c603:80fa:ffff:0 CLOSED           1016     svchost.exe    
0x13fe6b6f0        TCPv4    -:49164                        52.34.245.108:443    CLOSED           2652     firefox.exe    
0x13fe96010        TCPv4    127.0.0.1:49162                127.0.0.1:49163      ESTABLISHED      2652     firefox.exe    
0x13fe98be0        TCPv4    127.0.0.1:49163                127.0.0.1:49162      ESTABLISHED      2652     firefox.exe    
0x13feb0880        TCPv6    -:0                            e8d9:c603:80fa:ffff:e8d9:c603:80fa:ffff:0 CLOSED           2652     firefox.exe    
0x13fee6010        TCPv4    -:49174                        216.58.199.67:443    CLOSED           2652     firefox.exe    
0x13feecc50        TCPv4    192.168.136.131:49165          192.168.136.254:443  CLOSED           2652     firefox.exe    
0x13fefdcf0        TCPv4    192.168.136.131:49179          54.192.135.254:443   CLOSED           2652     firefox.exe    
0x13ff56a90        TCPv4    192.168.136.131:49181          109.233.56.78:443    CLOSED           2652     firefox.exe    
0x13ff77010        TCPv6    -:0                            c826:ad05:80fa:ffff:c826:ad05:80fa:ffff:0 CLOSED           2652     firefox.exe    
0x13ff77cf0        TCPv4    -:49166                        202.7.205.158:443    CLOSED           2652     firefox.exe    
0x13ff78010        TCPv4    -:49172                        216.58.199.67:443    CLOSED           2652     firefox.exe    
0x13ff81700        TCPv4    192.168.136.131:0              216.58.199.78:0      LISTENING        -1                      
0x13ff87210        TCPv4    -:0                            200.38.173.5:0       CLOSED           2652     firefox.exe    
0x13ffafcf0        TCPv4    192.168.136.131:49175          216.58.199.78:443    CLOSED           2652     firefox.exe    
0x13ffb9cf0        TCPv4    192.168.136.131:49182          109.233.56.78:443    CLOSED           2652     firefox.exe    

For this task, I ran another Volatility plugin, netscan, to get network information from the memory dump. I found a connection from another machine within the same network, 192.168.136.0/24, which executed rundll32.exe.

Flag: [192.168.136.134:41367][3248][N]
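
Picking that row out of the netscan listing can be done by filtering on the PIDs already flagged from pstree. The following is an added example, not part of the original write-up; the function names, the "internal" field and the ESTABLISHED-means-open mapping are assumptions, and the sample rows are copied from the output above.

```python
import ipaddress

# Rows copied from the netscan output above (trailing padding trimmed).
NETSCAN = """\
0x13e1e6a90        TCPv4    0.0.0.0:445                    0.0.0.0:0            LISTENING        4        System
0x13dcb1cf0        TCPv4    192.168.136.131:0              52.34.121.74:0       LISTENING        -1
0x13e3d16f0        TCPv4    192.168.136.131:49189          192.168.136.134:41367 CLOSED           3248     rundll32.exe
0x13fe96010        TCPv4    127.0.0.1:49162                127.0.0.1:49163      ESTABLISHED      2652     firefox.exe
0x13feecc50        TCPv4    192.168.136.131:49165          192.168.136.254:443  CLOSED           2652     firefox.exe
0x13e274670        TCPv4    -:0                            168.100.166.5:0      CLOSED           5        #v?#????
0x13dc52d00        UDPv4    192.168.136.131:1900           *:*                                   2584     svchost.exe    2016-05-11 03:26:59 UTC+0000
"""


def tcp_rows(text):
    """Yield TCP rows as dicts; UDP rows have no state column and are skipped."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or not tok[1].startswith("TCP"):
            continue
        try:
            pid = int(tok[5])
        except ValueError:
            continue
        host, _, port = tok[3].rpartition(":")
        yield {
            "remote_host": host,
            "remote_port": port,
            "state": tok[4],
            "pid": pid,
            "owner": tok[6] if len(tok) > 6 else "",
        }


def connections_of(text, pids, subnet):
    """Non-listening TCP rows owned by `pids`, tagged if the peer is in `subnet`."""
    net = ipaddress.ip_network(subnet)
    hits = []
    for row in tcp_rows(text):
        if row["pid"] not in pids or row["state"] == "LISTENING":
            continue
        try:
            internal = ipaddress.ip_address(row["remote_host"]) in net
        except ValueError:  # unparsable address recovered by the pool scan
            internal = False
        hits.append({
            "remote": row["remote_host"] + ":" + row["remote_port"],
            "pid": row["pid"],
            "owner": row["owner"],
            "state": row["state"],
            # Assumption: only ESTABLISHED counts as still open.
            "open": "Y" if row["state"] == "ESTABLISHED" else "N",
            "internal": internal,
        })
    return hits


if __name__ == "__main__":
    for hit in connections_of(NETSCAN, {3248, 3268}, "192.168.136.0/24"):
        print("[{remote}][{pid}][{open}]".format(**hit), hit["owner"])
```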

Question 4: 100 pts

What file was modified?

The answer must be submitted in the following format: [C:\flag.txt]

shadow# volatility -f memory_1.dmp --profile=Win7SP1x64 procdump -D dump/ -p 3268
Volatility Foundation Volatility Framework 2.5
Process(V)         ImageBase          Name                 Result
------------------ ------------------ -------------------- ------
0xfffffa8004e77b30 0x0000000049fa0000 cmd.exe              OK: executable.3268.exe
shadow# ls dump      
executable.3268.exe
shadow# strings dump/executable.3268.exe| grep -B1 "txt"
C:\Users\vagrant\Documents\vault>
" > 6.txt

I used the procdump plugin to dump PID 3268 to a directory “dump”. Then I ran strings on the executable, looked for “txt” and got “> 6.txt”, then did a grep to list one line before that and found the exact path of the txt file.

Flag: [C:\Users\vagrant\Documents\vault\6.txt]

Question 5: 100 pts

What is the attacker’s flag?

The answer must be submitted in the following format: flag{example_flag}

shadow# strings memory_1.dmp | grep "6.txt"
" > 6.txt
6.txt
v6&txtD
6.txt
Wii!CBS_microsoft-windows-client-drivers-package~31bf3856ad364e35~am_ce5d193fb7f62e46rtxt
type 6.txt
echo "flag{N3Xt_t1m3_l3t_1337_BU1lD}" > 6.txt
type 6.txt
t>lD}" > 6.txt
shadow# 

Now that we know the file name is 6.txt, I ran strings on the memory dump, grepped for 6.txt and found the flag.

Flag: flag{N3Xt_t1m3_l3t_1337_BU1lD}
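
Two details of the strings-and-grep search are worth seeing in code: grep treats the "." in "6.txt" as "any character", which is why "v6&txtD" shows up in the output above, and strings extracts only 8-bit text by default while Windows memory also holds UTF-16LE text. The following added example (not part of the original write-up) searches a byte buffer for a literal name in both encodings; the function name and the sample buffer are constructed for illustration.

```python
import re

# Constructed sample buffer: a regex false positive, an ASCII command line,
# and the same file name stored as UTF-16LE, separated by non-printable bytes.
SAMPLE = (
    b"\x00\x01v6&txtD\x00\xff"
    b'echo "flag{constructed_example}" > 6.txt\x00\x01\x02'
    + "type 6.txt".encode("utf-16le")
    + b"\x00\x00"
)


def find_literal(blob, needle, min_len=4):
    """Return (offset, encoding, string) for printable runs containing `needle`.

    The comparison is a plain substring test, so "." in the needle only
    matches a literal dot.
    """
    patterns = (
        ("ascii", re.compile(rb"[\x20-\x7e]{%d,}" % min_len)),
        ("utf-16le", re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)),
    )
    hits = []
    for encoding, pattern in patterns:
        for match in pattern.finditer(blob):
            text = match.group().decode(encoding)
            if needle in text:
                hits.append((match.start(), encoding, text))
    return sorted(hits)


if __name__ == "__main__":
    for offset, encoding, text in find_literal(SAMPLE, "6.txt"):
        print(hex(offset), encoding, text)
```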
