Magnet Weekly CTF Challenge Week 11 Writeup - Killing Two Birds With One Stone

This week's challenge was a standard two-parter. Even though it was not a lengthy challenge, I learnt that one can reconstruct network pcaps from a memory image. 😁

Upon reading the question, I was initially puzzled by it. Nonetheless, I still tried to look for the answer in the Volatility netscan output and tried dumping the "C:\Windows\System32\drivers\etc\hosts" file from memory. Sadly, neither of these two paths gave me the answer.

Things took an unexpected turn while I was reading other participants' week 10 writeups: some interesting content in Stark4n6's writeup caught my attention. In that writeup, he referenced an article that talked about reconstructing network pcaps from a memory image.

Running the "bulk_extractor64.exe -x all -e net -o test/ memdump.mem" command (disable every scanner with -x all, re-enable only the net scanner with -e net, write results to the test/ directory) produces a packets.pcap file in the output directory. The net scanner carves whatever packet buffers still sit in RAM, so the resulting capture is only a partial view of the host's traffic, but it is often enough for a question like this one.

Wireshark could open the packets.pcap file and the answer could be seen immediately.
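To make the carving step less of a black box, here is an added example (not code from the writeup, Stark4n6's post, or bulk_extractor itself) that re-implements the core idea of bulk_extractor's net scanner in a few dozen lines: scan a raw image for IPv4 headers whose header checksum validates, write the hits to a pcap, and then pull the DNS query names back out of that pcap, which is the kind of detail a challenge question tends to ask about. The memory image is a constructed blob of filler bytes with two hand-built DNS query packets planted in it; the addresses, query names, and the carved.pcap file name are all assumptions made for the demo.

```python
"""
Minimal re-implementation of the idea behind a memory-image packet carver:
find IPv4 headers that checksum correctly, carve them into a pcap, then
extract DNS query names from that pcap.  Added example, not bulk_extractor.
"""
import os
import random
import socket
import struct
import tempfile

LINKTYPE_RAW = 101  # pcap link type: each record starts at the IP header


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when a stored checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dns_query_packet(src: str, dst: str, qname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: IPv4/UDP packet carrying a DNS A query for qname."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns  # UDP checksum 0 = none (IPv4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), txid, 0x4000, 64, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp


def carve_ipv4_packets(blob: bytes) -> list:
    """Return every span of blob that looks like a valid IPv4 packet (no options)."""
    found, i, n = [], 0, len(blob)
    while i + 20 <= n:
        if blob[i] == 0x45:  # version 4, IHL 5: the common 20-byte header
            hdr = blob[i:i + 20]
            total_len = struct.unpack("!H", hdr[2:4])[0]
            ttl, proto = hdr[8], hdr[9]
            # Heuristics: sane length, non-zero TTL, ICMP/TCP/UDP, and a header
            # checksum that validates; the checksum is what kills most false hits.
            if (20 <= total_len <= 1500 and i + total_len <= n and ttl > 0
                    and proto in (1, 6, 17) and ip_checksum(hdr) == 0):
                found.append(blob[i:i + total_len])
                i += total_len
                continue
        i += 1
    return found


def write_pcap(packets, path: str) -> None:
    """Write packets as a classic little-endian pcap with LINKTYPE_RAW."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW))
        for k, pkt in enumerate(packets):  # no real timestamps survive carving
            f.write(struct.pack("<IIII", k, 0, len(pkt), len(pkt)) + pkt)


def read_pcap(path: str) -> list:
    """Read back the records of a pcap written by write_pcap."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap")
    pos, pkts = 24, []
    while pos + 16 <= len(data):
        incl = struct.unpack("<IIII", data[pos:pos + 16])[2]
        pkts.append(data[pos + 16:pos + 16 + incl])
        pos += 16 + incl
    return pkts


def dns_queries(packets) -> list:
    """Return (src_ip, qname) for every UDP/53 packet carrying a DNS question."""
    out = []
    for pkt in packets:
        if len(pkt) < 20 or pkt[9] != 17:
            continue
        udp = pkt[(pkt[0] & 0x0F) * 4:]
        if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != 53:
            continue
        dns = udp[8:]
        if len(dns) < 12 or struct.unpack("!H", dns[4:6])[0] < 1:
            continue
        pos, labels = 12, []
        while pos < len(dns) and dns[pos]:
            ln = dns[pos]
            labels.append(dns[pos + 1:pos + 1 + ln].decode("ascii", "replace"))
            pos += 1 + ln
        out.append((socket.inet_ntoa(pkt[12:16]), ".".join(labels)))
    return out


def demo(path: str = os.path.join(tempfile.gettempdir(), "carved.pcap")) -> list:
    """Build a fake memory image, carve it, and report the DNS names found."""
    rng = random.Random(7)
    # Seeded filler with 0x45 removed so only the two planted packets can validate.
    filler = lambda n: bytes(0 if b == 0x45 else b for b in (rng.getrandbits(8) for _ in range(n)))
    blob = (filler(512) + build_dns_query_packet("10.0.0.5", "10.0.0.1", "example.com")
            + filler(300) + build_dns_query_packet("10.0.0.5", "10.0.0.1", "ctf.magnetforensics.test")
            + filler(200))
    write_pcap(carve_ipv4_packets(blob), path)
    return dns_queries(read_pcap(path))


if __name__ == "__main__":
    for src, name in demo():
        print(src, "->", name)
```

The pcap it writes opens in Wireshark like the bulk_extractor output does; the difference is that bulk_extractor also recognises Ethernet and TCP framing and scans far more cleverly, so treat this as a teaching aid for what "valid-looking header" means, not a replacement.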

Part 2 of the challenge could also be solved easily as it asked:

The answer to part 2 could also be seen immediately in the same Wireshark screenshot.