NahamCon CTF 2023: How I solved Raided (Digital Forensics) without Volatility

0xS1rx58
3 min read · Jun 17, 2023


In this post, I'll describe how I solved Raided without Volatility.

Second Blood

After reading the description we knew it is a memory image of a machine that was used to stage attacks, and that the hacker was accessing other systems.

Starting investigation…

It was captured from Kali.

I will use bulk_extractor to extract more data:

bulk_extractor -o ./xxx raided-challenge-dump-vmem

-o: the output directory

raided-challenge-dump-vmem: the file name of the memory image

I got packets.pcap; let's analyze it.

I will use tshark to analyze it; you can use Wireshark.

tshark -r packets.pcap

-r: set the file name to read from

We found an SSH connection to 167.172.12.154.
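The same hunt for the SSH connection done in plain Python instead of tshark, as an added example that is not part of the original writeup or the author's tooling. It walks the classic pcap record format with the standard library only and reports TCP SYNs (a client opening a connection) whose destination port is 22. It assumes Ethernet-framed IPv4 (pcap link type 1); the capture it runs on is constructed in-line, and the client address 10.0.2.15 and the decoy 203.0.113.7 are made up for the sample, while 167.172.12.154 is the server from the writeup.

```python
"""List outbound SSH connections in a pcap without tshark or Wireshark.

Added example for this writeup, not the author's tooling. Pure standard
library: walks classic pcap records and picks out TCP SYNs (no ACK) whose
destination port is 22. Assumes Ethernet-framed IPv4 (link type 1); the
sample pcap below is constructed in-line so the script runs offline.
"""
import socket
import struct
import sys

SYN, ACK = 0x02, 0x10


def ssh_connections(pcap: bytes, port: int = 22) -> list:
    """Return one dict per TCP SYN (without ACK) sent to `port`."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written little-endian (usual on x86)
        e = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # big-endian writer
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or truncated?)")
    linktype = struct.unpack_from(e + "I", pcap, 20)[0]
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}; expected Ethernet")
    conns, off = [], 24                   # 24-byte global header
    while off + 16 <= len(pcap):          # 16-byte record header per packet
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(e + "IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # not IPv4, or too short
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 14:  # not IPv4/TCP, or flags byte cut
            continue
        tcp = ip[ihl:]
        sport, dport = struct.unpack_from(">HH", tcp, 0)
        flags = tcp[13]
        if dport == port and flags & SYN and not flags & ACK:
            conns.append({"ts": ts_sec, "src": socket.inet_ntoa(ip[12:16]),
                          "dst": socket.inet_ntoa(ip[16:20]), "sport": sport, "dport": dport})
    return conns


def _frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x52\x54\x00\x12\x35\x02" + b"\x08\x00\x27\xaa\xbb\xcc" + b"\x08\x00"
    return eth + ip + tcp


def build_sample_pcap() -> bytes:
    """Constructed capture: the attacker's box opening SSH to the staging server
    from the writeup, the server's SYN/ACK reply, and an unrelated HTTPS SYN."""
    frames = [
        _frame("10.0.2.15", "167.172.12.154", 51234, 22, SYN),
        _frame("167.172.12.154", "10.0.2.15", 22, 51234, SYN | ACK),
        _frame("10.0.2.15", "203.0.113.7", 51235, 443, SYN),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1686960000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_sample_pcap()

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for c in ssh_connections(data):
        print(f"{c['ts']} {c['src']}:{c['sport']} -> {c['dst']}:{c['dport']}")
```

Run it as python3 ssh_conns.py packets.pcap on the carved capture; the SYN-without-ACK filter is what keeps the server's reply from showing up as a second "connection", which is the same thing a tcp.flags.syn==1 && tcp.flags.ack==0 display filter does in Wireshark.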

I used ping 167.172.12.154 to check whether it was live or not, and I got a response.

We retrieved a command from the .zsh_history file:

ssh -i ~/.ssh/id_ed25519 l33t@167.172.12.154

This is the command to connect to the server using the private key ~/.ssh/id_ed25519 and the user l33t; the server IP is 167.172.12.154.

We can retrieve the private key with binwalk (binwalk --dd=".*" -C 193056208 -N id_ed25519 raided-challenge-dump-vmem) or with strings:

  • strings raided-challenge-dump-vmem | grep "PRIVATE KEY" -A 10
  • We know the headers that private keys begin with:
  • -----BEGIN RSA PRIVATE KEY-----
  • -----BEGIN OPENSSH PRIVATE KEY-----

But I searched using "PRIVATE KEY-----" because, if we remember, the SSH key file name is id_ed25519, so the header will be -----BEGIN OPENSSH PRIVATE KEY-----.

- Note: this command is to generate a key, not to solve the challenge: ssh-keygen -t ed25519 -f ed25519_key
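A more robust version of the strings | grep step, added here as an example and not part of the original writeup: instead of eyeballing 10 lines of grep context, it carves every -----BEGIN OPENSSH PRIVATE KEY----- block out of the dump, base64-decodes it, checks the openssh-key-v1 magic, reads the cleartext header so you know up front whether the key is passphrase-protected and what type it is, and re-wraps it the way ssh-keygen writes it so ssh -i accepts the file. The "memory image" it runs on is constructed in-line with a zero-filled dummy key blob (no real key material) plus a decoy block, so it runs offline; the comment string l33t@kali and the output file names carved_key_N are made up for the sample.

```python
"""Carve OpenSSH private keys out of a raw memory dump and check whether each
one is usable with `ssh -i` (unencrypted, key type) before trying it.

Added example for this writeup, not the author's tooling. The "memory image"
below is constructed in-line so the script runs offline; pass a real .vmem
path on the command line to carve a real dump.
"""
import base64
import re
import struct
import sys
from pathlib import Path

BEGIN = b"-----BEGIN OPENSSH PRIVATE KEY-----"
END = b"-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"
# Header, base64 body (any line wrapping, LF or CRLF), footer.
KEY_RE = re.compile(BEGIN + rb"\r?\n([A-Za-z0-9+/=\r\n]+)" + END)


def _sshstr(b: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_sshstr(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def describe_openssh_key(blob: bytes) -> dict:
    """Parse the cleartext header of an openssh-key-v1 blob: cipher and kdf
    ("none" means no passphrase needed), number of keys, and public key type."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(MAGIC)
    cipher, off = _read_sshstr(blob, off)
    kdf, off = _read_sshstr(blob, off)
    _kdfopts, off = _read_sshstr(blob, off)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    pubkey, _ = _read_sshstr(blob, off + 4)
    keytype, _ = _read_sshstr(pubkey, 0)   # the pubkey blob starts with its own type string
    return {"cipher": cipher.decode(), "kdf": kdf.decode(), "nkeys": nkeys,
            "type": keytype.decode(), "encrypted": cipher != b"none"}


def carve_openssh_keys(image: bytes) -> list:
    """Find every BEGIN/END block whose body decodes to a real key blob.
    Blocks that look like a key but do not decode (decoys, torn pages) are skipped."""
    found = []
    for m in KEY_RE.finditer(image):
        body = re.sub(rb"[\r\n]", b"", m.group(1))
        try:
            blob = base64.b64decode(body, validate=True)
            info = describe_openssh_key(blob)
        except (ValueError, struct.error):
            continue
        # Re-wrap at 70 columns the way ssh-keygen writes it, so ssh -i accepts the file.
        wrapped = b"\n".join(body[i:i + 70] for i in range(0, len(body), 70))
        found.append({"offset": m.start(), "pem": BEGIN + b"\n" + wrapped + b"\n" + END + b"\n", **info})
    return found


def write_key(pem: bytes, path: str) -> Path:
    """ssh refuses private keys readable by group/other, so chmod 600."""
    p = Path(path)
    p.write_bytes(pem)
    p.chmod(0o600)
    return p


def build_sample_image() -> bytes:
    """Constructed stand-in for a .vmem dump: filler, a decoy block whose body is
    base64 but not a key, and one unencrypted ssh-ed25519 blob with zeroed dummy
    key bytes (not a real key)."""
    pubkey = _sshstr(b"ssh-ed25519") + _sshstr(b"\x00" * 32)
    private = b"\x00" * 8 + pubkey + _sshstr(b"\x00" * 64) + _sshstr(b"l33t@kali") + b"\x01\x02\x03"
    blob = (MAGIC + _sshstr(b"none") + _sshstr(b"none") + _sshstr(b"")
            + struct.pack(">I", 1) + _sshstr(pubkey) + _sshstr(private))
    b64 = base64.b64encode(blob)
    key_pem = BEGIN + b"\n" + b"\n".join(b64[i:i + 70] for i in range(0, len(b64), 70)) + b"\n" + END + b"\n"
    decoy = BEGIN + b"\n" + base64.b64encode(b"this is not a key blob") + b"\n" + END + b"\n"
    return b"\x00" * 512 + decoy + b"\xff" * 128 + key_pem + b"\x90" * 256


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for n, k in enumerate(carve_openssh_keys(image)):
        print(f"offset {k['offset']:#x}: {k['type']} cipher={k['cipher']} encrypted={k['encrypted']}")
        write_key(k["pem"], f"carved_key_{n}")
```

The cipher field is the check worth doing before you try the key: "none" means the blob is unencrypted and ssh -i works straight away, while aes256-ctr with bcrypt kdf means you would be prompted for a passphrase that is not in the dump in cleartext form.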

Now try to connect:

flag{654e9dc4c424e25423c19c5e64fffb27}
