MemLabs - Lab6

3 minute read

Challenge Description

Note: This challenge is composed of 1 flag.

The flag format for this lab is: inctf{s0me_l33t_Str1ng}

Challenge file: MemLabs_Lab6

First we need to identify the operating system of the memory image.

$ volatility -f MemoryDump_Lab6.raw imageinfo


Next, let’s check the running processes.

$ volatility -f MemoryDump_Lab6.raw --profile Win7SP1x64 pslist


We can see some interesting processes here like WinRAR, chrome and firefox so let’s start with WinRAR.

$ volatility --plugins=plugins/ -f MemoryDump_Lab6.raw --profile Win7SP1x64 cmdline | grep WinRAR.exe
Volatility Foundation Volatility Framework 2.6.1
WinRAR.exe pid:   3716
Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Jaffa\Desktop\pr0t3ct3d\flag.rar"

Oh, that file name is interesting, let’s dump it.

$ volatility -f MemoryDump_Lab6.raw --profile Win7SP1x64 filescan | grep flag.rar
Volatility Foundation Volatility Framework 2.6.1
0x000000005fcfc4b0     16      0 R--rwd \Device\HarddiskVolume2\Users\Jaffa\Desktop\pr0t3ct3d\flag.rar

$ volatility -f MemoryDump_Lab6.raw --profile Win7SP1x64 dumpfiles -Q 0x000000005fcfc4b0 -D lab6_output/
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x5fcfc4b0   None   \Device\HarddiskVolume2\Users\Jaffa\Desktop\pr0t3ct3d\flag.rar

Next, let’s try to unrar it.

$ unrar e flag.rar 
UNRAR 5.61 beta 1 freeware      Copyright (c) 1993-2018 Alexander Roshal
Extracting from flag.rar
Enter password (will not be echoed) for flag2.png: 

Of course it’s encrypted :(

Let’s take a step back and try more plugins.

$ volatility --plugins=plugins/ -f MemoryDump_Lab6.raw --profile Win7SP1x64 consoles


I noticed the author is running env command, I suspect it’s a hint for us.

So let’s try dumping the environment variables for WinRAR.


Awesome, not we now that the rar password is: easypeasyvirus.

$ unrar e flag.rar 
UNRAR 5.61 beta 1 freeware      Copyright (c) 1993-2018 Alexander Roshal
Extracting from flag.rar
Enter password (will not be echoed) for flag2.png: 
Extracting  flag2.png                                                 OK 
All OK


Great, that looks like the second half of the flag.

Second half: aN_Am4zINg_!_i_gU3Ss???_}

Let’s return back the the chrome process, the first thing is to check the browsing history.

This amazing github repo has the plugin we need: Volatility-Plugins

$ volatility --plugins=plugins/ -f MemoryDump_Lab6.raw --profile Win7SP1x64 chromehistory > chromehistory.txt

Scrolling through the history dump, I notices a pastebin link (


Here is what I found.


There is a link to a google drive doc along with the note David sent the key in mail.

The doc file is just some lorem ipsum text, but if you look carefully you can see a mega link (took me a while).


Let’s see what this mega link has.


Another password, I hate my life :(

At this point I got stuck, so I tried every volatility plugin I know about. Then the magic happened.

The screenshot plugin saved the day.

$ volatility --plugins=plugins/ -f MemoryDump_Lab6.raw --profile Win7SP1x64 screenshot -D lab6_output

It dumped 13 images, all of them are just white images except for this one.


There is a windows with the title Mega Drive Key ...., that looks promising. so let’s search for this string in memory.

$ strings MemoryDump_Lab6.raw | grep "Mega Drive Key"
Mega Drive Key - - Gmail
top['GM_TRACING_THREAD_DETAILS_CHUNK_START'] = (window.performance && ? : null; top._GM_setData({"Cl6csf":[["simls",0,"{\"2\":[{\"1\":0,\"2\":{\"1\":\"Mega Drive Key\",\"2\":\"THE KEY IS zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU\"

Look at that, we got the key (a good pair of eyes required). the key is: zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU.

After decrypting the file, it turned out to be an image. but unfortunately it was corrupted.

Opening it with hexedit, the IHDR part was corrupted (iHDR). so all we need to do is to change i (69) to I (49).


Finally we got the first part of the flag, that was a long journey.


Flag: inctf{thi5cH4LL3Ng3_!s_g0nn4_b3_?_aN_Am4zINg_!_i_gU3Ss???}