Box Name → DumpMe

Box Link → https://cyberdefenders.org/blueteam-ctf-challenges/65

Author → Champlain College

Description → One of the SOC analysts took a memory dump from a machine infected with a meterpreter malware. As a Digital Forensicator, your job is to analyze the dump, extract the available indicators of compromise (IOCs) and answer the provided questions.


Download the zip file. Unzip the file with password → “cyberdefenders.org”

NOTE: For this room I’m going to use Volatility 2.6. I have another writeup for Volatility if you want to check that out.

Challenge Questions

Q1. What is the SHA1 hash of Triage-Memory.mem (memory dump)?

A. c95e8cc8c946f95a109ea8e47a6800de10a27abd

shasum Triage-Memory.mem

Q2. What volatility profile is the most appropriate for this machine? (ex: Win10x86_14393)

A. Win7SP1x64

./volatility -f "/home/avi/Downloads/vol/Triage-Memory.mem" imageinfo

Q3. What was the process ID of notepad.exe?

A. 3032

./volatility -f "/home/avi/Downloads/vol/Triage-Memory.mem" --profile=Win7SP1x64 pslist | grep notepad.exe

Q4. Name the child process of wscript.exe

A. 3032

./volatility -f "/home/avi/Downloads/vol/Triage-Memory.mem" --profile=Win7SP1x64 pstree
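Q3 and Q4 are both answered by reading the process list: `pslist` gives PID and PPID per process, and `pstree` is the same data drawn as a tree. As an added example (not code from the write-up or from Volatility), here is a small parser for Volatility 2 `pslist` output that looks up a process by name and walks a parent's children the way `pstree` does. The sample listing is constructed; only notepad.exe's PID (3032) comes from the write-up, and the wscript.exe child shown here is a made-up name and PID.

```python
import re

# Constructed sample of Volatility 2 `pslist` output. Only notepad.exe's PID (3032)
# is taken from the write-up; every other name, PID, offset and timestamp is made up.
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c9e040 System                    4      0     87      533 ------      0 2019-03-22 05:32:01 UTC+0000
0xfffffa8001a52b30 explorer.exe           1928   1860     33      890      1      0 2019-03-22 05:32:40 UTC+0000
0xfffffa8001c11060 wscript.exe            2456   1928      7      224      1      0 2019-03-22 05:34:02 UTC+0000
0xfffffa8001c40b30 dropped.exe            2532   2456      9      180      1      0 2019-03-22 05:34:05 UTC+0000
0xfffffa8001d0a060 notepad.exe            3032   1928      2       62      1      0 2019-03-22 05:35:10 UTC+0000
"""

# Offset, name, PID, PPID are the first four columns; header and separator lines do not match.
PSLIST_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_pslist(text):
    """Return {pid: (name, ppid)} from Volatility 2 pslist output."""
    procs = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            _, name, pid, ppid = m.groups()
            procs[int(pid)] = (name, int(ppid))
    return procs


def pids_by_name(procs, name):
    """All PIDs whose image name matches (case-insensitive), e.g. notepad.exe -> [3032]."""
    return sorted(pid for pid, (n, _) in procs.items() if n.lower() == name.lower())


def children_of(procs, parent_pid):
    """Direct children of a PID as (pid, name), sorted by PID."""
    return sorted((pid, n) for pid, (n, ppid) in procs.items() if ppid == parent_pid)


def descendants_of(procs, parent_pid):
    """Depth-first walk of a subtree, which is what one branch of `pstree` shows."""
    out = []
    for pid, name in children_of(procs, parent_pid):
        out.append((pid, name))
        out.extend(descendants_of(procs, pid))
    return out


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    print("notepad.exe PIDs:", pids_by_name(procs, "notepad.exe"))
    for wpid in pids_by_name(procs, "wscript.exe"):
        print(f"children of wscript.exe ({wpid}):", children_of(procs, wpid))
```

To use it on the real dump, pipe `pslist` output into a file and pass its contents to `parse_pslist`; a scripting host such as wscript.exe spawning an executable is exactly the parent/child pairing worth pulling out of the tree.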

Q5. What was the IP address of the machine at the time the RAM dump was created?


./volatility -f "/home/avi/Downloads/vol/Triage-Memory.mem" --profile=Win7SP1x64 netscan

Q6. Based on the answer regarding the infected PID, can you determine the IP of the attacker?


./volatility -f "/home/avi/Downloads/vol/Triage-Memory.mem" --profile=Win7SP1x64 netscan
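Q5 and Q6 both come from the same `netscan` listing: the machine's own address is the local side that keeps recurring, and the attacker's address is the remote side of whatever the infected PID has open. As an added example (not code from the write-up or from Volatility), here is a parser for Volatility 2 `netscan` output that answers both. The listing is constructed; only PID 3496 comes from the write-up, and the addresses, owner names, offsets and times are made up (remote addresses use the 203.0.113.0/24 documentation range).

```python
import re
from collections import Counter

# Constructed sample of Volatility 2 `netscan` output. PID 3496 is the infected PID
# from the write-up; every address, offset, owner name and timestamp is made up.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7e1c0010         UDPv4    0.0.0.0:5355                   *:*                                   1144     svchost.exe    2019-03-22 05:32:12 UTC+0000
0x7e2a4a30         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        700      svchost.exe
0x7e2f1cf0         TCPv4    10.0.2.15:49162                203.0.113.10:443     ESTABLISHED      2016     chrome.exe
0x7e3b7f80         TCPv4    10.0.2.15:49171                203.0.113.77:4444    ESTABLISHED      3496     dropped.exe
0x7e3c2010         TCPv4    10.0.2.15:49172                203.0.113.77:4444    CLOSED           3496     dropped.exe
0x7e40b9a0         TCPv4    127.0.0.1:49155                127.0.0.1:49156      ESTABLISHED      1928     explorer.exe
"""

# UDP rows have no State column, so the state group is optional; the PID is the
# first all-digit token after the foreign address.
NETSCAN_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(TCPv4|TCPv6|UDPv4|UDPv6)\s+(\S+)\s+(\S+)\s+"
    r"(?:([A-Z_]+)\s+)?(\d+)\s+(\S+)"
)


def split_endpoint(ep):
    """'10.0.2.15:49171' -> ('10.0.2.15', '49171'); splits on the last colon so IPv6 works."""
    ip, _, port = ep.rpartition(":")
    return ip, port


def parse_netscan(text):
    """Return one dict per socket/connection row in Volatility 2 netscan output."""
    conns = []
    for line in text.splitlines():
        m = NETSCAN_RE.match(line)
        if not m:
            continue
        _, proto, local, foreign, state, pid, owner = m.groups()
        lip, lport = split_endpoint(local)
        fip, fport = split_endpoint(foreign)
        conns.append({"proto": proto, "local_ip": lip, "local_port": lport,
                      "remote_ip": fip, "remote_port": fport,
                      "state": state or "", "pid": int(pid), "owner": owner})
    return conns


def host_ip(conns):
    """Q5: the most frequent local address that is not a wildcard or loopback."""
    skip = {"0.0.0.0", "127.0.0.1", "::", "::1", "*"}
    c = Counter(x["local_ip"] for x in conns if x["local_ip"] not in skip)
    return c.most_common(1)[0][0] if c else None


def remote_peers(conns, pid):
    """Q6: distinct (remote_ip, remote_port) pairs a PID talked to, wildcards ignored."""
    return sorted({(x["remote_ip"], x["remote_port"]) for x in conns
                   if x["pid"] == pid and x["remote_ip"] not in ("*", "0.0.0.0")})


if __name__ == "__main__":
    conns = parse_netscan(SAMPLE_NETSCAN)
    print("host IP:", host_ip(conns))
    print("peers of PID 3496:", remote_peers(conns, 3496))
```

Keeping closed and established rows separate (the `state` field) matters in practice: a CLOSED row still names the peer, so a C2 address is not lost just because the session ended before the dump.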

Q7. How many processes are associated with VCRUNTIME140.dll?

A. 5

NOTE: For some reason it's not showing all the processes. I did some research but couldn't find a solution. I will update the write-up if I find a solution.

Q8. After dumping the infected process, what is its md5 hash?

A. 690ea20bc3bdfb328e23005d9a80c290

./volatility -f "/home/avi/Downloads/vol/Triage-Memory.mem" --profile=Win7SP1x64 procdump -p 3496 --dump-dir "/home/avi/Downloads/vol/"

Q9. What is the LM hash of Bob’s account?

A. aad3b435b51404eeaad3b435b51404ee

./volatility -f "/home/avi/Downloads/vol/Triage-Memory.mem" --profile=Win7SP1x64 hashdump

Q10. What memory protection constants does the VAD node at 0xfffffa800577ba10 have?


./volatility -f "/home/avi/Downloads/vol/Triage-Memory.mem" --profile=Win7SP1x64 vadinfo | grep 0xfffffa800577ba10 -A 6

Q11. What memory protection did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?


./volatility -f "/home/avi/Downloads/vol/Triage-Memory.mem" --profile=Win7SP1x64 vadinfo | grep 0x00000000033c0000 -A 6
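Q10 and Q11 are both lookups in the `vadinfo` output, one keyed by the VAD node address and one by the start/end range. As an added example (not code from the write-up or from Volatility), here is a parser that collects each VAD's node address, range, tag, protection and private-memory flag, answers both kinds of lookup, and flags the private PAGE_EXECUTE_READWRITE regions that are the usual injected-code indicator. The sample output is constructed; only PID 3496 comes from the write-up, and the node addresses, ranges and protections are made up.

```python
import re

# Constructed sample of Volatility 2 `vadinfo` output. PID 3496 is the infected PID
# from the write-up; node addresses, ranges, tags and protections are made up.
SAMPLE_VADINFO = """\
************************************************************************
Pid:   3496
VAD node @ 0xfffffa8005a1c2f0 Start 0x0000000000400000 End 0x0000000000433fff Tag Vad
Flags: CommitCharge: 8, PrivateMemory: 0, Protection: 7, VadType: 2
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
ControlArea @fffffa8004fd13b0 Segment fffff8a001d25000
VAD node @ 0xfffffa8005b32e40 Start 0x0000000002a40000 End 0x0000000002a5ffff Tag VadS
Flags: CommitCharge: 32, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
VAD node @ 0xfffffa8005b40120 Start 0x0000000002b00000 End 0x0000000002b0ffff Tag VadS
Flags: CommitCharge: 16, MemCommit: 1, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
"""

PID_RE = re.compile(r"^Pid:\s+(\d+)")
NODE_RE = re.compile(
    r"^VAD node @ (0x[0-9a-fA-F]+) Start (0x[0-9a-fA-F]+) End (0x[0-9a-fA-F]+) Tag (\S+)"
)
PROT_RE = re.compile(r"^Protection: (PAGE_[A-Z_]+)")


def parse_vadinfo(text):
    """Return a list of VAD dicts. Addresses are stored as ints so a lookup does not
    depend on how many leading zeros the caller types."""
    nodes, cur, pid = [], None, None
    for line in text.splitlines():
        m = PID_RE.match(line)
        if m:
            pid = int(m.group(1))
            continue
        m = NODE_RE.match(line)
        if m:
            cur = {"pid": pid, "node": int(m.group(1), 16), "start": int(m.group(2), 16),
                   "end": int(m.group(3), 16), "tag": m.group(4),
                   "protection": None, "private": False}
            nodes.append(cur)
            continue
        if cur is None:
            continue
        m = PROT_RE.match(line)
        if m:
            cur["protection"] = m.group(1)
        elif line.startswith("Flags:") and "PrivateMemory: 1" in line:
            cur["private"] = True
    return nodes


def _addr(a):
    """Accept '0xfffffa80...' strings or ints."""
    return int(a, 16) if isinstance(a, str) else a


def protection_at_node(nodes, node_addr):
    """Q10-style lookup: protection of the VAD whose node structure lives at node_addr."""
    for n in nodes:
        if n["node"] == _addr(node_addr):
            return n["protection"]
    return None


def protection_for_range(nodes, start, end):
    """Q11-style lookup: protection of the VAD covering exactly [start, end]."""
    for n in nodes:
        if n["start"] == _addr(start) and n["end"] == _addr(end):
            return n["protection"]
    return None


def suspicious_private_rwx(nodes):
    """Private (not file-backed) regions mapped PAGE_EXECUTE_READWRITE, the same
    combination malfind keys on when hunting injected code."""
    return [(hex(n["node"]), hex(n["start"]), hex(n["end"])) for n in nodes
            if n["private"] and n["protection"] == "PAGE_EXECUTE_READWRITE"]


if __name__ == "__main__":
    nodes = parse_vadinfo(SAMPLE_VADINFO)
    print(protection_at_node(nodes, "0xfffffa8005b32e40"))
    print(protection_for_range(nodes, "0x0000000002b00000", "0x0000000002b0ffff"))
    print("private RWX regions:", suspicious_private_rwx(nodes))
```

Against the real dump, run `vadinfo -p 3496` into a file rather than grepping with `-A 6`, since the number of lines after a `VAD node` header differs between image-backed and private VADs.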

Q12. There was a VBS script that ran on the machine. What is the name of the script? (submit without file extension)

A. vhjReUDEuumrX

./volatility -f "/home/avi/Downloads/vol/Triage-Memory.mem" --profile=Win7SP1x64 cmdline

Q13. An application was run at 2019-03-07 23:06:58 UTC. What is the name of the program? (Include extension)

A. Skype.exe

./volatility -f "/home/avi/Downloads/vol/Triage-Memory.mem" --profile=Win7SP1x64 shimcache | grep "2019-03-07 23:06:58"

Q14. What was written in notepad.exe at the time when the memory dump was captured?

A. flag

./volatility -f "/home/avi/Downloads/vol/Triage-Memory.mem" --profile=Win7SP1x64 memdump -p 3032 --dump-dir "/home/avi/Downloads/vol/"

strings -e l "/home/avi/Downloads/vol/3032.dmp" | grep 'flag<'
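The `-e l` switch matters here because Notepad keeps its edit buffer as UTF-16LE, so plain `strings` (which looks for runs of single-byte characters) would never see the text. As an added example (not code from the write-up), here is the same scan written in Python: it finds runs of printable ASCII-range characters encoded as two bytes each, which is what `strings -e l` extracts. The sample buffer is constructed; the string it contains is a placeholder, not the challenge's flag.

```python
import mmap
import re

# Constructed sample of process memory: a UTF-16LE window title, some single-byte
# text that must NOT match, a UTF-16LE placeholder flag and a too-short UTF-16LE run.
SAMPLE_DUMP = (
    b"\x00\x01\xfe\xff" + "Untitled - Notepad".encode("utf-16-le")
    + b"\x90\x90\x00\x00" + b"ascii only string" + b"\x00\x00"
    + "flag<constructed-example>".encode("utf-16-le") + b"\xff"
    + "ab".encode("utf-16-le") + b"\x00\x00\x00"
)


def utf16le_strings(data, min_len=4):
    """Yield (offset, text) for every run of at least min_len printable characters
    stored as UTF-16LE (each ASCII byte followed by a NUL), the same rule GNU
    `strings -e l` applies with its default minimum length of 4.
    Scanning every byte offset means odd-aligned runs are found too."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def find_strings(data, needle, min_len=4):
    """The `| grep 'flag<'` half of the pipeline: keep only strings containing needle."""
    return [(off, s) for off, s in utf16le_strings(data, min_len) if needle in s]


def scan_file(path, needle, min_len=4):
    """Run the search over a real memdump without loading it into RAM: the regex
    works directly on a read-only mmap of the file."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return find_strings(mm, needle, min_len)


if __name__ == "__main__":
    for off, s in utf16le_strings(SAMPLE_DUMP):
        print(f"{off:#010x}  {s}")
    print(find_strings(SAMPLE_DUMP, "flag<"))
```

The offset returned with each hit is useful beyond the CTF: fed back into a hex viewer over `3032.dmp` it shows the surrounding buffer, which confirms whether the text is genuinely the editor's contents or just a stray fragment.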

Q15. What is the short name of the file at file record 59045?


./volatility -f "/home/avi/Downloads/vol/Triage-Memory.mem" --profile=Win7SP1x64 mftparser | grep "Record Number: 59045" -A 20

Q16. This box was exploited and is running meterpreter. What was the infected PID?

A. 3496

updated_at 16-07-2022