Challenge Description

We received this memory dump from our client recently. Someone accessed his system when he was not there and he found some rather strange files being accessed. Find those files and they might be useful. I quote his exact statement,

The names were not readable. They were composed of alphabets and numbers but I wasn't able to make out what exactly it was.

Also, he noticed his most loved application that he always used crashed every time he ran it. Was it a virus?

Note-1: This challenge is composed of 3 flags. If you think 2nd flag is the end, it isn’t!! :P

Note-2: There was a small mistake when making this challenge. If you find any string which has the string “L4B_3_D0n3!!” in it, please change it to “L4B_5_D0n3!!” and then proceed.

Note-3: You’ll get the stage 2 flag only when you have the stage 1 flag.


First step: let's get the image info with the imageinfo command, which also tells us which profile to use for the rest of the analysis.

In the second step I use the pslist command to list the processes, and for now I found these suspicious processes.

The cmdscan and consoles commands didn't show anything, so I used the pstree command. Here I can see that two of our suspicious processes, TCPSVCS.exe and WerFault.exe, were spawned by services.exe.

With the cmdline command I found a RAR file. I am going to try to dump this file.

Here I found the file and dumped it.

OK, this RAR archive is password protected. I will use the envars command.

The envars command and some other commands don't help with the password, but I found a file with the iehistory command. The name of this file looks like an encoded string; let's decode it.

And here! There is a flag: “flag{!!w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3!!}”. The description says that there are 3 flags in this lab and that we cannot reach the 2nd stage without the first flag. If we are lucky, this is the first flag.
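To make the decoding step reproducible, here is an added Python example (my own code, not part of the original writeup) that scans a list of file names for ones that look like base64, decodes them, keeps only results that are printable text, and applies the Note-2 correction from the challenge description. The writeup does not say which encoding the file name used, so base64 is an assumption. The input list is constructed: the encoded name is produced by base64-encoding the stage-1 flag spelled with the "L4B_3" typo that Note-2 warns about.

```python
import base64
import binascii
import re
import string

# Constructed sample input (not taken from the memory dump): a few ordinary
# file names plus one whose name is the base64 encoding of the stage-1 flag,
# spelled with the "L4B_3" typo that Note-2 of the challenge warns about.
SAMPLE_FILENAMES = [
    "desktop.ini",
    base64.b64encode(b"flag{!!w3LL_d0n3_St4g3-1_0f_L4B_3_D0n3!!}").decode("ascii"),
    "Thumbs.db",
]

# Only the base64 alphabet, at least 16 characters, optional "=" padding.
BASE64_NAME = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def looks_like_base64(name: str) -> bool:
    """Cheap filter so ordinary names (dots, spaces, short names) are skipped."""
    return bool(BASE64_NAME.match(name))


def decode_name(name: str):
    """Return the decoded text if name is valid base64 of printable ASCII, else None."""
    padded = name + "=" * (-len(name) % 4)  # tolerate names whose padding was stripped
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(ch in PRINTABLE for ch in text) else None


def apply_note2_fix(text: str) -> str:
    """Challenge Note-2: any L4B_3_D0n3!! must be read as L4B_5_D0n3!!."""
    return text.replace("L4B_3_D0n3!!", "L4B_5_D0n3!!")


def find_flags(filenames):
    """Decode every base64-looking name and return the ones that contain a flag."""
    flags = []
    for name in filenames:
        if not looks_like_base64(name):
            continue
        decoded = decode_name(name)
        if decoded and "flag{" in decoded:
            flags.append(apply_note2_fix(decoded))
    return flags


if __name__ == "__main__":
    for flag in find_flags(SAMPLE_FILENAMES):
        print(flag)
```

On a real case the list would come from the iehistory (or filescan) output rather than from SAMPLE_FILENAMES; the printable-text check is what keeps random names that happen to be valid base64 from showing up as false positives.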

Yes! The first flag is the password for the RAR archive.

There was only an image file in the RAR archive, and in it I found the second flag, but the description says there is one more flag.

For the last stage I am going to investigate another suspicious process, NOTEPAD.exe.

I found and dumped the suspicious executable; here I dumped 3 files (I renamed them so they are easier to refer to).

file.dat was the file we were looking for. It was actually an .exe, so I tried to analyze the executable. I used several PE analysis tools, string scanning tools and Detect-It-Easy, but I couldn't find anything. After these attempts I decided to start reverse engineering. After spending some time in Ghidra and IDA Free I found the flag in IDA's Graph View. The last flag was “bios{M3m_l4B5_OVeR_!}”.
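As an added example (my own code, not anything from the writeup or from the challenge binary), here is a Python script that does the first checks I would make on a dumped file like file.dat: confirm it is a PE from the MZ and PE signatures, scan for flag-shaped strings in both ASCII and UTF-16LE, and try to recover strings that were emitted as one-byte stack stores (mov byte ptr [ebp+disp8], imm8, encoded C6 45 disp imm), which is one common reason a strings tool shows nothing while the disassembler shows the value. Whether that is what happened in this binary is an assumption; the writeup only says the flag became visible in IDA's Graph View. The input buffer is constructed inside the script and is not the real file.dat.

```python
import re
import struct

# Flag shapes seen in this lab: flag{...} and bios{...}; no nulls inside.
FLAG_RE = re.compile(rb"(?:flag|bios)\{[^}\x00]{1,80}\}")
# Same shape as UTF-16LE: every ASCII byte followed by a null byte.
WIDE_FLAG_RE = re.compile(
    rb"(?:f\x00l\x00a\x00g\x00|b\x00i\x00o\x00s\x00)\{\x00(?:[^}\x00]\x00){1,80}\}\x00"
)


def is_pe(data: bytes) -> bool:
    """True if the buffer has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def ascii_flags(data: bytes):
    return [m.group(0).decode("ascii") for m in FLAG_RE.finditer(data)]


def wide_flags(data: bytes):
    return [m.group(0).decode("utf-16-le") for m in WIDE_FLAG_RE.finditer(data)]


def stack_strings(data: bytes, min_len: int = 8):
    """Recover strings built one byte at a time with
    mov byte ptr [ebp+disp8], imm8 (bytes C6 45 <disp8> <imm8>).
    Consecutive stores are gathered, ordered by signed displacement, joined."""
    found, i = [], 0
    while i + 4 <= len(data):
        if data[i] == 0xC6 and data[i + 1] == 0x45:
            stores, j = {}, i
            while j + 4 <= len(data) and data[j] == 0xC6 and data[j + 1] == 0x45:
                stores[data[j + 2]] = data[j + 3]
                j += 4
            if len(stores) >= min_len:
                ordered = sorted(stores, key=lambda d: d - 256 if d >= 128 else d)
                found.append(bytes(stores[d] for d in ordered))
            i = j
        else:
            i += 1
    return found


def analyze(data: bytes) -> dict:
    """Run all three checks; stack-string candidates are filtered through FLAG_RE."""
    stack_hits = []
    for blob in stack_strings(data):
        stack_hits.extend(ascii_flags(blob))
    return {"is_pe": is_pe(data), "ascii": ascii_flags(data),
            "wide": wide_flags(data), "stack": stack_hits}


def build_sample() -> bytes:
    """Constructed stand-in for file.dat (NOT the real dump): a minimal MZ/PE
    header, one plain ASCII flag-shaped string, one UTF-16LE one, and the lab's
    last flag stored only as a stack string, which plain strings tools miss."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    plain = b"flag{ascii_example}"
    wide = "flag{wide_example}".encode("utf-16-le")
    secret = b"bios{M3m_l4B5_OVeR_!}\x00"
    stack = b"".join(bytes([0xC6, 0x45, (0xC0 + k) & 0xFF, c]) for k, c in enumerate(secret))
    return bytes(hdr) + plain + b"\x00" + wide + b"\x00\x00" + stack


if __name__ == "__main__":
    print(analyze(build_sample()))
```

To run it on the real dump, pass the file contents instead of the sample, e.g. analyze(open("file.dat", "rb").read()). The stack-string pass only handles the simplest ebp-relative encoding; a compiler that interleaves other instructions or uses a different base register will still need the disassembler, which is exactly the situation described above.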