From a621ab5293863e0f8947eb6c00aa2835328df9d2 Mon Sep 17 00:00:00 2001
From: bl4ck4non <67879936+BlackAnon22@users.noreply.github.com>
Date: Sat, 25 May 2024 17:29:10 +0100
Subject: [PATCH] Update africa_cyberfest.md

---
 posts/CTF Competitions/africa_cyberfest.md | 56 +++++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)

diff --git a/posts/CTF Competitions/africa_cyberfest.md b/posts/CTF Competitions/africa_cyberfest.md
index 3c05291..85aa6b6 100644
--- a/posts/CTF Competitions/africa_cyberfest.md	
+++ b/posts/CTF Competitions/africa_cyberfest.md	
@@ -639,10 +639,64 @@ Now this is more detailed, the first time we checked the proccess running we fou
 
 One thing we can do here is try to dump the process, to do this I actually didn't use volatility3, I used volatility2 and this is because of the ```memdump``` plugin. You can get volatility2 [here](https://github.com/volatilityfoundation/volatility)
 
-command:```python3 vol.py -f ../../../../Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme\?/challenge.vmem windows.dumpfiles.DumpFiles --pid 3044```
+To use volatility2 we'll need the memory profile, we can get this using the ```imageinfo``` plugin
 
+command:```python2 vol.py -f ../../../../Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme\?/challenge.vmem imageinfo```
 
+```
+INFO    : volatility.debug    : Determining profile based on KDBG search...
+          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
+                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
+                     AS Layer2 : FileAddressSpace (/home/bl4ck4non/Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme?/challenge.vmem)
+                      PAE type : No PAE
+                           DTB : 0x187000L
+                          KDBG : 0xf80002a510a0L
+          Number of Processors : 2
+     Image Type (Service Pack) : 1
+                KPCR for CPU 0 : 0xfffff80002a52d00L
+                KPCR for CPU 1 : 0xfffff880009ef000L
+             KUSER_SHARED_DATA : 0xfffff78000000000L
+           Image date and time : 2024-04-25 07:59:23 UTC+0000
+     Image local date and time : 2024-04-25 08:59:23 +0100
+```
+You should get that output, we have different profiles here, lets go with this profile ```Win7SP1x64```
+
+Now that we've goten the profile lets use the memdump plugin to help us dump the ```notepad.exe``` process
+
+command:```python2 vol.py -f ../../../../Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme\?/challenge.vmem --profile=Win7SP1x64 memdump --dump-dir=/home/bl4ck4non/Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme\?/ -p 3044```
+
+```--dump-dir```  specifies the directory where the dumped memory will be saved, in this case, a directory named "/home/bl4ck4non/Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme\?/"
+```-p``` specifies the PID of the process for which to extract the memory dump
+
+```
+β”Œβ”€β”€(bl4ck4nonπŸ‘½bl4ck4non-sec)-[~/Documents/Tools/forensics/volatility]
+└─$ python2 vol.py -f ../../../../Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme\?/challenge.vmem --profile=Win7SP1x64 memdump --dump-dir=/home/bl4ck4non/Downloads/CTF/africa_cyberfest/forensics/mem_mem_meme\? -p 3044  
+Volatility Foundation Volatility Framework 2.6.1
+************************************************************************
+Writing notepad.exe [  3044] to 3044.dmp
+```
+Nice, now lets get our flag
+
+```
+β”Œβ”€β”€(bl4ck4nonπŸ‘½bl4ck4non-sec)-[~/…/CTF/africa_cyberfest/forensics/mem_mem_meme?]
+└─$ ls -la 3044.dmp          
+-rw-r--r-- 1 bl4ck4non bl4ck4non 209444864 May 25 17:18 3044.dmp
+                                                                                                                                                                                                                   
+β”Œβ”€β”€(bl4ck4nonπŸ‘½bl4ck4non-sec)-[~/…/CTF/africa_cyberfest/forensics/mem_mem_meme?]
+└─$ file 3044.dmp              
+3044.dmp: Windows Event Trace Log
+```
+All that's left is to grep the flag out
+
+command:```strings 3044.dmp | grep -i "actf"```
+
+![image](https://github.com/BlackAnon22/BlackAnon22.github.io/assets/67879936/ca1cc2df-3f29-4bd3-8bd6-da2d61c26805)
+
+Yup, that's our flag
+
+FLAG:-```ACTF{Sh4d0w_1nc1d3nt_C0mp1ic4t10n}```
 
+### Intended Method
 
 ---------------------------------------------
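Review bot: the prompt lines in the two new terminal blocks (`β”Œβ”€β”€(bl4ck4nonπŸ‘½bl4ck4non-sec)-[...]`) have come through as mojibake: the UTF-8 box-drawing and emoji characters in the copied zsh prompt were re-encoded as Latin-1 somewhere in the paste, while the `└─$` line of the same prompt survived intact. Either re-paste the prompt as UTF-8 or trim each block to the command and its output, and drop the long run of trailing spaces on the blank line after the `ls -la` output. A few typos in the added prose: "goten" should be "gotten" and "lets" should be "let's" (three places); "proccess" in the unchanged context line at the top of the hunk could be fixed while you are here. Also, in the `--dump-dir` explanation the quoted path keeps the shell escape `\?` that the command line needed; the directory is `.../mem_mem_meme?/`, so quoting it without the backslash avoids suggesting the backslash is part of the name.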