Another CTF writeup from PoseidonCTF by @sousselovectf


We (ByteForc3) got the first blood on this challenge. It was a memory forensics challenge. Starting off with usual Volatility imageinfo to get the profile.

Now as the description said about passwords , Firefox and Google products, So used the obvious plugins. (chromehistory, firefoxhistory and the well known mimikatz :P)

Chrome gave a bunch of googledrive links (A encrypted keepass db). Also Firefox plugin gave no output :( and mimikatz gave the password for the user PoseidonCTF:dVi29Tv8 . (password will be of use in later part :ok)

But this password was not enough to unlock the keepass db. So on further play with volatility plugins. consoles gave a pretty much hint to proceed further.

I cant paste the binary in recyle bin . Now this part contained references to pastebin (the paste and the binary part). Also the password above looked same as pastebin’s bin ID dVi29Tv8.

And it was correct :wink .

Now this had strings seperated by newline and contained a password for the keepass db. keepass2john and JTR with the wordlist above gave us the password.

Opening the db in keepassXC.

Now all the passwords were the pastebin ID’s (also joining all the usernames makes Pastebin/KEY . Now one of the ID had flag and rest were just trolls.

rtLPrXqL this had the real flag image (b64 encoded).