Another CTF writeup from PoseidonCTF by @sousselovectf
We (ByteForc3) got the first blood on this challenge. It was a memory forensics challenge. Starting off with usual Volatility
imageinfo to get the profile.
Now as the description said about passwords , Firefox and Google products, So used the obvious plugins. (
firefoxhistory and the well known
Chrome gave a bunch of googledrive links
https://drive.google.com/file/d/1jYpvi9Va8be022G1SL4xUpEmZoknveTd/view (A encrypted keepass db). Also Firefox plugin gave no output :( and mimikatz gave the password for the user
PoseidonCTF:dVi29Tv8 . (password will be of use in later part :ok)
But this password was not enough to unlock the keepass db. So on further play with volatility plugins.
consoles gave a pretty much hint to proceed further.
I cant paste the binary in recyle bin . Now this part contained references to
pastebin (the paste and the binary part). Also the password above looked same as pastebin’s bin ID
Now this had strings seperated by newline and contained a password for the keepass db.
keepass2john and JTR with the wordlist above gave us the password.
Opening the db in keepassXC.
Now all the passwords were the pastebin ID’s (also joining all the usernames makes
Pastebin/KEY . Now one of the ID had flag and rest were just trolls.
rtLPrXqL this had the real flag image (b64 encoded).