Malware 1/3

Tags: forensics, memory, linux, FCSC 2021

Difficulty: 2 stars

Description

This challenge has been split into three independent steps, but the logical order is as follows: forensics (1) -> pwn (2) -> reverse (3).

/!\ Warning: the attached memory image contains a program that encrypts the file /home/%USER%/Desktop/flag.txt /!\

Oh no! Your precious file flag.txt on your desktop seems to have been encrypted by a malicious program. Your first reaction was to take a memory dump, in case the malware was still running.

Note: the flag follows the format FCSC{sha256(username:hostname:cmdline)}, where username is the name of the user who ran the malware, hostname is the name of the machine on which it was executed, and cmdline is the complete command line that was used to run the malware.
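The note gives the flag as a formula over three artefacts recovered from the memory image. As an added worked example (not part of the challenge page and not the organisers' code), the Python below assembles the flag exactly as the note specifies and also checks the downloaded archive against the SHA-256 printed in the Files section. The two normalisation choices are assumptions, not something the page states: argv recovered from process memory is NUL-separated in the /proc/<pid>/cmdline layout and is joined with single spaces, and a trailing newline on a hostname copied from /etc/hostname is stripped. The sample username, hostname and argv are constructed values, not the real answer.

```python
"""Added example: build FCSC{sha256(username:hostname:cmdline)} and verify the download."""
import hashlib

# SHA-256 printed next to snapshot.sav.tar.xz in the Files section of the page.
SNAPSHOT_SHA256 = "3b87d85f0c748186643f440f162c19f64f9f8d0dce2c3d43d2d07f8ca33e5ffa"


def sha256_hex(text: str) -> str:
    """Lowercase hex SHA-256 over the UTF-8 bytes of text."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def normalize_cmdline(raw: bytes) -> str:
    """Turn argv as it sits in process memory (/proc/<pid>/cmdline layout:
    NUL-separated, NUL-terminated) into one command line.
    Assumption: the expected cmdline is argv joined by single spaces."""
    parts = [p for p in raw.split(b"\x00") if p]
    return " ".join(p.decode("utf-8", errors="replace") for p in parts)


def flag_material(username: str, hostname: str, cmdline: str) -> str:
    """The string that is hashed: username:hostname:cmdline.
    Assumption: stray whitespace (e.g. the newline at the end of a hostname
    copied from /etc/hostname) is not part of the value."""
    return f"{username.strip()}:{hostname.strip()}:{cmdline.strip()}"


def build_flag(username: str, hostname: str, cmdline: str) -> str:
    """FCSC{sha256(username:hostname:cmdline)} as stated in the note."""
    return "FCSC{" + sha256_hex(flag_material(username, hostname, cmdline)) + "}"


def verify_download(path: str, expected_sha256: str = SNAPSHOT_SHA256) -> bool:
    """Hash the archive in 1 MiB chunks (it is about 154 MiB) and compare
    it with the digest published on the page before extracting it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256.lower()


if __name__ == "__main__":
    # Constructed sample values, NOT the real answer to the challenge.
    raw_argv = b"./malware\x00--encrypt\x00/home/alice/Desktop/flag.txt\x00"
    print(build_flag("alice", "workstation\n", normalize_cmdline(raw_argv)))
```

Run verify_download("snapshot.sav.tar.xz") on the real download before unpacking it; the flag itself only comes from the username, hostname and command line you recover from the image.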

Files

  • snapshot.sav.tar.xz
    153.93 MiB – 3b87d85f0c748186643f440f162c19f64f9f8d0dce2c3d43d2d07f8ca33e5ffa

Author

\E



Writeups


Date        Author  Language
2024-05-03  lrstx   French