Resolution :
First of all, we have a file "snapshot.sav" which is a memory dump. We know that this file contains a program which can encrypt "/home/%USER%/Desktop/flag.txt", so it is a Linux memory dump. We need to find the username, the hostname and the command line which encrypts the flag. Let's try to find the command line with strings, grepping for keywords
like malware, admin and fcsc; with fcsc we get an interesting output:
strings snapshot.sav | grep "fcsc"
output :
[ some strings ]
forensics@fcsc2021: ~/Bureau
[ some strings ]
This output looks like a shell command prompt, so let's try with forensics@fcsc2021: :
strings snapshot.sav | grep "forensics@fcsc2021:"
output :
[ some lines ]
forensics@fcsc2021:~/Bureau$ /bin/1 --client -i 192.168.56.103
[ some lines ]
All lines look normal except this one: "forensics@fcsc2021:~/Bureau$ /bin/1 --client -i 192.168.56.103".
Moreover, /bin/1 isn't a usual command...
So we have our hostname: fcsc2021, our username: forensics, and our command line: /bin/1 --client -i 192.168.56.103
python3 -c "import hashlib;print('FCSC{'+hashlib.sha256(b'forensics:fcsc2021:/bin/1 --client -i 192.168.56.103').hexdigest()+'}')"
output :
FCSC{...}
We have our flag, and it works!
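The same triage automated, as an added example that is not part of the original writeup: carve printable strings from the dump the way strings(1) does, match bash-style prompts, flag the command whose program is not a usual interactive one, and build the flag with the challenge's sha256 format. SAMPLE_DUMP and COMMON_COMMANDS are constructed stand-ins, not data from snapshot.sav.

```python
import hashlib
import re

# Constructed stand-in for the interesting bytes of snapshot.sav (not the real dump).
SAMPLE_DUMP = (
    b"\x00\x01\xff junk \x00"
    b"forensics@fcsc2021:~/Bureau$ ls -la\x00\x00"
    b"forensics@fcsc2021:~/Bureau$ /bin/1 --client -i 192.168.56.103\x00"
    b"\x7f\x00 more junk \x00"
    b"forensics@fcsc2021:~/Bureau$ cat notes.txt\n"
)

# Bash-style prompt: user@host:cwd$ command
PROMPT_RE = re.compile(
    r"(?P<user>[a-z_][a-z0-9_-]*)@(?P<host>[A-Za-z0-9.-]+):(?P<cwd>\S+)\$ (?P<cmd>.+)"
)

# Commands a user would normally type interactively (assumed allowlist); anything else is worth a look.
COMMON_COMMANDS = {"ls", "cd", "cat", "pwd", "vim", "nano", "less", "cp", "mv", "rm"}


def extract_strings(data: bytes, min_len: int = 4):
    """Printable-ASCII runs of at least min_len bytes, like the strings(1) default."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_prompt_lines(data: bytes):
    """Return (user, host, cwd, cmd) for every shell prompt found in the dump."""
    hits = []
    for s in extract_strings(data):
        m = PROMPT_RE.search(s)
        if m:
            hits.append((m["user"], m["host"], m["cwd"], m["cmd"].strip()))
    return hits


def suspicious_commands(data: bytes):
    """Keep prompt lines whose program is not a usual interactive command."""
    out = []
    for user, host, cwd, cmd in find_prompt_lines(data):
        program = cmd.split()[0].rsplit("/", 1)[-1]
        if program not in COMMON_COMMANDS:
            out.append((user, host, cmd))
    return out


def make_flag(user: str, host: str, cmd: str) -> str:
    """Flag format used by the challenge: FCSC{sha256("user:host:cmd")}."""
    digest = hashlib.sha256(f"{user}:{host}:{cmd}".encode()).hexdigest()
    return "FCSC{" + digest + "}"
```

Running `suspicious_commands(SAMPLE_DUMP)` keeps only the /bin/1 line, and `make_flag` on that tuple reproduces the python3 one-liner above.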