10.12.2018


GVTs - wearegvts.com
OtterCTF - Memory Forensics - “Play Time”

Volatility is a useful tool for memory forensics.

First, we need to get the profile:
./vol.py -f OtterCTF.vmem imageinfo
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418

Next, list the network connections recorded in the memory image with the netscan plugin, using the profile found above:
./vol.py -f OtterCTF.vmem --profile=Win7SP1x64 netscan

The plugin prints many connections, but the one we are looking for is the TCP connection from the host to a non-local address, owned by LunarMS.exe:
0x7d6124d0         TCPv4    192.168.202.131:49530          77.102.199.102:7575  CLOSED           708      LunarMS.exe
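Picking the interesting row out of a long netscan listing by eye does not scale, so here is an added example (not part of the original write-up, and not a Volatility feature) that parses Volatility 2 netscan output and keeps only rows whose foreign endpoint is a routable public address. The sample output embedded below is constructed: only the LunarMS.exe row comes from the write-up, every other row is made up, and the column layout is assumed to match the Volatility 2 netscan format (offset, protocol, local, foreign, optional TCP state, PID, owner, created).

```python
import ipaddress
import re

# Constructed sample of Volatility 2 "netscan" output. Only the LunarMS.exe row
# is taken from the write-up above; every other row is made up for the example.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d5a8c10         UDPv4    0.0.0.0:5355                   *:*                                   1232     svchost.exe    2018-08-04 19:27:17 UTC+0000
0x7d6124d0         TCPv4    192.168.202.131:49530          77.102.199.102:7575  CLOSED           708      LunarMS.exe
0x7d6a3b50         TCPv4    192.168.202.131:49471          192.168.202.2:445    ESTABLISHED      4        System
0x7d70c410         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        676      svchost.exe
0x7d7f2e80         TCPv6    ::1:49155                      ::1:49156            ESTABLISHED      2044     explorer.exe
"""

# One netscan row: offset, protocol, local and foreign endpoints, an optional
# TCP state (UDP rows have none), then PID and owner. The trailing "Created"
# timestamp, when present, is ignored.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+"
    r"(?P<proto>(?:TCP|UDP)v[46])\s+"
    r"(?P<local>\S+)\s+"
    r"(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+)\s+"
    r"(?P<owner>\S+)"
)


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 literals like '::1:49155' work."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netscan(text):
    """Turn raw netscan output into a list of dicts, skipping the header and blank lines."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        local_ip, local_port = split_endpoint(m.group("local"))
        foreign_ip, foreign_port = split_endpoint(m.group("foreign"))
        rows.append({
            "offset": m.group("offset"),
            "proto": m.group("proto"),
            "local_ip": local_ip,
            "local_port": local_port,
            "foreign_ip": foreign_ip,
            "foreign_port": foreign_port,
            "state": m.group("state"),
            "pid": int(m.group("pid")),
            "owner": m.group("owner"),
        })
    return rows


def is_external(ip_text):
    """True only for a routable public address; '*', 0.0.0.0, RFC1918 and loopback are not."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def external_connections(text):
    """Rows whose foreign endpoint is a public IP: the first candidates to triage."""
    return [row for row in parse_netscan(text) if is_external(row["foreign_ip"])]


if __name__ == "__main__":
    for row in external_connections(SAMPLE_NETSCAN):
        print(f'{row["owner"]} (pid {row["pid"]}) -> '
              f'{row["foreign_ip"]}:{row["foreign_port"]} [{row["state"]}]')
```

On the sample above only the LunarMS.exe row survives the filter; on a real image, feed it the saved netscan output and review whatever remains together with the owning process (pslist/pstree) before treating an address as suspicious.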

So the flags are:
CTF{LunarMS}
CTF{77.102.199.102}