10.12.2018


GVTs - wearegvts.com
OtterCTF - Memory Forensics - “Silly Rick”

Volatility is a useful tool for memory forensics.


First, we need to get the profile:
./vol.py -f OtterCTF.vmem imageinfo
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418

The challenge says: “Silly Rick always forgets his email's password, so he uses a Stored Password Services online to store his password. He always copies and pastes the password so he will not get it wrong. What's Rick's email password?”

Since he copies and pastes it, the password should still be sitting in the clipboard, which Volatility can dump with the clipboard plugin:
./vol.py -f OtterCTF.vmem --profile=Win7SP1x64 clipboard
Volatility Foundation Volatility Framework 2.6
Session    WindowStation Format                         Handle Object             Data                                          
---------- ------------- ------------------ ------------------ ------------------ --------------------------------------------------
        1 WinSta0       CF_UNICODETEXT                0x602e3 0xfffff900c1ad93f0 M@il_Pr0vid0rs                                    
        1 WinSta0       CF_TEXT                          0x10 ------------------                                                  
        1 WinSta0       0x150133L              0x200000000000 ------------------                                                  
        1 WinSta0       CF_TEXT                           0x1 ------------------                                                  
        1 ------------- ------------------           0x150133 0xfffff900c1c1adc0                                    

So the flag is:
CTF{M@il_Pr0vid0rs}
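As an added example (not part of the original writeup), a small Python script that automates the two steps above: it parses the imageinfo output to pick the first suggested profile, then parses the clipboard table to pull out the text-format entries, which is where a copy-pasted secret lands. The sample output embedded in it is copied from this writeup so it runs offline; `vol.py` on PATH is assumed only when an image path is passed on the command line.

```python
"""Parse Volatility 2 text output for the two steps in this writeup:
imageinfo (to choose a profile) and clipboard (to recover pasted text)."""
import re
import subprocess
import sys

# Sample output copied from the writeup above, embedded so the script runs offline.
IMAGEINFO_OUT = """Volatility Foundation Volatility Framework 2.6
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
"""
CLIPBOARD_OUT = """Volatility Foundation Volatility Framework 2.6
Session    WindowStation Format                         Handle Object             Data
---------- ------------- ------------------ ------------------ ------------------ ------
         1 WinSta0       CF_UNICODETEXT                0x602e3 0xfffff900c1ad93f0 M@il_Pr0vid0rs
         1 WinSta0       CF_TEXT                          0x10 ------------------
         1 WinSta0       0x150133L              0x200000000000 ------------------
         1 ------------- ------------------           0x150133 0xfffff900c1c1adc0
"""
# One clipboard row: session, window station, format, handle, object, then free text.
# Header and dash separator lines do not start with a digit, so they never match.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*?)\s*$")

def suggested_profiles(imageinfo_text):
    """Return the profiles imageinfo proposes, in the order it printed them."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_text)
    return [p.strip() for p in m.group(1).split(",")] if m else []

def _clean(value):
    """Volatility prints a run of dashes for an empty cell; map that to None."""
    return None if set(value) == {"-"} else value

def clipboard_entries(clipboard_text):
    """Return one dict per clipboard row with placeholders normalised to None."""
    rows = []
    for line in clipboard_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        sess, station, fmt, handle, obj, data = m.groups()
        rows.append({"session": int(sess), "station": _clean(station), "format": _clean(fmt),
                     "handle": handle, "object": _clean(obj), "data": data or None})
    return rows

def pasted_text(clipboard_text):
    """Only the text clipboard formats carry a pasted string; return those payloads."""
    return [r["data"] for r in clipboard_entries(clipboard_text)
            if r["format"] in ("CF_UNICODETEXT", "CF_TEXT") and r["data"]]

def run_vol(image, *args):
    """Shell out to Volatility 2 (assumes vol.py is on PATH); only used from main."""
    return subprocess.run(["vol.py", "-f", image, *args],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    image = sys.argv[1] if len(sys.argv) > 1 else None  # no argument: use embedded sample
    info = run_vol(image, "imageinfo") if image else IMAGEINFO_OUT
    profile = suggested_profiles(info)[0]
    clip = run_vol(image, "--profile=" + profile, "clipboard") if image else CLIPBOARD_OUT
    for text in pasted_text(clip):
        print("CTF{%s}" % text)
```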