PearlCTF 2024: The-3-Fragmenteers [Forensics] WriteUp

This was my second shot at a CTF competition and I’m proud of solving a challenge outside my usual comfort zone. My team was astralis — me (prix) and my mate Darsh Patel (trench).

The Challenge

[Image: The-3-Fragmenteers challenge description]

The download was a .7z archive containing a memory dump: dump_3.raw.

Getting Started with Volatility3

Initial image analysis:

python3 vol.py -f dump_3.raw windows.info
[Screenshot: Volatility3 windows.info output confirming a Windows memory image]

Confirmed it was a Windows memory image. windows.info also reports the kernel version, architecture and the symbol table Volatility will use for every later plugin, so it is worth checking that it resolved correctly before running anything else.

Scanning for Files

python3 vol.py -f dump_3.raw windows.filescan > filescan.txt
[Screenshot: filescan.txt output listing the file objects found in the memory dump]

Searched through the output for .txt files and found three suspiciously named files:

[Screenshots: suspicious.txt, afsidasbjdbkgewfsdf.txt and a base64-encoded filename, each found in the filescan output]

Extracting the Files

Dumped each file by its virtual address. The Offset column from filescan is the address of the file object, which is exactly what --virtaddr expects; each recovered file is written to the working directory as a .dat file:

python3 vol.py -f dump_3.raw windows.dumpfiles --virtaddr 0xe38e74c110f0
python3 vol.py -f dump_3.raw windows.dumpfiles --virtaddr 0xe38e7500d270
python3 vol.py -f dump_3.raw windows.dumpfiles --virtaddr 0xe38e740b1c70
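The triage in the two steps above (grep the filescan listing for .txt names, spot the odd ones, dump each by offset) can be scripted. The block below is an added example for this writeup, not code from the original post or from Volatility3: it parses the tab-separated Offset/Name/Size rows that windows.filescan prints, keeps the .txt entries, flags any whose file name is itself valid base64 (the trick the third file used), and emits the matching windows.dumpfiles commands. The listing it runs on is constructed: the three offsets are the ones dumped above, but the post does not say which offset belongs to which name, so that pairing and the base64 file name ZnJhZ21lbnQz.txt are made up.

```python
"""Triage a Volatility3 windows.filescan listing for .txt files and emit the
windows.dumpfiles commands for each hit.  Added example for this writeup,
not code from the original post or from Volatility3 itself."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of filescan output.  The tab-separated Offset/Name/Size
# layout is Volatility3's default text renderer; the three 0xe38e... offsets
# are the ones dumped in the writeup, but which offset belongs to which file
# name is not stated there, so that pairing (and the base64 name) is made up.
FILESCAN_SAMPLE = (
    "Volatility 3 Framework 2.5.2\n"
    "\n"
    "Offset\tName\tSize\n"
    "\n"
    "0xe38e74c110f0\t\\Users\\ctf\\Desktop\\suspicious.txt\t0x89\n"
    "0xe38e7500d270\t\\Users\\ctf\\Desktop\\afsidasbjdbkgewfsdf.txt\t0x6c\n"
    "0xe38e740b1c70\t\\Users\\ctf\\Desktop\\ZnJhZ21lbnQz.txt\t0x40\n"
    "0xe38e7429aa10\t\\Windows\\System32\\drivers\\etc\\hosts\t0x33a\n"
    "0xe38e74d01b80\t\\Windows\\Logs\\readme.txt\t0x1f0\n"
)

# One data row: hex offset, backslash path, hex size.  Banner, header and
# progress lines do not start with 0x and are skipped.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\t(.+?)\t(0x[0-9a-fA-F]+)\s*$")


@dataclass
class FileHit:
    offset: int   # file object virtual address, what --virtaddr expects
    path: str
    size: int

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_filescan(text: str) -> List[FileHit]:
    hits = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            hits.append(FileHit(int(m.group(1), 16), m.group(2), int(m.group(3), 16)))
    return hits


def txt_candidates(hits: List[FileHit]) -> List[FileHit]:
    """The manual step in the writeup: narrow the listing to .txt files."""
    return [h for h in hits if h.name.lower().endswith(".txt")]


def base64_stem(name: str) -> Optional[str]:
    """Return the decoded text if the name (minus extension) is strict base64
    that decodes to printable ASCII, else None.  Catches names like the third
    file's, which hid its meaning in the file name rather than the content."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 4 or len(stem) % 4:
        return None
    try:
        raw = base64.b64decode(stem, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def dumpfiles_commands(hits: List[FileHit], image: str = "dump_3.raw") -> List[str]:
    return [
        f"python3 vol.py -f {image} windows.dumpfiles --virtaddr {h.offset:#x}"
        for h in hits
    ]


if __name__ == "__main__":
    candidates = txt_candidates(parse_filescan(FILESCAN_SAMPLE))
    for hit in candidates:
        decoded = base64_stem(hit.name)
        tag = f"  (base64 name -> {decoded!r})" if decoded else ""
        print(f"{hit.offset:#x}  {hit.size:>6}  {hit.path}{tag}")
    print("\n".join(dumpfiles_commands(candidates)))
```

Run it against the real filescan.txt by reading the file into parse_filescan instead of FILESCAN_SAMPLE; the base64 check is deliberately strict (length a multiple of four, no stray characters, printable result) so ordinary names such as readme.txt are not flagged.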

Following the Trail

File 1 (suspicious.txt): contained a Mega.nz link and a riddle. The password for the .rar hosted at that link was reflection. Inside the archive were hint1.txt and xaa.unknown.

[Screenshots: suspicious.txt showing the Mega.nz link and riddle; hint1.txt hinting at the Desktop location]

File 2 (afsidasbjdbkgewfsdf.txt): contained hex data. Decoding it with Cryptii revealed another Mega.nz link, this one hosting xab.unknown, plus a hint that the third file's name is base64-encoded.

[Screenshot: hex-decoded output showing the second Mega.nz link]

File 3: its file name was the base64 string. Decoding it gave the final Mega.nz link, which hosted xac.unknown.

[Screenshot: base64-decoded output showing the third Mega.nz link]

Reassembling the Fragments

Merged the three files in name order. xaa, xab, xac is the naming sequence split(1) gives its output chunks, so concatenating them alphabetically restores the original byte order, and file identified the result as a PDF:

cat xaa.unknown xab.unknown xac.unknown > newfile
file newfile
[Screenshot: cat and file commands confirming the merged file is a PDF]
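The same checks done with a script, covering both the decoding in "Following the Trail" and the reassembly above. This is an added example for this writeup, not the author's code: the hex string, the three fragments and the tiny PDF they are cut from are constructed stand-ins for the challenge data, no Mega.nz links are reproduced, and the magic-byte table is a short subset of what the file command consults. It shows the two things worth verifying before opening a reassembled file: that the fragments go back together in split(1) name order, and that the result both starts with the format's header and still has its trailer, which is how you know no fragment is missing.

```python
"""Decode the hex hint and put the split file back together.  Added example
for this writeup; the hex string, fragments and PDF are constructed, not the
challenge's real data."""
import math
import re
from typing import Dict, List

# Constructed stand-in for file 2's hex content (the real one held a Mega.nz
# link).  Spaces between bytes are tolerated, as Cryptii's output has them.
HEX_SAMPLE = "6e 65 78 74 3a 20 78 61 62 2e 75 6e 6b 6e 6f 77 6e"

# Constructed minimal PDF standing in for the real split document.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# First bytes of the formats a CTF fragment most often turns out to be; the
# `file` command does the same lookup against a far larger table.
MAGIC = [
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also docx/xlsx/jar/apk)"),
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "PE/DOS executable"),
]

URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def hex_to_text(hex_string: str) -> str:
    """The Cryptii step: hex digits (spaces optional) to text."""
    return bytes.fromhex("".join(hex_string.split())).decode("utf-8", errors="replace")


def extract_urls(text: str) -> List[str]:
    return URL_RE.findall(text)


def identify(data: bytes) -> str:
    for magic, description in MAGIC:
        if data.startswith(magic):
            return description
    return "unknown"


def split_like_split(data: bytes, parts: int = 3) -> Dict[str, bytes]:
    """Cut data into chunks named xaa, xab, xac ... the way split(1) does, so
    the sample can be reassembled exactly like the challenge fragments."""
    chunk = math.ceil(len(data) / parts)
    return {
        f"xa{chr(ord('a') + i)}.unknown": data[i * chunk:(i + 1) * chunk]
        for i in range(parts)
    }


def reassemble(fragments: Dict[str, bytes]) -> bytes:
    """split(1) names chunks in lexical order, so sorting the names restores
    the original byte order regardless of the order they were downloaded in."""
    return b"".join(fragments[name] for name in sorted(fragments))


def is_complete_pdf(data: bytes) -> bool:
    """Header present and the %%EOF marker in the tail: a cheap check that no
    fragment is missing before opening the file in a viewer."""
    return data.startswith(b"%PDF-") and b"%%EOF" in data[-1024:]


if __name__ == "__main__":
    hint = hex_to_text(HEX_SAMPLE)
    print("hint:", hint, "urls:", extract_urls(hint))
    parts = split_like_split(SAMPLE_PDF)
    for name in ("xac.unknown", "xaa.unknown", "xab.unknown"):   # out of order on purpose
        print(f"{name}: {len(parts[name])} bytes, looks like {identify(parts[name])}")
    merged = reassemble(parts)
    print("merged:", identify(merged), "complete:", is_complete_pdf(merged))
```

Only the first fragment carries the %PDF- header, which is why file reports the others as data; the trailer check is the one to keep in your toolbox, since a truncated PDF still identifies as a PDF but will not open.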

Opened the PDF and found the flag inside:

[Screenshot: PDF contents showing the flag]

FLAG: pearl{f1l3_15_n0t_br0k3_c0mpl3t3ly}

