📋 Challenge Description
A suspicious process was running on a compromised system before it was shut down. A memory dump was captured for forensic analysis. Your task is to analyze the memory dump, identify the malicious process, and extract the hidden flag from its memory space.
Objective: Use forensic tools to examine the memory dump and recover the flag.
📊 Memory Dump (Partial View)
0x00401000: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x00401010: b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x00401020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00401030: 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 ................
0x00402000: 43 54 46 7b 6d 33 6d 30 72 79 5f 66 30 72 33 6e CTF{m3m0ry_f0r3n
0x00402010: 73 31 63 73 5f 34 6e 34 6c 79 73 31 73 7d 00 00 s1cs_4n4lys1s}..
0x00402020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00403000: 48 65 6c 6c 6f 20 57 6f 72 6c 64 00 00 00 00 00 Hello World.....
Running Processes:
PID: 4 - System (Normal)
PID: 1234 - explorer.exe (Normal)
PID: 2456 - chrome.exe (Normal)
PID: 6789 - svchost32.exe (Suspicious - Unusual name)
PID: 3456 - notepad.exe (Normal)
💡 Investigation Hints:
1. Memory Dump Analysis: Look at the hex dump above: the flag is visible in the hex bytes at addresses 0x00402000-0x00402010 (it continues across the two lines)
2. Hex to ASCII: Convert hex values to ASCII: 43 54 46 = "CTF"
3. Use Tools: Click "Search for CTF Flag" or "Hex to ASCII Converter" to extract the flag
4. Suspicious Process: Check PID 6789 - svchost32.exe is not a legitimate Windows process
5. String Scanning: The flag is stored as a plaintext string in memory
6. Manual Extraction: Read the highlighted hex bytes in the memory dump and convert to ASCII
Flag Format: CTF{...}
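The manual approach in hints 1, 2, 5 and 6, as an added Python example that is not part of the challenge page: it parses the partial dump above (DUMP is a constructed copy of the page's hex lines), merges lines whose addresses are consecutive so a string that crosses a line boundary is not cut in two, then runs a strings(1)-style scan and a CTF{...} search over the reconstructed bytes.

```python
import re

# Constructed copy of the partial dump shown on the page: address, 16 hex bytes, ASCII column.
DUMP = """\
0x00401000: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x00401010: b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x00401020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00401030: 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 ................
0x00402000: 43 54 46 7b 6d 33 6d 30 72 79 5f 66 30 72 33 6e CTF{m3m0ry_f0r3n
0x00402010: 73 31 63 73 5f 34 6e 34 6c 79 73 31 73 7d 00 00 s1cs_4n4lys1s}..
0x00402020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00403000: 48 65 6c 6c 6f 20 57 6f 72 6c 64 00 00 00 00 00 Hello World.....
"""

# Address, then up to 16 "xx " hex pairs; the ASCII column is ignored because it
# replaces non-printable bytes with '.' and so cannot be trusted as data.
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{2}\s+){1,16})")
FLAG_RE = re.compile(rb"CTF\{[^}\x00]{1,64}\}")


def parse_dump(text):
    """Return a list of (start_address, bytes) regions decoded from the hex column.
    Lines whose address directly follows the previous line are merged into one
    region, so the flag split over 0x00402000/0x00402010 stays contiguous."""
    regions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, data = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if regions and regions[-1][0] + len(regions[-1][1]) == addr:
            start, prev = regions[-1]
            regions[-1] = (start, prev + data)   # contiguous: extend the region
        else:
            regions.append((addr, data))         # gap in the dump: new region
    return regions


def extract_strings(regions, min_len=4):
    """strings(1)-style scan: every run of printable ASCII of at least min_len bytes."""
    found = []
    for start, data in regions:
        for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
            found.append((start + m.start(), m.group().decode("ascii")))
    return found


def find_flags(regions):
    """Search the reconstructed bytes for the CTF{...} flag format."""
    return [(start + m.start(), m.group().decode("ascii"))
            for start, data in regions for m in FLAG_RE.finditer(data)]
```

Running find_flags(parse_dump(DUMP)) reports the flag at 0x00402000; searching each dump line on its own finds nothing, which is why the merge step matters.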