Pulkit-230809

week-2/Part2.md

@@ -0,0 +1,61 @@
+### MemLabs Challenges
+
+```bash
+# MemLabs Lab 0
+volatility -f Challenge.raw imageinfo
+volatility -f Challenge.raw --profile=Win7SP1x86 pslist
+volatility -f Challenge.raw --profile=Win7SP1x86 cmdscan
+# Output: C:\Python27\python.exe C:\Users\hello\Desktop\demon.py.txt
+volatility -f Challenge.raw --profile=Win7SP1x86 consoles
+volatility -f Challenge.raw --profile=Win7SP1x86 envars
+volatility -f Challenge.raw --profile=Win7SP1x86 hashdump
+# Flag: flag{you_are_good_but1_4m_b3tt3r}
+
+# MemLabs Lab 1
+volatility -f MemoryDump_Lab1.raw imageinfo
+volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist
+volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 procdump -p <process-id> --dump-dir <directory>
+volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 cmdscan
+volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 console
+# Flag: flag{th1s_1s_th3_1st_st4g3!!}
+
+# MemLabs Lab 2
+volatility -f MemoryDump_Lab2.raw imageinfo
+volatility -f MemoryDump_Lab2.raw --profile=Win7SP1x64 pslist
+volatility -f MemoryDump_Lab2.raw --profile=Win7SP1x64 filescan | grep kdbx
+volatility -f MemoryDump_Lab2.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fb112a0 --dump-dir <directory>
+volatility -f MemoryDump_Lab2.raw --profile=Win7SP1x64 envars
+# Flag: flag{w3lc0m3_T0_$T4g3_!_Of_L4B_2}
+
+# MemLabs Lab 3
+volatility -f MemoryDump_Lab3.raw imageinfo
+volatility -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 pstree
+volatility -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 cmdline
+volatility -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 filescan > mem3_filescan.txt
+volatility -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003de1b5f0 -D
+volatility -f MemoryDump_Lab3.raw --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000003e727e50 -D
+# Flag: inctf{0n3_h4lf_1s_n0t_3n0ugh}
+
+# MemLabs Lab 4
+volatility -f MemoryDump_Lab4.raw imageinfo
+volatility -f MemoryDump_Lab4.raw --profile=Win7SP1x64 pslist
+vol.py -f MemoryDump_Lab4.raw --profile=Win7SP1x64 mftparser > mem4_mft.txt
+volatility -f MemoryDump_Lab4.raw --profile=Win7SP1x64 mftparser > mft.txt
+# Flag: inctf{1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3}
+
+# MemLabs Lab 5
+volatility -f MemoryDump_Lab5.raw imageinfo
+volatility -f MemoryDump_Lab5.raw --profile=Win7SP1x64 pslist
+volatility -f MemoryDump_Lab5.raw --profile=Win7SP1x64 cmdline
+volatility -f MemoryDump_Lab5.raw --profile=Win7SP1x64 netscan
+volatility -f MemoryDump_Lab5.raw --profile=Win7SP1x64 iehistory
+# Flag: flag{!!_w3LL_d0n3_St4g3–1_0f_L4B_5_D0n3_!!}
+
+# MemLabs Lab 6
+volatility -f MemoryDump_Lab6.raw imageinfo
+volatility -f MemoryDump_Lab6.raw --profile=Win7SP1x64 pslist
+volatility -f MemoryDump_Lab6.raw --profile=Win7SP1x64 cmdline
+volatility -f MemoryDump_Lab6.raw --profile=Win7SP1x64 filescan > mem6_filescan.txt
+volatility -f MemoryDump_Lab6.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000005fcfc4b0 -D
+volatility -f MemoryDump_Lab6.raw --profile=Win7SP1x64 consoles
+# Flag: inctf{thi5cH4LL3Ng3_!s_g0nn4_b3_?_aN_Am4zINg_!_i_gU3Ss???}

week-2/Part3.md

@@ -0,0 +1,35 @@
+### Exercises and Solutions
+
+**Exercise 001:**  
+Coordinates: 16.61, -11.40  
+
+**Exercise 002:**  
+Finders Street Railway Station  
+Focus Building, 167 m  
+
+**Exercise 003:**  
+Palace of Presidency of Turkey  
+Coordinates: 39.93, -32.89  
+
+**Exercise 004:**  
+Oan Resort  
+Coordinates: 7.36, 151.75  
+Direction: North  
+
+**Exercise 005:**  
+San Diego  
+Temperature: 62°F  
+Coordinates: 32.7, -117.1  
+
+**Exercise 006:**  
+No, this photo is not correct, as the same image can be found in different places.  
+
+**Exercise 007:**  
+Lisbon  
+Year: 2019  
+Website: [www.tutankamon.pt](http://www.tutankamon.pt)  
+
+**Exercise 008:**  
+Shen's Performance  
+Date: 7 Jan 2023  
+Venue: Chrysler Hall  

week-2/part1.md

@@ -0,0 +1,86 @@
+### Challenge 1: Equation
+Use `exiftool` to find the flag hidden in the comment section. The flag format is `CTFlearn{I_Like_Math_x_y}`, where `x` and `y` satisfy the equations:  
+- \(3x + 5y = 31\)  
+- \(7x + 9y = 59\)  
+
+The solution is \(x = 2\) and \(y = 5\).
+
+**Flag:** `CTFlearn{I_Like_Math_2_5}`
+
+---
+
+### Challenge 2: Corruption?
+The correct file signature for a GIF is `"47 49 46 38 39 61"`. The given file signature shows only `"39 61"`, so we need to add the missing bytes. Once fixed, the file contains a Base64-encoded flag:  
+`ZmxhZ3tnMWZfb3JfajFmfQ==`
+
+**Flag:** `flag{g1f_or_j1f}`
+
+---
+
+### Challenge 3: Santa's Secrets
+Use `binwalk` on the file `3.png` to extract the hidden content. This will recover the original file along with another image, `1.png`, which is an edited version containing noise.
+
+
+### Challenge 7: Spectrogram Clue
+
+```bash
+# Step 1: Analyze the zip file
+strings message.zip
+# Output: seeingisbelieving/help.me
+
+# Step 2: Extract the zip file
+unzip message.zip
+
+# Step 3: Navigate to the extracted folder
+cd seeingisbelieving/help.me
+
+# Step 4: Analyze the file format
+xxd help.me
+# Observed: File is an OGG audio file
+
+# Step 5: Rename the file to .ogg
+mv help.me help1.ogg
+
+# Step 6: Open the file in Sonic Visualizer
+# Add a spectrogram layer to reveal the hidden QR code.
+
+# Step 7: Scan the QR code
+# The QR code links to a pastebin URL.
+
+# Flag
+the_flag_is{A_sP3c7r0grAm?!}
+```
+
+
+### Challenge 8: Communication Lost 2
+
+```bash
+# Analyzed the spectrogram but found nothing suspicious.
+# Tried other usual techniques, but no significant findings.
+```
+
+### Challenge 9: The Wanderer
+
+```bash
+# Used Stegseek to brute force the passphrase for image.jpg
+sudo stegseek --crack image.jpg wordlist.txt cracked.txt
+
+# Output:
+# [i] Found passphrase: "urahara1"
+# [i] Original filename: "flag.txt".
+# [i] Extracting to "cracked.txt".
+
+# Flag
+0xL4ugh{W4RM_UP_STE94N0_G0OD_J0B}
+```
+
+### Challenge 10: Pokemon
+
+```
+# Analyzed the spectrogram and noticed a suspicious pattern at the start of the waveform.
+# The pattern resembled dots and dashes, indicating Morse code.
+# Decoded the pattern using an online Morse code translator, revealing the flag.
+```
+# Flag
+MORSECODEFTW
+```