OtterCTF 2018 Memory Forensics Write-up (Part II)
I suppose you have already taken a look at my Memory Forensics Write-up (Part 1); if not, you can check it out here. Having said that, let’s get hunting flags.
So Rick loves playing online games :) If we take a close look at the netscan results, one process stands out:
Yup, “LUNARMS.exe”. It had an established TCPv4 connection between the local host and a remote server (77.102.199.102).
Flag 1: CTF{LunarMS}
Flag 2: CTF{77.102.199.102}
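Picking the interesting socket out of netscan by eye works on a small image, but it is worth having a filter that does it for you: keep only ESTABLISHED connections whose foreign address is routable (not private, loopback or unspecified) and report the owning process. The following is an added example, not code from the write-up or from Volatility. The sample rows are constructed in the column layout of Volatility 2's netscan output; the process name and remote address are the ones from the write-up, while the offsets, ports and PIDs are made up for illustration.

```python
import ipaddress
import re

# Constructed sample in the column layout of Volatility 2's netscan plugin
# (Offset(P) Proto Local Address Foreign Address State Pid Owner Created).
# Process name and remote IP come from the write-up; offsets, ports and PIDs
# are invented here and are NOT the OtterCTF image's real output.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d0ed010         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        716      svchost.exe
0x7d3a4b30         UDPv4    0.0.0.0:5355                   *:*                                   1032     svchost.exe    2018-08-04 19:26:14 UTC+0000
0x7d6aa1a0         TCPv4    192.168.202.131:49530          77.102.199.102:7575  ESTABLISHED      708      LunarMS.exe
0x7d7f2c40         TCPv4    192.168.202.131:49531          192.168.202.1:445    ESTABLISHED      4        System
0x7d8b1e20         TCPv6    -:0                            -:0                  ESTABLISHED      1336     wininit.exe
"""

# One netscan row. State is optional because UDP rows leave the column empty,
# which shifts everything after it when you split on whitespace naively.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+"
    r"(?P<proto>TCPv4|TCPv6|UDPv4|UDPv6)\s+"
    r"(?P<local>\S+)\s+"
    r"(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<pid>\d+)\s+"
    r"(?P<owner>\S+)"
)


def parse_netscan(text):
    """Parse netscan output into a list of dicts; header and junk lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def split_endpoint(endpoint):
    """Split 'ip:port' (IPv6 included) into (host, port) at the last colon."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def is_external(host):
    """True only for a parseable, globally routable address ('-', '*', RFC1918 etc. are False)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_unspecified or ip.is_link_local)


def established_external(text):
    """Return (owner, pid, remote_ip, remote_port) for ESTABLISHED sockets to external hosts."""
    hits = []
    for row in parse_netscan(text):
        if row["state"] != "ESTABLISHED":
            continue
        host, port = split_endpoint(row["foreign"])
        if is_external(host):
            hits.append((row["owner"], int(row["pid"]), host, int(port)))
    return hits


if __name__ == "__main__":
    for owner, pid, ip, port in established_external(SAMPLE_NETSCAN):
        print(f"{owner} (pid {pid}) -> {ip}:{port}")
```

Feed it the real plugin output with `established_external(open("netscan.txt").read())`. The SMB connection to 192.168.202.1 in the sample is dropped as private, which is exactly the kind of noise that hides the one outbound game-server socket in a long listing.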
So the account was logged into a channel called Lunar-3. Let us try and grep the regions around “Lunar-3” in the memory image, with five lines of context on each side:
$ strings OtterCTF.vmem | grep -B 5 -A 5 "Lunar-3"
disabled
mouseOver
keyFocused
Lunar-3
0tt3r8r33z3
Sound/UI.img/
BtMouseClick
Lunar-4
Lunar-1
--
“0tt3r8r33z3” is the required account name.
Flag: CTF{0tt3r8r33z3}
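One caveat on the `strings | grep` approach above: by default `strings` only reports single-byte printable runs, and much of what a Windows process keeps in memory is UTF-16LE (run `strings -el` as well, or you will miss it). The function below is an added example, not code from the write-up: it reproduces the `grep -B/-A` context window over printable runs in a raw image while extracting both ASCII and UTF-16LE strings, so a hit in either encoding is shown with its neighbours. The byte blob is constructed for the demo (the ASCII part mirrors the grep output above; the UTF-16LE part, including the token `ChannelList`, is invented) and is not real image data.

```python
import re


def _utf16(s):
    return s.encode("utf-16-le")


# Constructed stand-in for a slice of the memory image: printable strings in both
# encodings separated by binary junk. NOT real bytes from OtterCTF.vmem; the
# UTF-16LE tail (including "ChannelList") is invented for the demonstration.
SAMPLE_IMAGE = (
    b"\x00\x00\x90\x90" + b"disabled\x00" + b"\x01\x02" + b"mouseOver\x00"
    + b"keyFocused\x00" + b"Lunar-3\x00" + b"0tt3r8r33z3\x00" + b"\x7f\x80"
    + b"Sound/UI.img/\x00" + b"BtMouseClick\x00" + b"Lunar-4\x00"
    + b"\x00" * 16
    + _utf16("Lunar-3") + b"\x00\x00" + _utf16("ChannelList") + b"\x00\x00"
)


def extract_strings(data, min_len=4):
    """Return [(offset, encoding, text)] for every printable run of at least
    min_len characters, ASCII and UTF-16LE, sorted by offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_run.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def grep_context(data, needle, before=5, after=5, min_len=4):
    """Equivalent of `strings image | grep -B before -A after needle`, but over
    both encodings. Returns one window per hit; each window is a list of
    (offset, encoding, text) with the matching run in the middle."""
    runs = extract_strings(data, min_len)
    windows = []
    for i, (_, _, text) in enumerate(runs):
        if needle in text:
            windows.append(runs[max(0, i - before): i + after + 1])
    return windows


if __name__ == "__main__":
    for window in grep_context(SAMPLE_IMAGE, "Lunar-3", before=1, after=1):
        for offset, enc, text in window:
            print(f"0x{offset:08x} {enc:8} {text}")
        print("--")
```

On a real image, pass the file through `mmap` rather than `read()` so a multi-gigabyte dump is not copied into memory, and widen `min_len` if short runs drown the output. The second window in the demo is the UTF-16LE copy of the channel name, which plain `strings` would never have shown.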
You just read Frost Bite. Hope you enjoyed it…