Anantya ByteMe CTF Writeup Series: Ashes of The Realm

-

 


Welcome Back to the Official Write-Up Series of ByteMe CTF!

The OWASP PCCOE Student Chapter is turning up the technical heat for our 9th write-up. We are moving from the persistent records of the Citadel into the flickering, volatile world of Memory Forensics with Ashes of The Realm. This challenge tests a hunter's ability to find truth when the disk itself has been turned to ash.

Category: Forensics

Difficulty: Hard

Author: Sarthak Warale

Theme: Game of Thrones / Volatile Memory


Challenge Summary: The Invisible Trail

In this scenario, all persistent data—files, logs, and records—has been destroyed. The only surviving evidence exists in volatile memory (RAM), specifically preserved within active shell sessions at the time the system was "captured."

Participants were provided with a Linux memory dump: memdump.lime.


Tools & Setup: Volatility 3

To analyze a memory dump, the gold standard is Volatility 3. However, this challenge presented a specific hurdle: the default symbols didn't match the kernel of the dump. Participants had to point Volatility to an external Intermediate Symbol File (ISF) source to translate the raw memory bytes into meaningful process data.

The Execution Command:

Bash
python3 vol.py \
--remote-isf-url "https://github.com/Abyss-W4tcher/volatility3-symbols/raw/master/banners/banners.json" \
-f memdump.lime linux.pslist


1. Identifying Interactive Shells

The first step was to see who was "awake" when the memory was dumped. By running the linux.pslist plugin, we revealed multiple active bash processes. This confirmed that several shell sessions were open, potentially holding the commands executed by the user.


2. Extracting "Words Spoken" in Memory

A key hint in the challenge suggested that "words spoken were preserved." In forensics, this points toward the Bash Command History. While .bash_history on disk might be deleted, the commands currently residing in the shell's memory buffer remain until the process is terminated.

Using the linux.bash plugin, we extracted these in-memory buffers:

Bash
python3 vol.py \
--remote-isf-url "[URL]" \
-f memdump.lime linux.bash.Bash


3. Analyzing the Bash Output

The output revealed a sequence of commands that looked ordinary at first glance, but contained hidden fragments:

  1. exec -a "ByteMe{wh4t_1s_" sleep 9999

  2. echo "d34d_n3v3r"

  3. touch ~/Desktop/l34v3s_th3_m3m0ry}

By piecing together the process name from the exec command, the echoed string, and the filename from the touch command, the flag emerged from the ashes.


Final Answer (Flag)

Flag: ByteMe{wh4t_1s_d34d_n3v3r_l34v3s_th3_m3m0ry}


Key Takeaways

  • Volatility is Key: When the disk is wiped, RAM is often the only place where the "truth" survives.

  • The exec -a Trick: Adversaries (and CTF creators) often use the -a flag in exec to change the process name appearing in the process list—a great place to hide data.

  • Symbol Management: Forensics isn't just about running tools; it's about configuring them to understand the specific environment you are investigating.

What is dead may never die, but it surely leaves a trace in the memory.

Comments

Post a Comment

Popular posts from this blog

CyberKavach QuestCon Series: Upside-Down Vault

-
Image
  🧩 CTF Write-Up: Upside-Down Vault Author: Sai Veer Flag Format: QUESTCON{...} Challenge Type: Multi-Layer Crypto + Stego + Web Service Difficulty: Medium–Hard 🗃️ Files Provided encrypted_flag.bin layer1_puzzle.json layer2_blob.json layer2.enc privkey.enc vault.py vault_pub.pem vault_secret.png 🧠 Challenge Overview The challenge consists of: 3 cryptographic layers 1 steganographic HMAC extraction 1 server verification stage The flag is revealed only after: Extracting the hidden HMAC secret from vault_secret.png . Solving all cryptographic layers. Using the recovered secrets to correctly sign and “seal” a request to the local server ( vault.py ). Finally, retrieving the decrypted flag from /sealed . 🧩 Step-by-Step Walkthrough Step 1 — Extract HMAC Secret from PNG The image vault_secret.png hides an HMAC key in its LSBs. Why The server expects this secret in ctf_secret/secret_mac . It’s later used to generate HMAC signatures for ...
Read more

From Open Networks to Safe Systems: How Firewalls Block the Hacker’s Doorway

-
Image
From Open Networks to Safe Systems: How Firewalls Block the Hacker’s Doorway   In the digital world, every message, photo, and online payment travels through an invisible web of connections called computer networks. Think of it as a massive postal system where billions of tiny data packets constantly move between devices, routers, and servers, each carrying a specific destination address. Just as houses have numbered addresses, every device on a network has an IP address. But instead of physical doors, computers have virtual ones called ports. These are entry and exit points that decide what kind of data can pass through. Some of these digital doors, like those used for websites or emails, need to stay open. Others, if left unlocked, can become invitations for attackers. That is where firewalls come in. A firewall acts as a vigilant security guard at your network’s gate. It checks who is knocking, what they are carrying, and whether they are allowed inside. Home routers do this qui...
Read more

CyberKavach QuestCon Series: VecNet

-
Image
  VecNet Welcome back to the official write-up series for CyberKavach QuestCon! The PCCOE OWASP Student Chapter is here to analyze one of the most fascinating challenges in our event — VecNet, an LLM Jailbreaking and Prompt Injection challenge inspired by Stranger Things. Category: LLM Jailbreaking / Prompt Injection Author: Chirag Ferwani VecNet is an interactive LLM jailbreak challenge inspired by Stranger Things. Players interact with Eleven’s neural assistant deployed in the Upside Down, attempting to extract a hidden flag through creative prompt engineering. The system looks like a Stranger Things knowledge assistant but secretly hides a flag that challengers must extract. Challenge URL: ( https://vecnet.onrender.com ) When you open the challenge, you see a minimal chat interface with a terminal-style monospace font, real-time messaging without chat history, a dark Stranger Things aesthetic, and an input field with a send button. Testing the basic functionality shows that the ...
Read more