CyberSpace2024 Memory CTF : Interesting Forensics Challenge
Hey Hackers! In this article, I’ll guide you through the process of solving the “Memory” challenge from the Cyberspace CTF 2024. This challenge revolves around Windows memory forensics, where we have to recover the deleted flag.jpg file. Let’s dive right in and unravel the steps to conquer this challenge!
Challenge Link --> https://2024.csc.tf/challenges#Memory-60
Start:
In this forensics challenge a Windows memory dump is given, and the description says that the image of the flag was deleted and we have to recover it.
The mem.dmp file is a 64-bit MS Windows crash dump. As a first step, I extracted all the readable strings from the dump file and stored them in a text file to analyze.
strings mem.dmp > out.txt
While analyzing the text file I noticed the strings below, which looked interesting.
$ifPath = [System.IO.Path]::Combine([System.Environment]::GetFolderPath('Desktop'), 'flag.jpg')
$efPath = [System.IO.Path]::Combine([System.Environment]::GetFolderPath('Desktop'), 'flag.enc')
$aes = New-Object System.Security.Cryptography.AesManaged
$aes.KeySize = 256
$aes.BlockSize = 128
$aes.GenerateKey()
$aes.GenerateIV()
$cee = [System.Convert]::ToBase64String($aes.Key)
$vee = [System.Convert]::ToBase64String($aes.IV)
$content = [System.IO.File]::ReadAllBytes($ifPath)
$encryptor = $aes.CreateEncryptor($aes.Key, $aes.IV)
$encryptedData = $encryptor.TransformFinalBlock($content, 0, $content.Length)
$encryptedBase64 = [System.Convert]::ToBase64String($encryptedData)
[System.IO.File]::WriteAllText($efPath, $encryptedBase64)
[System.Environment]::SetEnvironmentVariable("ENCD", $encryptedBase64, [System.EnvironmentVariableTarget]::User)
[System.Environment]::SetEnvironmentVariable("ENCK", $cee, [System.EnvironmentVariableTarget]::User)
[System.Environment]::SetEnvironmentVariable("ENCV", $vee, [System.EnvironmentVariableTarget]::User)
if (Test-Path $ifPath) {
Remove-Item $ifPath -Force
}
The things to notice here are flag.jpg and flag.enc: flag.jpg was deleted, and flag.enc holds its encrypted version. Here is the breakdown.
- $ifPath: Combines the Desktop folder path with the filename flag.jpg. This path points to the original flag.jpg.
- $efPath: Combines the Desktop folder path with the filename flag.enc. This path will be used to save the encrypted version of flag.jpg.
- Some AES encryption setup: key size, block size, AES key, IV etc. for the encryption.
- $cee = [System.Convert]::ToBase64String($aes.Key): Converts the AES key to a Base64 string and stores it in $cee.
- $vee = [System.Convert]::ToBase64String($aes.IV): Converts the AES IV to a Base64 string and stores it in $vee.
- [System.IO.File]::WriteAllText($efPath, $encryptedBase64): Saves the Base64-encoded encrypted data to a file named flag.enc on the Desktop.
- Stores the Base64-encoded encrypted data (ENCD), the AES key (ENCK), and the IV (ENCV) as user environment variables.
- if (Test-Path $ifPath) { Remove-Item $ifPath -Force }: If the original flag.jpg exists, it is deleted.
So ENCD holds the Base64-encoded encrypted content of flag.jpg. It represents the encrypted flag but is not directly readable. To decrypt the data we need the AES key (ENCK) and the IV (ENCV), which let us retrieve the original flag.jpg.
I noticed that flag.enc is also not present in the memory dump. Luckily, the script stores those ENCD, ENCK and ENCV values as Windows environment variables, so we just have to extract them.
Here we use the Volatility Framework to do this:
python3 vol.py -f mem.dmp windows.envars.Envars
(The windows.envars.Envars plugin scans for and extracts Windows environment variables.)
After a bit of searching I found the ENCD, ENCK and ENCV variables.
So it’s time to decrypt them. Here I use Python3, but you can use PowerShell scripting as well.
First I Base64-decode the value of ENCD and store it in a flag.enc file. Here is the script below.
I ran it and it gave me flag.enc.
Now it’s time to decrypt it using ENCK and ENCV. Here I again create a Python script (with the help of ChatGPT 😅) to decrypt it. It’s just reversing the encryption method.
I ran this script and it gave me the real flag.jpg. Open flag.jpg and BOOM: flag exposed.
If you want those Python scripts you can find them here.
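Both recovery steps in one PowerShell script, as an added example (not the author's Python scripts): it reverses the routine found in the dump with the same .NET API, and assumes the three Base64 strings recovered with windows.envars.Envars are pasted into the parameters (the defaults are placeholders, not the challenge's real values).

```powershell
# Added example: mirror of the encryption script recovered from mem.dmp.
# Paste the real ENCD / ENCK / ENCV values from the envars output; these are placeholders.
param(
    [string]$EncD = '<Base64 value of ENCD from the dump>',
    [string]$EncK = '<Base64 value of ENCK from the dump>',
    [string]$EncV = '<Base64 value of ENCV from the dump>',
    [string]$OutDir = (Get-Location).Path
)

# Step 1: ENCD is exactly the Base64 text that was written to flag.enc, so decoding it
# gives back the raw AES ciphertext; a copy of flag.enc is written for the record.
$cipherBytes = [System.Convert]::FromBase64String($EncD.Trim())
[System.IO.File]::WriteAllText((Join-Path $OutDir 'flag.enc'), $EncD.Trim())

# Step 2: rebuild the cipher the way the original script did. AesManaged defaults to
# CBC mode with PKCS7 padding, which is why the original never had to set them.
$aes = New-Object System.Security.Cryptography.AesManaged
$aes.KeySize   = 256
$aes.BlockSize = 128
$aes.Key = [System.Convert]::FromBase64String($EncK.Trim())   # AES-256 key: 32 bytes
$aes.IV  = [System.Convert]::FromBase64String($EncV.Trim())   # CBC IV: 16 bytes

if ($aes.Key.Length -ne 32 -or $aes.IV.Length -ne 16) {
    throw "Unexpected key/IV length (key=$($aes.Key.Length), iv=$($aes.IV.Length) bytes); re-check the recovered values"
}

# CreateDecryptor + TransformFinalBlock is the mirror image of CreateEncryptor + TransformFinalBlock;
# a wrong key/IV usually shows up here as a padding exception.
$decryptor  = $aes.CreateDecryptor($aes.Key, $aes.IV)
$plainBytes = $decryptor.TransformFinalBlock($cipherBytes, 0, $cipherBytes.Length)

# Step 3: sanity check before trusting the output. A JPEG begins with the bytes FF D8 FF.
if ($plainBytes.Length -lt 3 -or $plainBytes[0] -ne 0xFF -or $plainBytes[1] -ne 0xD8 -or $plainBytes[2] -ne 0xFF) {
    Write-Warning "Decrypted data does not start with the JPEG magic bytes; the key/IV pairing may be wrong"
}

$outFile = Join-Path $OutDir 'flag.jpg'
[System.IO.File]::WriteAllBytes($outFile, $plainBytes)
Write-Host "Wrote $($plainBytes.Length) bytes to $outFile"
```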
THANKS FOR READING!
If you enjoyed this, don’t forget to like it and follow me for more articles.
Happy Hacking~