Magnet Weekly CTF — Week 10

Question 1

The questions started off rather easy, asking about a connection to a Google server. I immediately figured this was going to be the netscan plugin in Volatility:

volatility -f memdump.mem --profile Win7SP1x64 netscan | grep ESTABLISHED

Question 2

Well, this was rather easy as the question simply asked for the associated local address and port. From the above screenshot you can very easily see that the answer is:

Question 3

Question: What was the URL?

Sorry for the eyechart, can’t seem to blow it up more

Question 4

This question asked who was the user responsible for that connection. Based on the Chrome history, it seemed obvious that the Warren user was all over the place so I figured that must be the user. I saw no indication of other users, and evidently that was the answer. I'm curious if there's a more accurate way of determining the answer, but "Warren" was the correct answer.

Question 5

Question: How long was this user looking at this browser with this version of Chrome? (format: X:XX:XX.XXXXX) Hint: down to the last second

He posted on Friday with only 3 solves at the time and solved in 45 minutes.
Computer shutdown:              2020-04-20 20:19:33 UTC+0000
Earliest chromevisit entry:     2020-04-20 20:23:55.902263
Earliest chromehistory entry:   2020-04-20 20:23:56.264731
Chrome Prefetch time:           2020-04-20 20:25:49 UTC+0000
Pslist chrome.exe timestamp:    2020-04-20 23:17:07 UTC+0000
Last updated registry key:      2020-04-20 23:17:13 UTC+0000
Latest visit/history timestamp: 2020-04-20 23:17:33.124246
Memory acquisition:             2020-04-20 23:23:26.000000
Me a few hours later
2:59:30.09773 -- nope
2:53:36.859515 -- nope
2:59:29.735269 -- nope
2:53:37.221983 -- nope
2:57:37.0000 -- nope
volatility -f memdump.mem --profile Win7SP1x64 userassist
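As an added example (not code from the original post), here is a small Python script that reproduces the timeline arithmetic behind the guesses above: it parses the timestamps listed in the write-up and enumerates every plausible start/end pairing in the H:MM:SS.ffffff format the question asks for, so it is easy to see which candidates have already been ruled out. It assumes the Chrome history timestamps are in UTC like the Volatility ones.

```python
from datetime import datetime
from itertools import product

# Timeline artifacts from the memory image as listed in the write-up.
# Volatility prints its timestamps with a "UTC+0000" suffix; the Chrome
# history/visit timestamps carry no zone and are assumed here to be UTC too.
ARTIFACTS = {
    "computer shutdown": "2020-04-20 20:19:33 UTC+0000",
    "earliest chromevisit": "2020-04-20 20:23:55.902263",
    "earliest chromehistory": "2020-04-20 20:23:56.264731",
    "chrome prefetch": "2020-04-20 20:25:49 UTC+0000",
    "pslist chrome.exe": "2020-04-20 23:17:07 UTC+0000",
    "last registry update": "2020-04-20 23:17:13 UTC+0000",
    "latest visit/history": "2020-04-20 23:17:33.124246",
    "memory acquisition": "2020-04-20 23:23:26.000000",
}

def parse_ts(text):
    """Parse both timestamp styles seen in the write-up into naive UTC datetimes."""
    text = text.replace(" UTC+0000", "")
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")

def fmt_duration(delta):
    """Render a timedelta as H:MM:SS.ffffff, the format the question asks for."""
    total_us = delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds
    hours, rem = divmod(total_us, 3_600_000_000)
    minutes, rem = divmod(rem, 60_000_000)
    seconds, micros = divmod(rem, 1_000_000)
    return f"{hours}:{minutes:02d}:{seconds:02d}.{micros:06d}"

def candidate_durations(starts, ends):
    """Every start/end pairing (end after start) as {(start, end): 'H:MM:SS.ffffff'}."""
    out = {}
    for s, e in product(starts, ends):
        delta = parse_ts(ARTIFACTS[e]) - parse_ts(ARTIFACTS[s])
        if delta.total_seconds() >= 0:
            out[(s, e)] = fmt_duration(delta)
    return out

if __name__ == "__main__":
    starts = ["earliest chromevisit", "earliest chromehistory", "chrome prefetch"]
    ends = ["latest visit/history", "memory acquisition"]
    for (s, e), d in sorted(candidate_durations(starts, ends).items()):
        print(f"{s:24} -> {e:22} {d}")
```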
