Jot Down

1500pts, 1 solve. Tags: msedge, notepad, volatility3, dfir

Written by subzcuber

Author: I think DFIRently

Google is your friend.

[hint1] What’s the OS version of the dump ?

[hint2] the password is encoded

challenge file

points to note:

  • “jot down”: check notepad
  • “google is your friend”: check browser stuff

We are given the file WINDOWS11-20251103-181217.raw, so I’ll be using Volatility 3.

❯ vol -f WINDOWS11-20251103-181217.raw windows.info
Volatility 3 Framework 2.27.0
Progress:  100.00		PDB scanning finished
Variable	Value

Is64Bit	True
layer_name	0 WindowsIntel32e
memory_layer	1 FileLayer
SystemTime	2025-11-03 18:12:20+00:00
NtSystemRoot	C:\WINDOWS
NtMajorVersion	10
PE MajorOperatingSystemVersion	10
PE MinorOperatingSystemVersion	0

Let’s start by looking at the basic stuff

  • active processes
  • cmdline
  • file list

❯ vol -f WINDOWS11-20251103-181217.raw windows.filescan > dump/file_scan

etc.

Active Processes

❯ vol -f WINDOWS11-20251103-181217.raw windows.pslist
Volatility 3 Framework 2.27.0
Progress:  100.00		PDB scanning finished
PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime	File output

5788	5740	explorer.exe	0xd20fde694080	74	-	1	False	2025-11-03 18:05:53.000000 UTC	  N/A	  Disabled
6288	5788	OneDrive.exe	0xd20fd3f3d0c0	25	-	1	False	2025-11-03 18:07:30.000000 UTC	  N/A	  Disabled
1544	8976	msedge.exe	0xd20fe116d080	15	-	1	False	2025-11-03 18:11:46.000000 UTC	  N/A	  Disabled
1768	8976	msedge.exe	0xd20fe116b080	15	-	1	False	2025-11-03 18:11:46.000000 UTC	  N/A	  Disabled
9484	8976	msedge.exe	0xd20fe1169080	15	-	1	False	2025-11-03 18:11:46.000000 UTC	  N/A	  Disabled
4552	8976	msedge.exe	0xd20fe1167080	16	-	1	False	2025-11-03 18:11:46.000000 UTC	  N/A	  Disabled
6080	8976	msedge.exe	0xd20fdfba1080	25	-	1	False	2025-11-03 18:11:46.000000 UTC	  N/A	  Disabled
7640	8976	msedge.exe	0xd20fdce53080	25	-	1	False	2025-11-03 18:12:01.000000 UTC	  N/A	  Disabled
4888	8976	msedge.exe	0xd20fdce020c0	26	-	1	False	2025-11-03 18:12:01.000000 UTC	  N/A	  Disabled
10264	8976	msedge.exe	0xd20fd7f21080	25	-	1	False	2025-11-03 18:12:03.000000 UTC	  N/A	  Disabled
2044	2148	audiodg.exe	0xd20fe0f92080	10	-	0	False	2025-11-03 18:12:15.000000 UTC	  N/A	  Disabled
10344	8976	DumpIt.exe	0xd20fe1c05080	3	-	1	True	2025-11-03 18:12:16.000000 UTC	  N/A	  Disabled
9876	10344	conhost.exe	0xd20fe12a0080	8	-	1	False	2025-11-03 18:12:16.000000 UTC	  N/A	  Disabled
10540	8976	msedge.exe	0xd20fdd530080	14	-	1	False	2025-11-03 18:12:18.000000 UTC	  N/A	  Disabled

You can immediately see a wall of Microsoft Edge processes, so that’s probably the browser we have to inspect.

Browser History

Edge is Chromium-based, so its artifacts are very similar to Google Chrome’s, which means there’s going to be a History SQLite database somewhere.

❯ cat dump/file_scan | rg -ie "Edge.*History"
0xd20fde878590	\Users\nh0kt1g3r12\AppData\Local\Microsoft\Edge\User Data\Default\Nurturing\campaign_history-journal
0xd20fdf58dd70	\Users\nh0kt1g3r12\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
0xd20fe091f300	\Users\nh0kt1g3r12\AppData\Local\Microsoft\Edge\User Data\Default\History
0xd20fe092a6b0	\Users\nh0kt1g3r12\AppData\Local\Microsoft\Edge\User Data\Default\Nurturing\campaign_history
0xd20fe094bea0	\Users\nh0kt1g3r12\AppData\Local\Microsoft\Edge\User Data\Nurturing\campaign_history

Let’s extract it and have a lookie

❯ vol -f WINDOWS11-20251103-181217.raw -o dump/ windows.dumpfiles --virtaddr 0xd20fe091f300
❯ sqlite3 dump/History
SQLite version 3.50.4 2025-07-30 19:33:53
Enter ".help" for usage hints.
sqlite> SELECT * FROM urls;
1|file:///C:/WINDOWS/system32/oobe/FirstLogonAnim.html||1|0|13406634694329331|0
2|https://pastebin.com/rmXj1eCt|Pastebin.com - Locked Paste|1|1|13406667097525574|0
3|https://www.bing.com/search?pglt=2083&q=dumpit.exe&cvid=92bf709e584f4a82802c4f6bcfc01eef&gs_lcrp=EgRlZGdlKgYIABBFGDkyBggAEEUYOTIGCAEQABhAMgYIAhAAGEAyBggDEAAYQNIBCDE2OTNqMGoxqAIAsAIA&FORM=ANNTA1&PC=U531|dumpit.exe - Search|2|0|13406667121928273|0
4|https://www.bing.com/ck/a?!&&p=12e12100f2e3ebf4d55b7760de25d8325cee7eef9c2cbf4b0fa308fbebdf3a6cJmltdHM9MTc2MjEyODAwMA&ptn=3&ver=2&hsh=4&fclid=155eefd7-d4b3-6957-174d-f94ed5096857&psq=dumpit.exe&u=a1aHR0cHM6Ly93d3cudG9vbHdhci5jb20vMjAxNC8wMS9kdW1waXQtbWVtb3J5LWR1bXAtdG9vbHMuaHRtbA&ntb=1||1|0|13406667121916862|0
5|https://www.toolwar.com/2014/01/dumpit-memory-dump-tools.html|DumpIt (Memory Dumper) :: Tools - ToolWar | Information Security (InfoSec) Tools|1|0|13406667122799514|0
6|https://www.toolwar.com/2014/01/dumpit-memory-dump-tools.html#google_vignette|DumpIt (Memory Dumper) :: Tools - ToolWar | Information Security (InfoSec) Tools|1|0|13406667129550915|0
sqlite>

Do you see it??? We have a locked pastebin link!!!

https://pastebin.com/rmXj1eCt
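An added example (not from the write-up) of reading the urls table the way a timeline needs it: Chromium stores last_visit_time as WebKit time (microseconds since 1601-01-01 UTC), which is why the raw values above do not look like Unix timestamps. The rows are a constructed in-memory copy of three entries from the dump above; the conversion is done in SQL, so the same query works against the extracted dump/History file.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium/Edge store last_visit_time as microseconds since 1601-01-01 UTC (WebKit time).
# The gap between that epoch and the Unix epoch is 11644473600 seconds.
WEBKIT_EPOCH_DELTA = 11644473600

# Constructed sample: `urls` rows copied from the History dump in the write-up
# (columns: id, url, title, visit_count, typed_count, last_visit_time, hidden).
SAMPLE_ROWS = [
    (1, "file:///C:/WINDOWS/system32/oobe/FirstLogonAnim.html", "", 1, 0, 13406634694329331, 0),
    (2, "https://pastebin.com/rmXj1eCt", "Pastebin.com - Locked Paste", 1, 1, 13406667097525574, 0),
    (3, "https://www.toolwar.com/2014/01/dumpit-memory-dump-tools.html",
     "DumpIt (Memory Dumper) :: Tools - ToolWar | Information Security (InfoSec) Tools",
     1, 0, 13406667122799514, 0),
]


def webkit_to_utc(webkit_us: int) -> str:
    """Convert a WebKit microsecond timestamp to a 'YYYY-MM-DD HH:MM:SS' UTC string."""
    ts = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=webkit_us)
    return ts.strftime("%Y-%m-%d %H:%M:%S")


def load_sample_history() -> sqlite3.Connection:
    """Build an in-memory History db with the Chromium `urls` columns seen in the dump."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER)")
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return con


def timeline(con: sqlite3.Connection) -> list:
    """Return (visited_utc, typed_count, url) ordered by visit time; the epoch shift is done in SQL.
    typed_count > 0 means the URL was entered in the address bar rather than followed from a link."""
    query = ("SELECT datetime(last_visit_time / 1000000 - ?, 'unixepoch'), typed_count, url "
             "FROM urls ORDER BY last_visit_time")
    return [tuple(row) for row in con.execute(query, (WEBKIT_EPOCH_DELTA,))]


if __name__ == "__main__":
    for visited, typed, url in timeline(load_sample_history()):
        print(visited, "typed" if typed else "clicked", url)
```

The pastebin entry resolves to 2025-11-03 18:11:37 UTC, about a minute before DumpIt.exe was started according to pslist, and its typed_count of 1 shows the link was typed or pasted into the address bar.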

NotePad Artifacts

From the title of the challenge we also know we have to have a look at the NotePad artifacts. On Windows 10/11 Notepad stores a cache of recently opened files with a bit more structure than Windows 7 did. I’m going to be referring to this amazing blog about notepad artifacts

The artifacts are located at Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState

❯ cat dump/file_scan | rg -ie "WindowsNotepad.*LocalState"
0xd20fdf5ba460	Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\703f5836-f2e4-43c0-8522-59e788aa06de.0.bin
0xd20fdf5bd340	Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\703f5836-f2e4-43c0-8522-59e788aa06de.1.bin
0xd20fdfb0f7b0	Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\WindowState\25664951-e78e-4e96-a192-fc3eb4e2339e.0.bin
0xd20fe058ebf0	Microsoft.WindowsNotepad_8wekyb3d8bbwe\LocalState\TabState\703f5836-f2e4-43c0-8522-59e788aa06de.bin.tmp

Inside this there are two folders TabState\ and WindowState\

Tab State

TabState\ holds one file per open Notepad tab, and those files include the actual contents of the text buffer, which is why we will be focusing on this folder.

703f5836-f2e4-43c0-8522-59e788aa06de.bin.tmp

is the important file in question; the other TabState files are just temporaries used before writing into the main one.

This file is the cache of an Unsaved Tab

Offset      Field           Value           Details
0x00-0x02   Signature       NP\x00          The file signature
0x03        isFileSaved     0x00            The file has not been saved to disk
0x0d        Content Length  0x0e            Length of the tab’s content (14 characters, stored as UTF-16LE, hence 28 bytes)
0x0e-0x29   Content         AcDDH_C507_F?5  What we want
0x2b-0x2e   CRC32           0x466cb66f      CRC32 of the contents excluding the signature

Above are the important things we want from the file. I also wrote a small parser for unsaved tabs here

❯ python notepad_parser.py
INFO: file signature matches!
INFO: is not saved to disk
INFO:     wordWrap: False
INFO:     rtl: False
INFO:     showUnicode: True
INFO:     version: 1
INFO: FILE CONTENTS: AcDDH_C507_F?5
INFO: CRC32 matches

(this was before I knew ImHex and Yara were a thing 😞)

So we have the contents written in Notepad, but is this our pastebin password? From the second hint, apparently not; it’s encoded somehow.

Decoding

And of course this is where I crashed out. You may have noticed there was only one solve on this challenge. Well it wasn’t us. I threw the string AcDDH_C507_F?5 into CyberChef and the Magic recipe didn’t give me anything 😭

So I spent the next many hours of my life questioning everything and checking everything else I possibly could. I tried

  • onedrive artifacts
  • clipboard stuff
  • ntlm hashes
  • strings for “password” (found a lot of wrong answers here btw)
  • crying in the tickets (the ticket is still open lmao)
  • so much crying in the tickets (im sorry 😭)
  • questioning my sanity

I should have just given the string to my teammates, but at that point I wasn’t entirely sure that was the correct string (they were sleeping tho), I thought it could have been DDH_C507_F or something like that too (I made my parser after the CTF)

Anyway after the CTF the author said it was encoded with ROT47, and all I can say is … fml

This has to be the worst way to learn a new encoding. This challenge was another 6 hours of my life btw
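An added end-to-end example, not the author’s notepad_parser.py (its link is not on this page): it builds a constructed unsaved-tab file using the offsets from the table above, parses it back with the CRC32 check, and runs ROT47 over the recovered buffer. The bytes at 0x04-0x0c (the selection/option fields the author’s parser prints) are not detailed in the write-up, so the constructed sample fills them with zeros; that is an assumption about the sample, not a statement about real files.

```python
import struct
import zlib

# Layout of an *unsaved* Notepad TabState file, taken from the table in the write-up.
# Bytes 0x04-0x0c (selection/option fields) are not detailed there; the constructed
# sample below fills them with zeros, which is an assumption about the sample only.
SIG = b"NP\x00"
LEN_OFF = 0x0d       # one-byte content length, counted in UTF-16 code units
CONTENT_OFF = 0x0e   # UTF-16LE content starts here


def build_unsaved_tab(text: str) -> bytes:
    """Constructed sample: encode text in the unsaved-tab layout, with a valid CRC32."""
    body = b"\x00"                      # 0x03: isFileSaved = 0
    body += b"\x00" * (LEN_OFF - 4)     # 0x04-0x0c: undocumented here, assumed zero
    body += bytes([len(text)])          # 0x0d: content length (one byte for short text)
    body += text.encode("utf-16-le")    # 0x0e onward: the tab's text
    body += b"\x00"                     # single byte between content and CRC, as in the table
    crc = zlib.crc32(body) & 0xFFFFFFFF # CRC32 covers everything after the 3-byte signature
    return SIG + body + struct.pack(">I", crc)


def parse_unsaved_tab(data: bytes) -> dict:
    """Recover the buffer and check the stored CRC32 (big-endian, right after the content)."""
    if data[:3] != SIG:
        raise ValueError("bad signature: not a Notepad TabState file")
    if data[3] != 0:
        raise ValueError("isFileSaved != 0: saved tabs carry a file path and use another layout")
    length = data[LEN_OFF]
    end = CONTENT_OFF + 2 * length
    content = data[CONTENT_OFF:end].decode("utf-16-le")
    crc_off = end + 1
    stored = struct.unpack(">I", data[crc_off:crc_off + 4])[0]
    calc = zlib.crc32(data[3:crc_off]) & 0xFFFFFFFF
    return {"content": content, "crc_offset": crc_off, "stored_crc": stored, "crc_ok": stored == calc}


def rot(text: str, shift: int = 47) -> str:
    """Rotate printable ASCII 0x21-0x7e (a 94-character ring); shift 47 is ROT47, its own inverse."""
    return "".join(chr(33 + (ord(c) - 33 + shift) % 94) if 33 <= ord(c) <= 126 else c for c in text)


if __name__ == "__main__":
    info = parse_unsaved_tab(build_unsaved_tab("AcDDH_C507_F?5"))
    print(info)                  # content at 0x0e-0x29, CRC at 0x2b-0x2e, crc_ok True
    print(rot(info["content"]))  # ROT47 of the recovered buffer
```

A CRC mismatch is worth treating as a signal rather than an error: the .tmp and .0.bin/.1.bin copies can disagree when a tab was mid-write at dump time, and the CRC tells you which copy is internally consistent.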

ROT47 turns AcDDH_C507_F?5 into p4ssw0rd_f0und, which unlocks the paste:

PIS{fr0m_f4n_n3r0_w1th_l0v3}

check out

Their file type detection is fantastic because of Yara.
