Running strings on the file yields the flag.
The challenge hinted at the need to use the tool Volatility. First we run volatility -f memdump.raw imageinfo on the dump to get the OS version. We then use the cmdscan command to check the most recently run commands. One of these is the flag:

JCTF{nice_volatility_tricks_bro}
As it's a docx file we can extract all the individual parts using binwalk. Then we navigate to /root/Desktop/_microsooft.docx.extracted/src/, open up oof.txt and Ctrl + F for flag.

flag{oof_is_right_why_gfxdata_though}
Alternatively, if you don't want to use the command line, change the extension to .zip and unzip it. Navigate into the correct folder, open oof.txt and Ctrl + F to search for the flag.
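As an added example (not part of the original writeup), a Python script that automates the unzip-and-Ctrl+F step: it treats the .docx as the ZIP container it is and scans every member, not only the Word XML parts, for a flag{...} pattern. The sample document it builds is constructed here; the member name src/oof.txt is an assumption mirroring the challenge's layout.

```python
import io
import re
import zipfile

# Pattern for the flag format used in the challenge (case-insensitive).
FLAG_RE = re.compile(rb"flag\{[^}]*\}", re.IGNORECASE)


def find_flags_in_docx(data: bytes) -> list[tuple[str, str]]:
    """Open the docx bytes as a ZIP and search every file member for a flag.

    Returns a list of (member name, flag text) pairs. Members that are not
    normal Word parts (like a stray .txt under src/) are searched too, which
    is exactly where a hidden flag tends to sit.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                content = member.read()
            for m in FLAG_RE.finditer(content):
                hits.append((info.filename, m.group(0).decode("utf-8", "replace")))
    return hits


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal docx-shaped ZIP with an extra text member
    alongside the real parts, standing in for the challenge's oof.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>normal body text</w:document>")
        zf.writestr("src/oof.txt", "filler\nflag{constructed_sample_flag}\nmore filler\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, flag in find_flags_in_docx(build_sample_docx()):
        print(f"{name}: {flag}")
```

Point find_flags_in_docx at the bytes of a real .docx (open(path, "rb").read()) to run it against a challenge file.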