CTF:             USCG Combine 2024
Category:        Forensics
Key Concepts:    Memory Analysis, Word Document Steganography

Givens

  • TimeWillTell.vmem
  • A hint that we should look for a ‘recipe document’
  • A hint that the challenge ‘has lots of layers’

First Impressions

I was unfamiliar with .vmem files before this challenge - a quick search showed that they were a type of memory file used by virtual machines. I decided to start with Volatility, a tool for memory analysis.

Layer 1: Memory Analysis

This was my first time using Volatility, and I looked for a GUI that would simplify the process. Volatility Workbench seemed promising, and I tried it against the file. It identified the platform as Windows, and I started my analysis with the windows.cmdline.CmdLine plugin, which lists the running processes together with their command-line arguments.

Searching the resulting list for ‘recipe’, I found the following line:

4380	soffice.bin	"C:\Program Files\LibreOffice\program\swriter.exe" "-o" "C:\Users\Administrator\Desktop\7LayerCakeRecipe.docx" "--writer" "-env:OOO_CWD=2C:\\Users\\Administrator\\Desktop"

It appears that the target file is 7LayerCakeRecipe.docx in the Administrator user's Desktop folder. Unfortunately, the GUI tool hit a Unicode bug when attempting to run windows.filescan.FileScan. To proceed, I started a Linux VM and downloaded the CLI version of Volatility.

Once able to extract the file list, searching for the recipe yields:

0x8a8fe971e250	\Users\Administrator\Desktop\7LayerCakeRecipe.docx

From here, the file can be extracted with windows.dumpfiles.DumpFiles --virtaddr 0x8a8fe971e250. The resulting file appears corrupted, but giving it a .docx extension and opening it with Word repairs the file.

Layer 2: Word Doc Analysis

The document contains a recipe, followed by several unusual images, mostly of one-handed clocks.

[Image: Word doc contents]

An easy trick when working with images inside Word documents is to open the document with 7Zip, which will display the contents in a folder hierarchy. The images are located at /word/media/.

I was stuck at this stage for a long time: there was no clear order to the pictures and searching the recipe for hidden text did not reveal anything. I ultimately decided to start reading through the .xml files that make up the Word doc. The main one, at /word/document.xml contained the image references: here, I realized that each image had a “description” tag with a number.

[Image: Image description tag]

I sorted through the XML and extracted the description tag for each image:

<pic:cNvPr id="1"  descr="6"/>
<pic:cNvPr id="2"  descr="9"/>
<pic:cNvPr id="3"  descr="13"/>
<pic:cNvPr id="4"  descr="3"/>
<pic:cNvPr id="5"  descr="2"/>
<pic:cNvPr id="6"  descr="12"/>
<pic:cNvPr id="7"  descr="7"/>
<pic:cNvPr id="8"  descr="15"/>
<pic:cNvPr id="9"  descr="5"/>
<pic:cNvPr id="10" descr="4"/>
<pic:cNvPr id="11" descr="16"/>
<pic:cNvPr id="12" descr="8"/>
<pic:cNvPr id="13" descr="11"/>
<pic:cNvPr id="14" descr="1"/>
<pic:cNvPr id="15" descr="10"/>
<pic:cNvPr id="16" descr="14"/>

Rearranging the images according to the tags, the order becomes clearer:

Read in this order, the clocks, letters, and numbers together encode something, and that something will turn out to be a filename searchable on GitHub.

Taking the challenge’s name as a hint, I translated each clock into its time in minutes, leaving the provided letters and numbers in positions 1 and 12. I then combined them into one string.

1:  5A
2:  33
3:  45
4:  39
5:  52
6:  44
7:  30
8:  59
9:  41
10: 32
11: 34
12: 2E
13: 43

combined = "5A334539524430594132342E43"

Unfortunately, this string does not result in any matches on GitHub. However, every token is exactly two characters and the only letters present are A and E, both valid hex digits, which hints toward hex encoding.

Layer 3: Hex

Running the string through Dencode, it translates to Z3E9RD0YA24.C. Searching this on GitHub yields a C file.

[Image: Z3E9RD0YA24.C]

Layer 4: C

The C file is a simple self-decryption program that prints out a string. Running it gives:

KNEVMVKTINDXW5DIGR2F65ZUONPTI3BQORPTAZS7ER2DG4BEPU======

Seeing this many equals signs in a row is a tip-off that a string is encoded with Base32: Base32 pads its output to a multiple of eight characters, so up to six '=' can appear at the end, whereas Base64 never uses more than two.

Layer 5: Base32

Running the text through CyberChef’s Base32 decoder, we get the flag!
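Layers 2 through 5 as one script, added here as a worked example rather than anything from the original writeup: it recovers the image order from the descr attributes quoted above, joins the clock readings into the hex string, decodes it to the filename, and Base32-decodes the C program's output. The sixteen cNvPr elements are wrapped in a constructed root element that declares the DrawingML pic namespace so the fragment parses on its own.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace that document.xml binds to the "pic" prefix; declared on a
# constructed root element so the quoted fragment is well-formed XML.
PIC_NS = "http://schemas.openxmlformats.org/drawingml/2006/picture"
SAMPLE_XML = '<root xmlns:pic="' + PIC_NS + '">' + """
<pic:cNvPr id="1"  descr="6"/>  <pic:cNvPr id="2"  descr="9"/>
<pic:cNvPr id="3"  descr="13"/> <pic:cNvPr id="4"  descr="3"/>
<pic:cNvPr id="5"  descr="2"/>  <pic:cNvPr id="6"  descr="12"/>
<pic:cNvPr id="7"  descr="7"/>  <pic:cNvPr id="8"  descr="15"/>
<pic:cNvPr id="9"  descr="5"/>  <pic:cNvPr id="10" descr="4"/>
<pic:cNvPr id="11" descr="16"/> <pic:cNvPr id="12" descr="8"/>
<pic:cNvPr id="13" descr="11"/> <pic:cNvPr id="14" descr="1"/>
<pic:cNvPr id="15" descr="10"/> <pic:cNvPr id="16" descr="14"/>
</root>"""

# Clock readings in minutes plus the two literal tokens (positions 1 and 12),
# already in the recovered order, exactly as listed in the writeup.
TOKENS = ["5A", "33", "45", "39", "52", "44", "30", "59",
          "41", "32", "34", "2E", "43"]
PROGRAM_OUTPUT = "KNEVMVKTINDXW5DIGR2F65ZUONPTI3BQORPTAZS7ER2DG4BEPU======"


def image_order(document_xml: str) -> list[int]:
    """Picture ids in reading order: sorted by the numeric descr (alt text).

    Pictures whose descr is not a plain integer are ignored, since only the
    numbered ones carry the hidden ordering.
    """
    root = ET.fromstring(document_xml)
    ranked = []
    for pic in root.iter("{%s}cNvPr" % PIC_NS):
        descr = pic.get("descr", "")
        if descr.isdigit():
            ranked.append((int(descr), int(pic.get("id"))))
    return [pic_id for _, pic_id in sorted(ranked)]


def hex_to_filename(tokens: list[str]) -> str:
    """Layer 3: the joined two-digit tokens are ASCII bytes in hex."""
    return bytes.fromhex("".join(tokens)).decode("ascii")


def base32_to_flag(text: str) -> str:
    """Layer 5: strict RFC 4648 Base32 decode (padding must be correct)."""
    return base64.b32decode(text).decode("ascii")


if __name__ == "__main__":
    print("image order:", image_order(SAMPLE_XML))
    print("filename:   ", hex_to_filename(TOKENS))
    print("flag:       ", base32_to_flag(PROGRAM_OUTPUT))
```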

Reflection

This challenge was a mix of new and old for me. Memory analysis is a new area, and I enjoyed the chance to use Volatility to analyze the filesystem and extract files. The Word document section was also interesting, and I’m not sure if I would have solved it without knowing how to unzip Word documents. I have a lot of experience with encodings like hex and Base32, so the end of the challenge was not too difficult.

I enjoy this type of layered challenge - it’s fun to progress through distinct steps while solving, and I like the small feeling of accomplishment that comes with solving each stage. For the future, I definitely want to learn more about memory analysis and file extraction.