USCGSIV - Time Will Tell
CTF: USCG Combine 2024
Category: Forensics
Key Concepts: Memory Analysis, Word Document Steganography
Givens
- TimeWillTell.vmem
- A hint that we should look for a ‘recipe document’
- A hint that the challenge ‘has lots of layers’
First Impressions
I was unfamiliar with .vmem files before this challenge - a quick search showed that they were a type of memory file used by virtual machines. I decided to start with Volatility, a tool for memory analysis.
Layer 1: Memory Analysis
This was my first time using Volatility, and I looked for a GUI that would simplify the process. Volatility Workbench seemed promising, and I tried it against the file. It identified the platform as Windows, and I started my analysis with the windows.cmdline.CmdLine command to list the processes and their command-line arguments.
Searching the resulting list for ‘recipe’, I found the following line:
4380 soffice.bin "C:\Program Files\LibreOffice\program\swriter.exe" "-o" "C:\Users\Administrator\Desktop\7LayerCakeRecipe.docx" "--writer" "-env:OOO_CWD=2C:\\Users\\Administrator\\Desktop"
It appears that the target file is 7LayerCakeRecipe.docx in the Administrator Desktop folder.
Unfortunately, the GUI tool was experiencing a Unicode bug when attempting to run windows.filescan.FileScan. To proceed, I started a Linux VM and downloaded the CLI version of Volatility.
Once able to extract the file list, searching for the recipe yields:
0x8a8fe971e250 \Users\Administrator\Desktop\7LayerCakeRecipe.docx
From here, the file can be extracted with windows.dumpfiles.DumpFiles --virtaddr 0x8a8fe971e250. The resulting file appears corrupted, but giving it a .docx extension and opening it with Word repairs the file.
Layer 2: Word Doc Analysis
The document contains a recipe, followed by several unusual images, mostly of one-handed clocks.
Word doc contents
An easy trick when working with images inside Word documents is to open the document with 7Zip, which will display the contents in a folder hierarchy. The images are located at /word/media/.
I was stuck at this stage for a long time: there was no clear order to the pictures, and searching the recipe for hidden text did not reveal anything. I ultimately decided to start reading through the .xml files that make up the Word doc. The main one, at /word/document.xml, contained the image references: here, I realized that each image had a “description” tag with a number.
Image description tag
I sorted through the XML and extracted the description tag for each image:
<pic:cNvPr id="1" descr="6"/>
<pic:cNvPr id="2" descr="9"/>
<pic:cNvPr id="3" descr="13"/>
<pic:cNvPr id="4" descr="3"/>
<pic:cNvPr id="5" descr="2"/>
<pic:cNvPr id="6" descr="12"/>
<pic:cNvPr id="7" descr="7"/>
<pic:cNvPr id="8" descr="15"/>
<pic:cNvPr id="9" descr="5"/>
<pic:cNvPr id="10" descr="4"/>
<pic:cNvPr id="11" descr="16"/>
<pic:cNvPr id="12" descr="8"/>
<pic:cNvPr id="13" descr="11"/>
<pic:cNvPr id="14" descr="1"/>
<pic:cNvPr id="15" descr="10"/>
<pic:cNvPr id="16" descr="14"/>
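To make this step repeatable rather than a manual sort through the XML, here is an added Python example (my own code, not part of the original writeup) that pulls the pic:cNvPr elements out of word/document.xml with a namespace-aware parser and orders the picture ids by their numeric descr attribute. The sample XML is a constructed stand-in that wraps the sixteen elements above in a minimal root; the docx path in the usage comment is hypothetical.

```python
import zipfile
import xml.etree.ElementTree as ET

# DrawingML picture namespace that <pic:cNvPr> lives in inside word/document.xml
PIC_NS = "http://schemas.openxmlformats.org/drawingml/2006/picture"

# Constructed stand-in for the relevant part of word/document.xml: the sixteen
# <pic:cNvPr> elements listed in the writeup, wrapped in a minimal root element
# so the fragment parses on its own.
SAMPLE_DOCUMENT_XML = f"""<root xmlns:pic="{PIC_NS}">
<pic:cNvPr id="1" descr="6"/>
<pic:cNvPr id="2" descr="9"/>
<pic:cNvPr id="3" descr="13"/>
<pic:cNvPr id="4" descr="3"/>
<pic:cNvPr id="5" descr="2"/>
<pic:cNvPr id="6" descr="12"/>
<pic:cNvPr id="7" descr="7"/>
<pic:cNvPr id="8" descr="15"/>
<pic:cNvPr id="9" descr="5"/>
<pic:cNvPr id="10" descr="4"/>
<pic:cNvPr id="11" descr="16"/>
<pic:cNvPr id="12" descr="8"/>
<pic:cNvPr id="13" descr="11"/>
<pic:cNvPr id="14" descr="1"/>
<pic:cNvPr id="15" descr="10"/>
<pic:cNvPr id="16" descr="14"/>
</root>"""


def image_order(document_xml):
    """Return picture ids in the order given by their numeric descr attribute.

    Elements whose descr is not an integer are skipped: in a real document.xml
    the descr text is free-form alt text, and only the numbered ones carry the
    ordering hint this challenge hides there.
    """
    root = ET.fromstring(document_xml)
    numbered = []
    for el in root.iter(f"{{{PIC_NS}}}cNvPr"):
        descr = el.get("descr", "")
        if descr.isdigit():
            numbered.append((int(descr), int(el.get("id"))))
    numbered.sort()
    return [pic_id for _, pic_id in numbered]


def image_order_from_docx(path):
    """Same thing for a .docx on disk: it is a zip, so read word/document.xml directly."""
    with zipfile.ZipFile(path) as docx:
        return image_order(docx.read("word/document.xml"))


if __name__ == "__main__":
    print(image_order(SAMPLE_DOCUMENT_XML))
    # image_order_from_docx("7LayerCakeRecipe.docx")  # hypothetical path to the dumped file
```

The returned list is the order in which the pictures (by their id in document order) should be laid out: picture 14 first, then 5, 4, and so on. The same zip-then-parse approach works for any OOXML container, since .docx, .xlsx and .pptx all keep their markup as plain XML parts.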
Rearranging the images according to the tags, the order becomes clearer:
Something, represented by the clocks, letters, and numbers, will become a filename searchable on GitHub.
Taking the challenge’s name as a hint, I translated each clock into its time in minutes, leaving the provided letters and numbers in positions 1 and 12. I then combined them into one string.
1: 5A
2: 33
3: 45
4: 39
5: 52
6: 44
7: 30
8: 59
9: 41
10: 32
11: 34
12: 2E
13: 43
combined = "5A334539524430594132342E43"
Unfortunately, this string does not result in any matches on GitHub. However, the presence of letters A and E hints toward hex encoding.
Layer 3: Hex
Running the string through Dencode, it translates to Z3E9RD0YA24.C. Searching this on GitHub yields a C file.
Z3E9RD0YA24.C
Layer 4: C
The C file is a simple self-decryption program that prints out a string. Running it gives:
KNEVMVKTINDXW5DIGR2F65ZUONPTI3BQORPTAZS7ER2DG4BEPU======
Seeing this many equals signs in a row is a tip-off that a string is encoded with Base32.
Layer 5: Base32
Running the text through CyberChef’s Base32 decoder, we get the flag!
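The last two decoding layers (the hex string built from the clocks, and the Base32 output of the C program) follow the same pattern: recognise the alphabet and padding, then decode. As an added example that is not part of the original writeup, the Python below carries the clock readings through to the filename and applies the Base32 tip-off to the C program's output. The readings and the Base32 string are copied from the text above; the heuristics are my own and are assumptions, not a general-purpose detector.

```python
import base64
import re

# Clock readings from the writeup, keyed by position. Positions 1 and 12 were
# given as literal characters; the rest are one-handed clocks read in minutes.
READINGS = {1: "5A", 2: "33", 3: "45", 4: "39", 5: "52", 6: "44", 7: "30",
            8: "59", 9: "41", 10: "32", 11: "34", 12: "2E", 13: "43"}

# Output of the C program found on GitHub, copied from the writeup.
C_PROGRAM_OUTPUT = "KNEVMVKTINDXW5DIGR2F65ZUONPTI3BQORPTAZS7ER2DG4BEPU======"

HEX_RE = re.compile(r"[0-9A-Fa-f]+")
# Base32 alphabet is A-Z plus 2-7 (no 0, 1, 8, 9). Padding comes in runs of
# 0, 1, 3, 4 or 6 '=' (six '=' means a single trailing byte) and the total
# length is always a multiple of 8.
BASE32_RE = re.compile(r"[A-Z2-7]+(=|===|====|======)?")


def combine(readings):
    """Concatenate the readings in position order into one string."""
    return "".join(readings[pos] for pos in sorted(readings))


def looks_like_hex(s):
    # Every byte needs two digits, so the length must be even.
    return len(s) % 2 == 0 and HEX_RE.fullmatch(s) is not None


def looks_like_base32(s):
    return len(s) % 8 == 0 and BASE32_RE.fullmatch(s) is not None


def peel(s):
    """Identify one encoding layer and strip it.

    Returns (encoding_name, decoded_bytes), or None when neither check matches.
    Hex is tested first: a string made only of 2-7 and A-F would satisfy both
    alphabets, but a Base32 string with letters past F can never pass as hex.
    """
    if looks_like_hex(s):
        return "hex", bytes.fromhex(s)
    if looks_like_base32(s):
        return "base32", base64.b32decode(s)
    return None


if __name__ == "__main__":
    kind, filename = peel(combine(READINGS))
    print(kind, filename.decode("ascii"))   # hex Z3E9RD0YA24.C
    kind, flag = peel(C_PROGRAM_OUTPUT)
    print(kind, len(flag), "bytes decoded")
```

The padding rule is the reason the run of equals signs gives Base32 away: Base64 never needs more than two, while Base32 pads a lone trailing byte with six. Checking the length against a multiple of 8 before decoding avoids the "Incorrect padding" error you would otherwise hit on a string that merely shares the alphabet.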
Reflection
This challenge was a mix of new and old for me. Memory analysis is a new area, and I enjoyed the chance to use Volatility to analyze the filesystem and extract files. The Word document section was also interesting, and I’m not sure if I would have solved it without knowing how to unzip Word documents. I have a lot of experience with encodings like hex and Base32, so the end of the challenge was not too difficult.
I enjoy this type of layered challenge - it’s fun to progress through distinct steps while solving, and I like the small feeling of accomplishment that comes with solving each stage. For the future, I definitely want to learn more about memory analysis and file extraction.