NuLL_Br3aker-Meeseeks and destroy
Challenge name : Meeseeks and destroy
challenge link : download-here
points : 300
level : medium
author : b1nslashsh
Description:
“Rick sent me his memory dump, but it is a while and I can’t fully find it! I think he is also good with ciphers, can you please look some deep! Note: there are two parts of the flag”
Solution
First, we can look at the processes using psscan.
We can see that the Brave browser is running, so let's look at its history.
There is no plugin for it, so we have to do it by hand.
After dumping the physical offsets and on-disk files using filescan,
we can grep the output for brave and then for history.
That gives us the offset of Brave's history file, which we can use to dump the file with dumpfiles.
Opening the dumped SQL file gives a paste link,
and the paste contains some messages.
They say there is an “untitled.data” file and that it has been deleted, so we can grep for it in the MFT using mftparser.
This gives us base64 data, which contains
the first part of the flag!
Now let's find the second part. As the description says, there is a cipher part in the challenge.
Looking at the previous paste once more, we can see that it contains some whitespace, and also something about “snow”.
Using snow gives the second part.
Final FLAG : nbCTF{M4S7erF1L3TaBl3_1S_n07_A_J0Ke_r1Gh7??_h0p3_yoU_enJOyEd!!}
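
For the step where the dumped Brave history file is opened: Brave is Chromium-based and keeps its history in a SQLite database whose urls table holds each URL, its title and its last visit time. The following is an added example, not part of the original write-up; the sample database, its URLs and the function names are constructed for illustration.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chromium stores times as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    """Convert a Chromium/WebKit timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def list_history(db_path, needle=""):
    """Return (last_visit_utc, url, title) for URLs containing needle, newest first."""
    # Open read-only so the dumped evidence file is never modified.
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT last_visit_time, url, title FROM urls "
            "WHERE url LIKE ? ORDER BY last_visit_time DESC",
            (f"%{needle}%",),
        ).fetchall()
    finally:
        con.close()
    return [(webkit_to_utc(t), url, title) for t, url, title in rows]

def build_sample_history():
    """Constructed stand-in for the dumped file; only the columns queried above."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                "visit_count INTEGER, last_visit_time INTEGER)")
    con.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?,?,?,?)",
        [("https://search.example/?q=snow", "search", 3, 13253760000000000),
         ("https://paste.example/abc123", "untitled paste", 1, 13253760060000000)],
    )
    con.commit()
    con.close()
    return path

if __name__ == "__main__":
    sample = build_sample_history()
    for when, url, title in list_history(sample, "paste"):
        print(when.isoformat(), url, title)
    os.remove(sample)
```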