Branching Out

Challenge:

Using the memory dump, what was the date/time on which the web service was starting?

Submit the flag as flag{timestamp}.

Use the file from Inode What You Did Last Summer.

Solution:

Volatility's 'linux_pslist' plugin walks the kernel task list in the dump and prints one row per task with the columns Offset, Name, Pid, PPid, Uid, Gid, DTB and Start Time. The web service on this host is Apache, so we ran the plugin with the profile matching the dumped kernel (Ubuntu 5.4.0-122-generic, x64) and grep'd the output for apache (the grep also drops the column header line):

$ volatility2 --profile LinuxUbuntu_5_4_0-122-genericx64 -f esu-mem-20220727154029.dmp linux_pslist | grep apache
Volatility Foundation Volatility Framework 2.6.1
0xffff9591b9aac680 apache2              10519           1               0               0      0x0000000039b52000 2022-07-26 01:56:10 UTC+0000
0xffff959182a48000 apache2              23695           10519           33              33     0x000000003cb9c000 2022-07-27 13:17:24 UTC+0000
0xffff9591b9aaaf00 apache2              23873           10519           33              33     0x000000003b5ca000 2022-07-27 13:18:12 UTC+0000
0xffff9591829f5e00 apache2              24003           10519           33              33     0x00000000029fa000 2022-07-27 13:18:49 UTC+0000
0xffff9591829f1780 apache2              24383           10519           33              33     0x000000003bca6000 2022-07-27 14:14:34 UTC+0000
0xffff959182a21780 apache2              24527           10519           33              33     0x000000003c978000 2022-07-27 14:36:33 UTC+0000
0xffff959182a25e00 apache2              24529           10519           33              33     0x000000003ce12000 2022-07-27 14:36:33 UTC+0000
0xffff9591839d9780 apache2              24690           10519           33              33     0x0000000003a04000 2022-07-27 14:37:16 UTC+0000
0xffff9591839d8000 apache2              24752           10519           33              33     0x0000000001510000 2022-07-27 14:37:33 UTC+0000
0xffff9591839daf00 apache2              24781           10519           33              33     0x0000000003950000 2022-07-27 14:37:42 UTC+0000
0xffff9591839dde00 apache2              24842           10519           33              33     0x000000003a046000 2022-07-27 14:37:58 UTC+0000

The output contains several apache2 tasks, but only one of them (PID 10519) has PPID 1 and runs as UID 0: that is the Apache master process, spawned by init/systemd when the service was started. Every other apache2 entry has PPID 10519 and UID/GID 33 (www-data on Ubuntu), so those are worker children forked by the master later on, which is why their Start Time values are all more recent. The service start time is therefore the master's Start Time, which is also the earliest timestamp in the list. Note that Volatility derives Start Time from the task's start_time field plus the boot time recovered from the dump, and prints it in UTC, so it is only as reliable as the profile used. We submitted the master's timestamp as the flag:

The accepted flag was: flag{2022-07-26 01:56:10 UTC+0000}
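The same reasoning can be automated so it does not depend on eyeballing the earliest row. The script below is an added example and is not part of the original writeup or of Volatility: it parses the linux_pslist rows shown above (embedded verbatim, with the tool banner, as the sample input), picks the apache2 task whose parent is not itself an apache2 task (the master), checks that all remaining apache2 tasks are its children and started no earlier than it, and builds the flag. The column layout it assumes is the Volatility 2.6 linux_pslist layout: Offset, Name, Pid, PPid, Uid, Gid, DTB, Start Time.

```python
import re
from dataclasses import dataclass

# Sample input: the grep'd linux_pslist output from the writeup above, banner included.
PSLIST_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6.1
0xffff9591b9aac680 apache2              10519           1               0               0      0x0000000039b52000 2022-07-26 01:56:10 UTC+0000
0xffff959182a48000 apache2              23695           10519           33              33     0x000000003cb9c000 2022-07-27 13:17:24 UTC+0000
0xffff9591b9aaaf00 apache2              23873           10519           33              33     0x000000003b5ca000 2022-07-27 13:18:12 UTC+0000
0xffff9591829f5e00 apache2              24003           10519           33              33     0x00000000029fa000 2022-07-27 13:18:49 UTC+0000
0xffff9591829f1780 apache2              24383           10519           33              33     0x000000003bca6000 2022-07-27 14:14:34 UTC+0000
0xffff959182a21780 apache2              24527           10519           33              33     0x000000003c978000 2022-07-27 14:36:33 UTC+0000
0xffff959182a25e00 apache2              24529           10519           33              33     0x000000003ce12000 2022-07-27 14:36:33 UTC+0000
0xffff9591839d9780 apache2              24690           10519           33              33     0x0000000003a04000 2022-07-27 14:37:16 UTC+0000
0xffff9591839d8000 apache2              24752           10519           33              33     0x0000000001510000 2022-07-27 14:37:33 UTC+0000
0xffff9591839daf00 apache2              24781           10519           33              33     0x0000000003950000 2022-07-27 14:37:42 UTC+0000
0xffff9591839dde00 apache2              24842           10519           33              33     0x000000003a046000 2022-07-27 14:37:58 UTC+0000
"""

# One linux_pslist row: Offset Name Pid PPid Uid Gid DTB "Start Time" (assumed 2.6 layout).
ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$"
)


@dataclass
class Task:
    offset: int
    name: str
    pid: int
    ppid: int
    uid: int
    gid: int
    dtb: int
    start: str  # as printed by Volatility, e.g. "2022-07-26 01:56:10 UTC+0000"


def parse_pslist(text):
    """Parse linux_pslist text rows; banner, header and blank lines are skipped."""
    tasks = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        off, name, pid, ppid, uid, gid, dtb, start = m.groups()
        tasks.append(Task(int(off, 16), name, int(pid), int(ppid),
                          int(uid), int(gid), int(dtb, 16), start))
    return tasks


def service_root(tasks, name):
    """Return the task of `name` whose parent is not also `name`: the master process.

    Workers of a forking/prefork server are children of the master, so exactly one
    task of that name should have a parent outside the group.
    """
    group = [t for t in tasks if t.name == name]
    pids = {t.pid for t in group}
    roots = [t for t in group if t.ppid not in pids]
    if len(roots) != 1:
        raise ValueError("expected one %s master, found %d" % (name, len(roots)))
    root = roots[0]
    # Sanity checks: every other task must be a child of the master, and the
    # master must not have started after any of its workers.
    for t in group:
        if t is root:
            continue
        if t.ppid != root.pid:
            raise ValueError("pid %d is not a child of master %d" % (t.pid, root.pid))
        if t.start < root.start:  # ISO-style timestamps compare lexically
            raise ValueError("worker %d started before master %d" % (t.pid, root.pid))
    return root


def service_start_time(text, name="apache2"):
    """Start Time of the service master process, as printed by Volatility."""
    return service_root(parse_pslist(text), name).start


def flag(text, name="apache2"):
    return "flag{%s}" % service_start_time(text, name)


if __name__ == "__main__":
    print(flag(PSLIST_OUTPUT))
```

Run it as-is and it prints the accepted flag; point it at the full (un-grep'd) plugin output and it still works, because the regex ignores the banner and header and the other columns are parsed, not positional. Selecting the master by parent relationship rather than by "lowest timestamp" is the part that generalizes: if the master had been restarted, or an attacker had started a second apache2 under a different parent, the check would fail loudly instead of silently returning an unrelated process.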
