Hackvent 2024: Hidden Medium
[HV24.HM] Mrs. Claus's Secret
This hidden flag was discovered while solving the day 5 challenge: [HV24.05] Last Password
Solution
While analysing the memory dump, we noted that the notepad.exe process might hold interesting data. Specifically, we wanted to see the unsaved text present in the open Notepad window in memory at the time of the dump. Using Volatility 3, we couldn't find an easy way to extract this data. However, we came across a blog post titled "Volatility 3 Plugin: kusertime, notepad, sticky, evtxlog" by Rifqi Ardia Ramadhan. In this post, Rifqi outlines their experience creating plugins for Volatility 3, including a Notepad plugin available at: https://github.com/spitfirerxf/vol3-plugins.
We installed the plugin and ran the following command:
$ py -3 vol.py -f ./dump.raw notepad
This successfully output the in-memory Notepad text:
never gonna give you my last password: t1s1s4t0t4llys3cur3p4ssw0rdn0rocky0utxt
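Without the plugin, the same text can often be recovered by hand, because Notepad keeps its edit buffer in memory as UTF-16LE (every ASCII character is followed by a 0x00 byte), so a plain `strings` run misses it. The script below is an added example, not the author's or the vol3-plugins code: it scans a raw dump for runs of UTF-16LE printable text and filters them by a keyword. The `SAMPLE_DUMP` bytes are constructed here to stand in for a memory image; the password line in it is the one the plugin recovered above.

```python
import re
import sys

# Constructed stand-in for a raw memory image: filler bytes, a Notepad-style
# UTF-16LE edit buffer, more junk, and a second, shorter UTF-16LE string.
PASSWORD_LINE = ("never gonna give you my last password: "
                 "t1s1s4t0t4llys3cur3p4ssw0rdn0rocky0utxt")
SAMPLE_DUMP = (
    b"\x00\x13\x37\xff" * 8                   # 32 bytes of filler
    + PASSWORD_LINE.encode("utf-16-le")       # what Notepad holds in memory
    + b"\x00\x00"                             # UTF-16 NUL terminator
    + b"\x90\x90ABCDEF\xff"                   # ASCII junk, not UTF-16
    + "Secret\n".encode("utf-16-le")          # 7-char string, below default min_len
    + b"\xde\xad\xbe\xef"
)


def find_utf16le_strings(data: bytes, min_len: int = 8) -> list[tuple[int, str]]:
    """Return (offset, text) for every run of at least `min_len` printable
    ASCII characters encoded as UTF-16LE (char byte followed by 0x00)."""
    pattern = re.compile(rb"(?:[\x20-\x7e\t\n\r]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in pattern.finditer(data)]


def find_strings_containing(data: bytes, keyword: str, min_len: int = 8) -> list[str]:
    """Keyword filter (case-insensitive) over the recovered UTF-16LE strings,
    the equivalent of grepping the plugin output for a term like 'password'."""
    needle = keyword.lower()
    return [text for _, text in find_utf16le_strings(data, min_len)
            if needle in text.lower()]


if __name__ == "__main__":
    # Usage: python notepad_strings.py dump.raw [keyword]
    # Reads the whole image into memory; fine for the sizes seen in CTF dumps.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    keyword = sys.argv[2] if len(sys.argv) > 2 else "password"
    for offset, text in find_utf16le_strings(blob):
        if keyword.lower() in text.lower():
            print(f"0x{offset:08x}: {text!r}")
```

The keyword filter is what makes this practical on a multi-gigabyte image: UTF-16LE runs are everywhere in a Windows dump (paths, registry names, UI strings), and the plugin's value is that it walks notepad.exe's own heap rather than the whole image. Raising `min_len` cuts noise further; lowering it to 4 in the sample also surfaces the short `"Secret\n"` string.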
Next, we use steghide with the extracted password on the Bernie image to check for any hidden data:
$ steghide extract -sf image.jpg -p t1s1s4t0t4llys3cur3p4ssw0rdn0rocky0utxt
This spits out a secret-flag.png image, which is a QR code that provides our hidden flag:
Flag:
HV24{p4ssw0rd_h1dd3n_1n_z3_n0tep4d.exe}