HEROCTF WALKTHROUGH

3 min readApr 27, 2021

It’s a write-up of some of the challenges I solved in the heroctf. It’s a good beginner-friendly CTF challenge. It’s helping me to learn more about some attacks and areas. Here in this CTF I mainly focus on web and forensic challenges. But I can’t solve any web challenges. But I solve some of the forensics,osint, and blockchain challenges. It’s a write-up of that challenges.

It’s a memory dump analyzing forensic challenge. In this challenge, we need to find the computer hostname. Here we use volatility to analyze the memory dump.

Volatility is one of the best open source software programs for analyzing RAM in 32 bit/64 bit systems. It supports analysis for Linux, Windows, Mac, and Android systems. It is based on Python and can be run on Windows, Linux, and Mac systems. It can analyze raw dumps, crash dumps, VMware dumps

first we find the information about the os .So here we use the imageinfo plugin .Most often this command is used to identify the operating system, service pack, and hardware architecture (32 or 64 bit), but it also contains other useful information such as the DTB address and time the sample was collected.

we found that the memory dump taken from the Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86

And the next step is to find the hivelist.hivelist plugin is used to locate the virtual addresses of registry hives in memory, and the full paths to the corresponding hive on disk, use the hivelist command. If you want to print values from a certain hive, run this command first so you can see the address of the hives.

These two hive address are we need.

To finding the host name we need \REGISTRY\MACHINE\SYSTEM this hive address

Next step is go to that specific hive address and list all keys and subkeys.So we use the -o flag to specify the offset address of the specific hive address .And the printkey flag is used to display the subkeys, values, data, and data types contained within a specified registry key.And here we use the controlset001 subkey.