tl;dr - Volatility + Corrupted file analysis
Full solution of Easy Husky challenge from ISITDTU Quals 2019.
Challenge Points: 534
Challenge Solves: 37
Solved by: stuxn3t & Nihith
Challenge Description:
Okay, let us take a look at the challenge file. It is a WindowsXP memory dump.
Let us see the command history using the cmdscan plugin.
They created a directory with the name hu5ky_4nd_f0r3n51c
Okay, let us have a look what files are present in the above-mentioned directory/folder.
The file present in the folder is f149999
So let us dump the file by using the dumpfiles plugin.
As you can see it is reversed RAR archive. Just reverse the bytes to get the proper archive.
So after correcting the archive, we see that it is a locked archive. Hmm, have to search for the password.
Luckily I guessed that the folder-name was in l33t, so it could be the password. Voila, and we got the flag.
ISITDTU{1_l0v3_huskyyyyyyy<3}