🕵️ Stealth Invasion – CTF Write-Up
💻 Challenge Background:
Selene's normally secure laptop recently fell victim to a covert attack. A malicious Chrome extension was stealthily installed under the guise of a productivity tool. After noticing unusual network activity, Selene needs to trace the attack, remove the threat, and secure her system.
Our job: analyze the memory dump and recover key pieces of forensic evidence.
📦 Step 1: Initial Analysis
After downloading and extracting the provided file, we identify it as an ELF binary:
file memdump.elf
However, both Volatility and GDB failed to process the dump — likely because this was a Windows memory dump from a WSL (Windows Subsystem for Linux) environment. Binwalk, interestingly, revealed Windows-related content, further hinting at a hybrid memory space.
🔍 Step 2: Switch to Manual Analysis
With automated tools failing, we pivot to manual string analysis:
strings memdump.elf > strings.txt
We perform all analysis from this point forward by searching keywords within strings.txt.
🧩 Answers
1. What is the PID of the Original (First) Google Chrome process:
Search for:
chrome.exe
Look for the first instance of chrome.exe paired with a PID-like pattern.
Example pattern in strings:
chrome.exe --type=...
PID: 3456
2. What is the only Folder on the Desktop:
Search for:
Desktop
Look for a full path such as:
C:\Users\selene\Desktop\MalwareLogs
3. What is the Extension's ID:
Chrome extensions are stored under:
C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Extensions\
Search for this path, or look for a 32-character lowercase string using only the letters a–p (the Chrome extension ID alphabet) in strings.txt:
hlkenndednhfkekhgcdicdfddnkalmdm
4. What is the log filename in which the data is stored:
Search for suspicious filenames in the extension’s strings. You’ll find keylogger-like logs such as:
logX
logY
logZ
The pattern used is consistent, and all logs begin with log.
5. What is the URL the user navigated to:
Found in a keylogger log:
drive.google.comEnter\r\nselene|Shift|@rangers.eldoria.comEnter\r\nclip-mummify-proofs
This shows the user navigating to:
6. What is the password of selene@rangers.eldoria.com:
Same keylog entry shows the password being typed after the email:
clip-mummify-proofs
Typed out character-by-character across multiple lines — classic keylogger dump.
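The keyword searches in steps 2 through 6 can be collapsed into one triage pass. The script below is an added example, not part of the original write-up: it runs the extension-ID, Desktop-folder and keylog-entry searches over a constructed sample of `strings` output and splits a keylog run on its "Enter" terminators, dropping the inline |Shift| token. The Ctrl/Alt modifier names and the sample lines other than the quoted extension ID and keylog run are assumptions.

```python
import re

# Constructed sample in the shape of `strings memdump.elf` output (illustrative
# only; the extension ID and keylog run mirror the values quoted in the write-up).
SAMPLE_STRINGS = r"""C:\Windows\System32\svchost.exe
chrome.exe --type=renderer --field-trial-handle=1234
C:\Users\selene\Desktop\MalwareLogs
C:\Users\selene\AppData\Local\Google\Chrome\User Data\Default\Extensions\hlkenndednhfkekhgcdicdfddnkalmdm\1.0_0\manifest.json
drive.google.comEnter\r\nselene|Shift|@rangers.eldoria.comEnter\r\nclip-mummify-proofs
"""

# Chrome extension IDs are 32 lowercase letters drawn only from a-p.
EXT_ID_RE = re.compile(r"Extensions\\([a-p]{32})\b")
DESKTOP_RE = re.compile(r"[A-Za-z]:\\Users\\[^\\\r\n]+\\Desktop\\([^\\\r\n]+)")
# Modifier tokens written inline by the logger; only |Shift| appears in the dump,
# Ctrl/Alt are assumed for robustness.
MODIFIER_RE = re.compile(r"\|(?:Shift|Ctrl|Alt)\|")
# Each submitted field ends with the word "Enter" plus an escaped CRLF (the four
# characters \r\n), which is why the whole run survives as one `strings` line.
FIELD_END_RE = re.compile(r"Enter(?:\\r\\n)?")

def find_extension_ids(text):
    return sorted(set(EXT_ID_RE.findall(text)))

def find_desktop_folders(text):
    return list(dict.fromkeys(DESKTOP_RE.findall(text)))  # dedup, keep order

def parse_keylog(entry):
    """Split one keylog run into submitted fields, dropping modifier tokens.
    Caveat: a typed word that itself contains "Enter" would also be split."""
    fields = []
    for raw in FIELD_END_RE.split(entry):
        cleaned = MODIFIER_RE.sub("", raw)
        if cleaned:
            fields.append(cleaned)
    return fields

def find_keylog_entries(text):
    return [ln for ln in text.splitlines() if r"Enter\r\n" in ln or "|Shift|" in ln]

def triage(text):
    """Pull out in one pass what the write-up located by keyword search."""
    return {
        "extension_ids": find_extension_ids(text),
        "desktop_folders": find_desktop_folders(text),
        "keylog": [parse_keylog(e) for e in find_keylog_entries(text)],
    }
```

Point `triage()` at the contents of strings.txt; each keylog entry comes back as the list of fields the user submitted, so a field containing "@" followed by another field is the username/password pair to flag.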
🧠 Final Thoughts
This challenge was unique in that automated tools like Volatility and GDB didn't help. Instead, manual strings analysis saved the day. It’s a great reminder that when tools fail, a trained human eye (and a bit of patience) is often the best tool of all.