CIA
Initializing Cyber Invasion
Home Shinigami Soul Society Archives Contact Enlist →
Back to Writeups
Writeup

Mem_Ready to Send

Memory forensics writeup for recovering a Base64 staged exfiltration payload hidden behind a SYSLOG marker.

EWU National ROBOFESTMemory ForensicsBase64CTF

Overview

The Mem_Ready to Send challenge required analysis of a raw memory image to locate data staged before exfiltration. The payload was disguised as a system log entry inside memory associated with conhost.exe.

By extracting printable strings, filtering for the SYSLOG marker, and decoding the Base64 payload, the hidden flag was recovered.

Challenge Name: Mem_Ready to Send
Category: Memory Forensics
Points: 400
Artifact: Shadow_Memory.raw
Process Hint: conhost.exe
Encoding: Base64
Recovered Flag: ROBOFEST{b4s364_1n_m3m0ry_3xf1l}

Objective

The goal was to identify the staged exfiltration payload inside the memory dump, determine its encoding, decode it, and submit the recovered flag.

Tools Used

strings  Extract printable strings from the raw memory image
grep     Filter extracted strings for log-related indicators
awk      Extract the encoded value after the SYSLOG marker
base64   Decode the staged payload into readable flag content

Investigation

Because the challenge described the payload as a system log entry, the first step was to extract printable strings from the memory image and search for log-related markers.

strings -a Shadow_Memory.raw | grep -i "syslog"

This returned a suspicious entry:

[SYSLOG]: Uk9CT0ZFU1R7YjRzMzY0XzFuX20zbTByeV8zeGYxbH0=

The value after the SYSLOG prefix had the usual shape of Base64 encoded data: printable alphanumeric characters with padding at the end.

Uk9CT0ZFU1R7YjRzMzY0XzFuX20zbTByeV8zeGYxbH0=

Decoding it produced the flag.

echo 'Uk9CT0ZFU1R7YjRzMzY0XzFuX20zbTByeV8zeGYxbH0=' | base64 -d
ROBOFEST{b4s364_1n_m3m0ry_3xf1l}

One-Line Solution

strings -a Shadow_Memory.raw | grep -i "syslog" | awk -F': ' '{print $2}' | base64 -d

Python Reproduction

#!/usr/bin/env python3
import base64
import re
import sys

if len(sys.argv) != 2:
    print(f"Usage: python3 {sys.argv[0]} Shadow_Memory.raw")
    sys.exit(1)

path = sys.argv[1]

with open(path, "rb") as f:
    data = f.read()

strings = re.findall(rb"[\x20-\x7e]{6,}", data)
b64_re = re.compile(rb"\[SYSLOG\]:\s*([A-Za-z0-9+/=]{16,})")

for s in strings:
    match = b64_re.search(s)
    if not match:
        continue

    payload = match.group(1)

    try:
        decoded = base64.b64decode(payload, validate=True)
    except Exception:
        continue

    if b"ROBOFEST{" in decoded:
        print("[+] SYSLOG entry:", s.decode(errors="ignore"))
        print("[+] Base64:", payload.decode())
        print("[+] Decoded:", decoded.decode(errors="ignore"))

Why This Worked

Memory captures preserve process buffers, command output, and printable data that may never appear as files on disk. Here, the staged payload was left in RAM with a believable SYSLOG prefix. String extraction exposed the fake log entry, and Base64 decoding revealed the original payload.

Final Flag

ROBOFEST{b4s364_1n_m3m0ry_3xf1l}