The Art of Capture Discussion [FORENSICS] [HINTS] [HTB]

Thanks for the info …

After extracting rev.exe (shell.exe), I run it and attach a debugger. I see the contents of the decrypted shellcode in 1400014B0 but I still don’t see any flag there. Any ideas?

The shellcode is encrypted, which may be why you can’t read the flag. Run the executable and check the memory image strings via Process Hacker. You’ll find it.

I’m running rev.exe and opening it with Process Hacker. Go to the memory tab, analyze strings. I don’t see anything that resembles the second half of a flag. Is it encrypted too? I see references to an IP my machine doesn’t have, and a long string that has underscores and hyphens.

There’s an option before scanning the strings called image strings. Tick the image option and then run it.
Search for }


Yeah, the image (0x140000000) is the only check I have enabled and I still don’t see any flag-looking string. I must be doing something wrong here. I’ll try again tomorrow and retrieve all artifacts from scratch again 🙂

Exclusive content for this challenge will be available soon.

Exclusive content is now available for The Art of Capture.

What is Exclusive Content?


You can still ask for help and specific hints in this thread.