Forensics – EzDump-Compromised

EzDump - Compromised writeup by srdnlen

Category: Forensics. Solves: 35. Points: 200

Description:

We do not understand. We changed the password of k3vin, but it looks like someone can still access his account.

Can you please find out how the hacker did it?

The dump is the same as the one from EzDump - Build me.

Writeup

This is the fourth level of the EzDump challenge series. We have a RAM dump (dump.mem) of a CentOS system. In the previous challenges we built the Volatility profile for the dump and analyzed the running processes, and we found a user named k3vin. At first we thought about using Volatility to find the flag, but in the end we found it with a completely different approach.

To find the flag, it is enough to run strings and grep over the dump.mem file:

strings dump.mem | grep k3vin

This prints a large amount of text. Looking through it, we find this line:

# Well played : c2hrQ1RGe3JjLmwwYzRsXzFzX2Z1bm55X2JlMjQ3MmNmYWVlZDQ2N2VjOWNhYjViNWEzOGU1ZmEwfQo=

The part after the colon is base64. Decoding it (for example with base64 -d, or an online decoder) gives the flag:

shkCTF{rc.l0c4l_1s_funny_be2472cfaeed467ec9cab5b5a38e5fa0}

The flag text hints at /etc/rc.local, the script that CentOS runs as root at boot, as the place where the attacker kept access to the box; for this level the flag alone was enough, so we did not examine it further.
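The strings | grep | base64 -d chain above works, but on a multi-gigabyte dump it is easy to miss a hit among thousands of lines, and many long alphanumeric runs (hashes, paths, keys) look like base64 without being it. The script below is an added example, not part of srdnlen's writeup: it re-implements the same steps in Python, with a strings-like extractor, a grep-like filter on the username, strict base64 validation so false positives are dropped, and a check that the decoded text starts with the flag prefix. The SAMPLE_DUMP bytes, the shkCTF{ prefix, the decoy lines and the function names are all constructed for the example; the only real value in it is the base64 string from the dump quoted above.

```python
import base64
import binascii
import re
import sys

# Constructed sample "memory dump" (not the real dump.mem): binary junk with a
# few printable runs, one of which carries the base64 string from the writeup.
SAMPLE_DUMP = (
    b"\x7fELF\x01\x02" + b"\xff" * 16
    + b"k3vin:x:1000:1000::/home/k3vin:/bin/bash\x00"
    + b"\x90" * 8
    + b"# Well played : c2hrQ1RGe3JjLmwwYzRsXzFzX2Z1bm55X2JlMjQ3MmNmYWVlZDQ2N2VjOWNhYjViNWEzOGU1ZmEwfQo=\n\x00"
    + b"\x01\x02\x03\x04" * 3
    # decoys: valid base64 that is not a flag, and a long token that is not base64 at all
    + b"k3vin note: bm90aGluZyB0byBzZWUgaGVyZQ==\x00"
    + b"session k3vin ZZZZZZZZZZZZZZZZZ\x00"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")         # what `strings` prints by default
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")    # only long base64-looking tokens


def extract_strings(data, min_len=4):
    """Mimic `strings`: return runs of printable ASCII of at least min_len bytes."""
    return [m.group().decode("ascii")
            for m in PRINTABLE_RUN.finditer(data)
            if len(m.group()) >= min_len]


def decode_base64_candidates(lines, flag_prefix="shkCTF{"):
    """Strictly decode every base64-looking token in lines; keep those that decode to a flag."""
    hits = []
    for line in lines:
        for tok in B64_TOKEN.findall(line.encode("ascii")):
            try:
                plain = base64.b64decode(tok, validate=True)
            except binascii.Error:
                continue            # looked like base64 (hash, path, padding) but is not
            text = plain.decode("utf-8", errors="replace").strip()
            if text.startswith(flag_prefix):
                hits.append((line, text))
    return hits


def find_flags(dump, keyword="k3vin", flag_prefix="shkCTF{"):
    """strings | grep keyword, then decode. Returns (source line, decoded flag) pairs."""
    lines = extract_strings(dump)
    # grep equivalent, widened to any line carrying a long base64-looking token, so the
    # result does not depend on the username sitting on the same printable run as the flag
    interesting = [l for l in lines
                   if keyword in l or B64_TOKEN.search(l.encode("ascii"))]
    return decode_base64_candidates(interesting, flag_prefix)


if __name__ == "__main__":
    # usage: python3 find_flag.py [dump.mem]; without an argument the built-in sample is used
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE_DUMP
    for src, flag in find_flags(data):
        print(f"{flag}    <- {src}")
```

Run without arguments it scans the constructed sample and prints only the real flag; the "nothing to see here" decoy is valid base64 but fails the prefix check, and the run of Z's fails strict decoding because its length is not a valid base64 length. Reading a real dump with one read() call is fine for the 1 GB class of CTF images; for larger dumps, feed the output of the real strings into decode_base64_candidates instead.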
