
Recover a file from the user's desktop | evilmorty.dmp | Show me what you got
switch :: ~/CTF/inter_iut/morty » file evilmorty.dmp
evilmorty.dmp: MS Windows 32bit crash dump, PAE, full dump
switch :: ~/CTF/inter_iut/morty » volatility -f evilmorty.dmp --profile=Win7SP1x86_23418 filescan | grep Desktop
Volatility Foundation Volatility Framework 2.6
0x0000000015610038 2 1 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop
0x00000000188c8438 1 1 R--r-- \Device\HarddiskVolume2\Users\Bonjour\Desktop\confidentiel.pdf
switch :: ~/CTF/inter_iut/morty » volatility -f evilmorty.dmp --profile=Win7SP1x86_23418 dumpfiles -Q 0x00000000188c8438 -D .
switch :: ~/CTF/inter_iut/morty » file file.None.0x84f03378.dat
file.None.0x84f03378.dat: PDF document, version 1.4
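The three steps above (scan the dump for file objects, pick the one under the user's Desktop, dump it by its physical offset and check what came out) are worth scripting once you have more than one file to pull. The Python below is an added example written for this page, not part of the original writeup or of Volatility itself: it parses the `filescan` output format shown in the transcript, keeps one entry per Desktop file (filescan frequently lists the same path several times, one `_FILE_OBJECT` per open or cached instance), builds the matching `dumpfiles -Q` command lines, and adds the check a practitioner wants afterwards: Volatility 2's `dumpfiles` writes zeros for pages that were not resident in memory, so a dumped PDF that `file` happily identifies can still be a sparse reconstruction. The sample filescan text is constructed; the two Desktop lines are the ones from the transcript, the duplicate `confidentiel.pdf` row and the `SYSTEM` hive row are made up to exercise de-duplication and filtering. Note also that the hex in the output name `file.None.0x84f03378.dat` is a kernel virtual address of the section object Volatility walked (`.dat` = DataSectionObject), not the physical offset passed to `-Q`, so it will not grep back against the filescan listing.

```python
import re
from math import ceil

# Constructed sample of Volatility 2.6 `filescan` output (see lead-in).
# Columns: Offset(P), #Ptr, #Hnd, Access, Name.
SAMPLE_FILESCAN = r"""
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x0000000015610038      2      1 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop
0x00000000188c8438      1      1 R--r-- \Device\HarddiskVolume2\Users\Bonjour\Desktop\confidentiel.pdf
0x000000001a2b0f20      1      0 R--r-- \Device\HarddiskVolume2\Users\Bonjour\Desktop\confidentiel.pdf
0x000000001b0c2a10      1      1 RW-rwd \Device\HarddiskVolume2\Windows\System32\config\SYSTEM
"""

# One filescan row: physical offset of the _FILE_OBJECT, pointer and handle
# counts, the six-character access string, then the path.
FILESCAN_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<ptr>\d+)\s+(?P<hnd>\d+)\s+(?P<access>\S+)\s+(?P<path>\S.*)$"
)
# A file (not the Desktop directory itself) under any user's Desktop folder.
DESKTOP_FILE = re.compile(r"\\Users\\(?P<user>[^\\]+)\\Desktop\\(?P<name>.+)$", re.IGNORECASE)


def parse_filescan(text):
    """Return the filescan rows as dicts; banner, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FILESCAN_ROW.match(line.strip())
        if not m:
            continue
        rows.append({
            "offset": int(m["offset"], 16),   # numeric, for arithmetic or sorting
            "offset_hex": m["offset"],        # verbatim, for the -Q argument
            "ptr": int(m["ptr"]),
            "hnd": int(m["hnd"]),
            "access": m["access"],
            "path": m["path"],
        })
    return rows


def select_desktop_files(rows, user=None):
    """Keep files under a user's Desktop folder, one row per path.

    Duplicate paths are collapsed to the object with the most open handles;
    if that one dumps zero-padded, the other offsets are worth trying too.
    """
    seen, picked = set(), []
    for row in sorted(rows, key=lambda r: -r["hnd"]):  # stable: keeps filescan order otherwise
        m = DESKTOP_FILE.search(row["path"])
        if not m:
            continue
        if user is not None and m["user"].lower() != user.lower():
            continue
        key = row["path"].lower()
        if key in seen:
            continue
        seen.add(key)
        picked.append(dict(row, user=m["user"], name=m["name"]))
    return picked


def dumpfiles_commands(rows, dump, profile, outdir="."):
    """Build the `dumpfiles -Q <offset>` command line for each selected row."""
    return [
        f"volatility -f {dump} --profile={profile} dumpfiles -Q {r['offset_hex']} -D {outdir}"
        for r in rows
    ]


def magic_type(data):
    """Cheap stand-in for file(1): classify a dumped object by its first bytes."""
    if data.startswith(b"%PDF-"):
        return "PDF"
    if data.startswith(b"PK\x03\x04"):
        return "ZIP"
    if data.startswith(b"MZ"):
        return "PE"
    return "unknown"


def zero_page_ratio(data, page=4096):
    """Fraction of 4 KiB pages in a dumped file that are entirely zero.

    dumpfiles fills pages that were not resident with zeros, so a high ratio
    means the file is a sparse reconstruction (a PDF may be missing its xref).
    """
    if not data:
        return 0.0
    pages = ceil(len(data) / page)
    zero = sum(1 for i in range(pages) if not data[i * page:(i + 1) * page].strip(b"\0"))
    return zero / pages


if __name__ == "__main__":
    rows = select_desktop_files(parse_filescan(SAMPLE_FILESCAN), user="Bonjour")
    for cmd in dumpfiles_commands(rows, "evilmorty.dmp", "Win7SP1x86_23418"):
        print(cmd)
```

In practice you would pipe the real `filescan` output into `parse_filescan`, run the printed commands, then open each `file.*.dat` and feed its bytes to `magic_type` and `zero_page_ratio` before trusting the recovered document.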
