On a client computer of a merchandise transport company, an employee realized that a command prompt containing commands appeared on the screen. The company contacted NianSec, a computer security company to assess the risk. John, trainee, was tasked to retrieve the memory of the windows system. By mistake, he only extracted the pagefile of the system before turning off the machine. You must retrace the attack and understand what happened on the machine.
Okay, we got pagefile. After a some magic with “strings and grep”, I noticed very important words in task summary:
command prompt containing commands appeared on the screen
After this I tried to google some info about restoring data from page file and saw interesting idea (http://blog.roberthaist.com/2013/12/restoring-windows-cmd-sessions-from-pagefile-sys-2/). And… Wait… Why just not to try to search welcome string of cmd.exe ? Nice job! It looks like that we found telnet to the server with entered credentials and strange output from the server.
Neither 04c0f778e6dd6c0a or 200020012002 or 025e48c9f5f22f87 is not flag, but 04c0f778e6dd6c0a025e48c9f5f22f87 it is ;)