AF-3DFB-DC · Disk + Memory
Cross Cipher
DOWNLOADABLE real artifact. A key leaked in a RAM dump embedded on disk; decrypt the SHA256-CTR keystream container. A fake password is a trap.
Scenario
Inside a 6 MiB disk image there is a RAM dump region, and the encryption key has leaked in memory. Extract the key from RAM, decrypt the encrypted container (the header hints at the algorithm: SHA256-CTR keystream) and retrieve the flag inside. The flag exists only in encrypted form; it is not visible via strings. A text file holds a plausible but wrong password.
Anti-forensics techniques
- RAM-in-image (memory dump on disk)
- Key leakage from memory
- Keystream encryption (SHA256-CTR)
- Fake password (red herring)
Provided artifacts
- Disk image (6 MiB): RAM dump region + encrypted container + fake password
Sample questions
- q1: What is the encryption key (passphrase) leaked from memory?
- q2: What flag appears when the container is decrypted?
- q3: From which source was the key recovered? (ram/memory)
- trap1: Do NOT report the fake password as the solution.
Soundness trap
The fake password in the text file does not open the container; presenting it as the solution is heavily penalized. The key is only in the RAM region.
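The following is an added example, not part of the challenge or its answer key: a miniature of the scenario showing why a candidate key must be verified against the container instead of trusted because it looks like a password. The keystream construction (SHA256 of key plus an 8-byte counter), the `SCTR1` magic, the length field, the `FLAG{` marker and the image layout are all assumptions made for illustration; the real image's format is not given on this page.

```python
import hashlib
import re

MAGIC = b"SCTR1\x00"      # assumed container magic (constructed for this example)
FLAG_PREFIX = b"FLAG{"    # assumed known-plaintext marker (constructed)

def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode: block i = SHA256(key || i as 8-byte big-endian)."""
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return bytes(out[:n])

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR against the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def build_image(real_key: bytes, fake_pw: bytes, flag: bytes) -> bytes:
    """Constructed miniature layout: decoy text file, RAM region, container."""
    ct = xor_crypt(real_key, flag)
    container = MAGIC + len(ct).to_bytes(2, "big") + ct
    return (b"\x00" * 512 + fake_pw + b"\n" + b"\x00" * 512   # decoy file
            + b"\x00\x07" + real_key + b"\x00" * 512          # RAM region
            + container)

def recover(image: bytes):
    """Try each printable run as a key; accept only one that verifies."""
    off = image.index(MAGIC) + len(MAGIC)
    size = int.from_bytes(image[off:off + 2], "big")
    ct = image[off + 2:off + 2 + size]
    rejected = []
    for m in re.finditer(rb"[\x20-\x7e]{8,}", image):
        cand = m.group()
        plain = xor_crypt(cand, ct)
        if plain.startswith(FLAG_PREFIX):
            return cand, plain, rejected
        rejected.append(cand)      # looked like a secret, did not decrypt
    return None, None, rejected

if __name__ == "__main__":
    img = build_image(b"ram-leaked-passphrase", b"Backup2023!vault",
                      b"FLAG{constructed-example}")
    key, flag, rejected = recover(img)
    print("key:", key, "flag:", flag, "rejected:", rejected)
```

Because a keystream cipher decrypts any key to some byte string without error, the only evidence that a candidate is right is recognizable plaintext; the decoy here ends up in `rejected` for exactly that reason.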
Scoring
Cross-artifact chain + crypto solve + fake-password resistance.
Download and solve
The answer key is hidden (scored set); the flag is encrypted, so you must decrypt it.