CyberTalents - Monaliza

1 minute read

1- we will unzip the folder we will notice that the extension of the extracted file is monaliza.mem

2- what is .mem extension ? it’s image of memory dump , so we will use this awesome tool Volatility to investigate it.

3- we will use imageinfo to see the suggested profile of the memory dump as we see : 2

it’s WinXPSP2x86.

4- then we will see the processes that were opened while the memory aquisition with pslist as we see : 2 That’s many processes to investigate


but wait don’t forget that the name of the challenge is Monaliza , so we will just see mspaint.exe


5- then we will dump the process with memdump -p 800 (which is process id) -D (where you want to dump it) as we see : 4 the dumped process will be with extension .dmp

6- then we will use Gimp tool to open it but first we need to change the extension to .data to open the raw data with Gimp. after playing with the offset too much time :(.


then i find it



then we will rotate the image and we will get the flag :), i’ll not write the flag to try it and learn without just copying it :).

Hope You Enjoy This.