
# Volatility-Traces - MntcrlCTF 2026

June 28, 2026 · Carbo

## Description

It’s been a while since I’ve seen a Volatility challenge.

## Initial Analysis

First, let’s identify the provided file.

```
file challenge.vmem
challenge.vmem: Windows Event Trace Log
```

Although `file` misidentifies it as a Windows Event Trace Log, Volatility still parses it correctly.

Running `windows.info` confirms that this is a Windows 10 x64 memory image.

```
vol -f challenge.vmem windows.info
```

Output (trimmed):

```
Kernel Base        0xf8000d800000
DTB                0x1ad000
Major/Minor        15.19041
MachineType        34404
SystemTime         2026-05-14 18:11:59+00:00
NtSystemRoot       C:\Windows
...
```

## Process Enumeration

The next step is to enumerate the running processes.

```
vol -f challenge.vmem windows.pslist
```

Among the running processes, mstsc.exe immediately caught my attention: it is the Microsoft Remote Desktop client, so its presence indicates that the user established an RDP session. Since the RDP client often keeps the remote desktop framebuffer in its process memory, dumping that process was the most promising approach.

```
1980    804    mstsc.exe    0xa1897ee82080    ...
```

## Dumping the RDP Process

To extract the memory belonging to the RDP client, dump its memory mappings with `windows.memmap`, selecting the process by PID.

```
vol -f challenge.vmem windows.memmap --pid 1980 --dump -o dump/
```

This writes one or more raw memory dump files into `dump/`.

## Recovering the Screen

The dumped memory does not contain a standard image format such as PNG or BMP. Instead, it holds raw pixel data, so it has to be imported manually as a raw image.

Open the dumped file in GIMP as a raw image (File → Open As Layers or Open → Select File Type → Raw image data, depending on the version).

Since the dump contains raw pixel data, GIMP will ask for the image dimensions.

The only challenge here is finding the correct width and height. There are only a handful of common screen resolutions, so trying a few combinations quickly reveals the correct image.

Once the correct dimensions are selected, the RDP desktop becomes visible.
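The resolution hunt can be automated instead of clicking through GIMP's dialog. The script below is an added example of mine, not code from the write-up or from Volatility or GIMP: it scores each candidate width by how similar vertically adjacent rows are (with the right width, neighbouring rows of a desktop are almost identical; with a wrong one the image shears), picks the best, and writes a PPM that any image viewer opens. It assumes 32-bit BGRA pixels and a framebuffer starting at offset 0 of the data it is given; in a real memmap dump the framebuffer sits somewhere inside a much larger file, so you may have to slice that region out first. The candidate-width list and the synthetic sample framebuffer used when no file is passed are also my assumptions.

```python
"""Guess the row width of a raw framebuffer dump and export it as a PPM.

Added example, not part of the original write-up.  Assumptions: 32-bit BGRA
pixels (the usual Windows framebuffer layout) and a framebuffer that starts
at offset 0 of the data passed in.
"""
import sys

BYTES_PER_PIXEL = 4  # assumption: 32-bit BGRA

# Widths of common desktop resolutions to try first (assumed list, extend freely).
COMMON_WIDTHS = [800, 1024, 1280, 1366, 1440, 1600, 1680, 1920, 2560]


def row_score(data, width, bpp=BYTES_PER_PIXEL, rows=64):
    """Mean absolute difference between vertically adjacent bytes.

    With the correct width, neighbouring rows of a screenshot are nearly
    identical and the score is low; a wrong width shears the image so that
    row r+1 is unrelated to row r and the score rises.  Only the first
    `rows` rows are compared, which keeps this cheap on large dumps.
    Returns inf when the data is too short to hold two rows of this width.
    """
    stride = width * bpp
    usable = min(rows, len(data) // stride - 1)
    if usable < 1:
        return float("inf")
    total = 0
    for r in range(usable):
        cur = data[r * stride:(r + 1) * stride]
        nxt = data[(r + 1) * stride:(r + 2) * stride]
        total += sum(abs(a - b) for a, b in zip(cur, nxt))
    return total / (usable * stride)


def guess_width(data, candidates=COMMON_WIDTHS, bpp=BYTES_PER_PIXEL):
    """Return (best_width, ranked list of (score, width)), best first.

    Ties go to the smaller width, because an integer multiple of the true
    width also lines rows up and scores almost as well.
    """
    ranked = sorted((row_score(data, w, bpp), w) for w in candidates)
    return ranked[0][1], ranked


def to_ppm(data, width, bpp=BYTES_PER_PIXEL):
    """Convert BGRA pixels to a binary PPM (P6); height follows from the size."""
    stride = width * bpp
    height = len(data) // stride
    out = bytearray(b"P6\n%d %d\n255\n" % (width, height))
    for i in range(0, height * stride, bpp):
        b, g, r = data[i], data[i + 1], data[i + 2]  # alpha byte is dropped
        out += bytes((r, g, b))
    return bytes(out)


def make_test_framebuffer(width=64, height=40):
    """Constructed sample: vertical stripes plus a gentle per-row gradient, so
    adjacent rows differ by exactly one per colour channel (no wrap-around)."""
    fb = bytearray()
    for y in range(height):
        for x in range(width):
            fb += bytes(((2 * x + y) % 256, (3 * x + y) % 256, (x + y) % 256, 255))
    return bytes(fb)


if __name__ == "__main__":
    # Usage: python guess_width.py <raw dump> [out.ppm]; no arguments runs the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_test_framebuffer()
    best, ranked = guess_width(raw, candidates=COMMON_WIDTHS + [48, 60, 64, 80, 128])
    for score, w in ranked[:5]:
        print(f"width {w:5d}  score {score:8.2f}")
    out = sys.argv[2] if len(sys.argv) > 2 else "framebuffer.ppm"
    with open(out, "wb") as fh:
        fh.write(to_ppm(raw, best))
    print(f"best guess: {best}, wrote {out}")
```

Pass the dump (or the sliced framebuffer region) as the first argument and open the resulting PPM; a BGRA-versus-RGBA mix-up only swaps colours, not alignment, so a recognisable desktop with odd colours still means the width is right. The height is simply the remaining data divided by the stride, and the real framebuffer often does not start exactly at a dump boundary, so a shifted but correctly aligned image means the offset, not the width, still needs adjusting.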

## Recovering the QR Code

The recovered desktop contains a partially visible QR code.

Since only a small portion of the QR code is missing, it can be reconstructed manually in any image editor before scanning it.

The decoded QR code contains the flag.

```
mntcrl{pwnc3tt4_3_p3c0r1n0_1s_th3_b3st_t34m}
```

~ Carbo