Scenario

Using Volatility, utilize your memory analysis skills as a security blue team analyst to investigate the provided Linux memory snapshots and figure out attack details.

Instructions:

https://cyberdefenders.org/blueteam-ctf-challenges/seized/


Note: we have to put the zip file in this path.

1- What is the CentOS version installed on the machine?

7.7.1908

The memory profile is labeled Centos7.3.10.1062. We did a Google search for it and found this:

https://en.wikipedia.org/wiki/CentOS#CentOS_version_7

2- There is a command containing a strange message in the bash history. Will you be able to read it?

shkCTF{l3ts_st4rt_th3_1nv3st_75cc55476f3dfe1629ac60}