NITCTF Breach 2

Mon, 22 Jun 2026 12:09:45 +0100

NIT Breach 2 — Memory Forensics Writeup

category: forensics / memory Analysis Tooling: Volatility 3 Image: nit_breach_2.raw (Ubuntu Linux memory dump) Flag: nmctf{num1d14n_m3m0ry_s3cr3t_7c2b8a}

first instincts

I ran strings on the image, grepped for “nmctf{” but found nothing, afterwards i ran strings and grepped for “classified_secrets”

strings -t d nit_breach_2.raw | grep -iE "classified_secrets"

got:

321038056 ./nit_numidian_db/classified_secrets

next thing i did was regex scan for “classified_secrets”

python3 vol.py -f nit_breach_2.raw linux.vmaregexscan.VmaRegExScan --pattern "classified_secrets"

3105 mariadbd 0x791e544ec4ac classified_secrets 63 6c 61 73 73 69 66 69 65 64 5f 73 65 63 72 65 74 73

aha! the process is mariadbd, with PID 3105
now we know wassup, we start our digging.

Step 1 — Find the MariaDB process (`PsList`)

python3 vol.py -f nit_breach_2.raw linux.pslist.PsList | grep -iE "maria|mysql"

0x8b10029f5200 3105 3105 1 mariadbd ... 2026-06-18 17:50:00 UTC Disabled

made sure mariadb is running as: mariadbd, PID 3105.

vanir's blog

NITCTF Breach 2

NIT Breach 2 — Memory Forensics Writeup

first instincts

aha! the process is mariadbd, with PID 3105 now we know wassup, we start our digging.

Step 1 — Find the MariaDB process (PsList)

aha! the process is mariadbd, with PID 3105
now we know wassup, we start our digging.

Step 1 — Find the MariaDB process (`PsList`)