Tags: volatility memorydump forensics 

# Attaaaaack3

## Background

Q3. I think the user left a note on the machine. Can you find it?

Author : 0xSh3rl0ck

![](https://raw.githubusercontent.com/siunam321/CTF-Writeups/main/CrewCTF-2023/images/Pasted%20image%2020230710142827.png)

## Find the flag

**Volatility 2 has a plugin called `clipboard` that dumps the entire clipboard buffer. (Only Volatility 2 has this plugin.)**

```shell
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.08|18:06:22(HKT)]
└> python2 /opt/volatility/vol.py --profile=Win7SP1x86 -f memdump.raw clipboard
Volatility Foundation Volatility Framework 2.6.1
Session    WindowStation Format                 Handle Object     Data
---------- ------------- ------------------ ---------- ---------- --------------------------------------------------
         1 WinSta0       CF_UNICODETEXT        0xa00d9 0xfe897838 1_l0v3_M3m0ry_F0r3ns1cs_S0_muchhhhhhhhh
         1 WinSta0       0x0L                     0x10 ----------
         1 WinSta0       0x2000L                   0x0 ----------
         1 WinSta0       0x0L                   0x3000 ----------
         1 ------------- ------------------   0x1a02a9 0xfe670a68
         1 ------------- ------------------   0x100067 0xffbab448
```

Nice! We found that weird text!

- **Flag: `crew{1_l0v3_M3m0ry_F0r3ns1cs_S0_muchhhhhhhhh}`**
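
When the same check has to be repeated across several images, the plugin's fixed-width table can be parsed into records and filtered for text entries. The following is an added example, not part of the original writeup: `SAMPLE` is constructed from the run above, and the function names and the `TEXT_FORMATS` set are assumptions of this example.

```python
"""Parse Volatility 2 `clipboard` plugin output into records (added example)."""

# Constructed sample in the plugin's fixed-width layout, values taken from the run above.
SAMPLE = """\
Session    WindowStation Format                 Handle Object     Data
---------- ------------- ------------------ ---------- ---------- --------------------------------------------------
         1 WinSta0       CF_UNICODETEXT        0xa00d9 0xfe897838 1_l0v3_M3m0ry_F0r3ns1cs_S0_muchhhhhhhhh
         1 WinSta0       0x0L                     0x10 ----------
         1 ------------- ------------------   0x1a02a9 0xfe670a68
"""

# Assumption of this example: only these standard text formats are of interest.
TEXT_FORMATS = {"CF_TEXT", "CF_OEMTEXT", "CF_UNICODETEXT"}


def column_spans(rule):
    """Derive (start, end) offsets of every column from the dashed rule line."""
    spans, pos = [], 0
    for chunk in rule.split(" "):
        if chunk:
            spans.append((pos, pos + len(chunk)))
        pos += len(chunk) + 1
    return spans


def parse_clipboard(output):
    """Return one dict per table row; empty or all-dash cells become None."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    # The rule is the first line made only of dashes and spaces; the header precedes it.
    rule_idx = next(i for i, ln in enumerate(lines) if set(ln) <= {"-", " "})
    spans = column_spans(lines[rule_idx])
    names = [lines[rule_idx - 1][s:e].strip() for s, e in spans]
    records = []
    for ln in lines[rule_idx + 1:]:
        rec = {}
        for i, (name, (s, e)) in enumerate(zip(names, spans)):
            # Data is the last column and may exceed the rule width, so read to end of line.
            cell = (ln[s:] if i == len(spans) - 1 else ln[s:e]).strip()
            rec[name] = None if not cell or set(cell) == {"-"} else cell
        records.append(rec)
    return records


def clipboard_text(records):
    """Return the Data of every entry stored in a text clipboard format."""
    return [r["Data"] for r in records if r["Format"] in TEXT_FORMATS and r["Data"]]


if __name__ == "__main__":
    print(clipboard_text(parse_clipboard(SAMPLE)))
```
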

Original writeup (https://siunam321.github.io/ctf/CrewCTF-2023/Forensics/Attaaaaack1-13/#attaaaaack3).