Tags: forensics memorydump volatility darkcomet
Rating:
# Attaaaaack6
## Background
Q6. What is the full path (including executable name) of the hidden executable?
example : `crew{C:\Windows\System32\abc.exe}`
Author : 0xSh3rl0ck
## Find the flag
To sum up what we've found so far: in the previous parts we identified a suspicious executable, `runddl32.exe` (note the name, which imitates the legitimate `rundll32.exe`). This question asks for its full on-disk path.
**In volatility2, we can use plugin `cmdline` to display process command-line arguments:**
```shell
┌[siunam♥Mercury]-(~/ctf/CrewCTF-2023/Forensics/Attaaaaack)-[2023.07.08|18:41:29(HKT)]
└> python2 /opt/volatility/vol.py --profile=Win7SP1x86 -f memdump.raw cmdline
[...]
runddl32.exe pid: 300
Command line : "C:\Users\0XSH3R~1\AppData\Local\Temp\MSDCSC\runddl32.exe"
************************************************************************
notepad.exe pid: 2556
Command line : notepad
************************************************************************
[...]
```
As you can see, `runddl32.exe` (pid 300) was launched from `C:\Users\0XSH3R~1\AppData\Local\Temp\MSDCSC\runddl32.exe`. Two details are worth noting: `0XSH3R~1` is the 8.3 short name of the user's profile directory, and it is kept as-is in the flag because that is exactly how it appears in the process command line; and a binary running out of `%TEMP%\MSDCSC\` is a well-known artifact of the DarkComet RAT, which matches the `darkcomet` tag on this challenge.
- **Flag: `crew{C:\Users\0XSH3R~1\AppData\Local\Temp\MSDCSC\runddl32.exe}`**
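Reading `cmdline` output by eye works for one process, but on a real dump there are hundreds. The script below, an added example that is not part of the original writeup or of Volatility itself, parses Volatility 2 `cmdline` text, extracts the image path from each command line (handling quoted paths and bare names like `notepad` that carry no path), and flags processes that run from a temp directory or whose name is a one-letter imitation of a Windows system binary. The sample output embedded in the script is constructed for the example (the pids and the extra processes are invented); the `KNOWN_SYSTEM_BINARIES` list and the 0.85 similarity threshold are my own assumptions, not Volatility settings.

```python
import difflib
import re
from typing import Dict, List, Optional

# Constructed sample of Volatility 2 `cmdline` output for this example; it is
# not a real dump and the pids/processes other than runddl32.exe are invented.
SAMPLE_CMDLINE_OUTPUT = r"""
************************************************************************
explorer.exe pid:   1452
Command line : C:\Windows\Explorer.EXE
************************************************************************
runddl32.exe pid:    300
Command line : "C:\Users\0XSH3R~1\AppData\Local\Temp\MSDCSC\runddl32.exe"
************************************************************************
notepad.exe pid:   2556
Command line : notepad
************************************************************************
svchost.exe pid:    872
Command line : C:\Windows\system32\svchost.exe -k netsvcs
************************************************************************
"""

# Assumed list of Windows binaries that malware commonly imitates with small
# name changes (e.g. runddl32.exe vs rundll32.exe). Extend as needed.
KNOWN_SYSTEM_BINARIES = {
    "rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "smss.exe", "conhost.exe", "dllhost.exe",
}

# Directories a legitimate long-running process rarely executes from (assumption).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")

_HEADER = re.compile(r"^(?P<name>\S+)\s+pid:\s+(?P<pid>\d+)\s*$")
_CMDLINE = re.compile(r"^Command line\s*:\s*(?P<cmd>.*)$")


def parse_cmdline_output(text: str) -> List[Dict[str, object]]:
    """Turn Volatility 2 `cmdline` text into [{name, pid, cmdline}] records."""
    records: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            current = {"name": m.group("name"), "pid": int(m.group("pid")), "cmdline": ""}
            records.append(current)
            continue
        m = _CMDLINE.match(line)
        if m and current is not None:
            current["cmdline"] = m.group("cmd").strip()
    return records


def image_path(cmdline: str) -> Optional[str]:
    """Extract the executable path from a command line; None when it holds no path."""
    if not cmdline:
        return None
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        token = cmdline[1:end] if end != -1 else cmdline[1:]
    else:
        token = cmdline.split()[0]
    # A bare program name such as `notepad` is resolved via PATH, not a full path.
    return token if "\\" in token else None


def lookalike_of(name: str) -> Optional[str]:
    """Return the system binary this name imitates (near match, not equal), if any."""
    lowered = name.lower()
    if lowered in KNOWN_SYSTEM_BINARIES:
        return None
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        if difflib.SequenceMatcher(None, lowered, known).ratio() >= 0.85:
            return known
    return None


def triage(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Annotate each record with its image path and the reasons it looks suspicious."""
    out: List[Dict[str, object]] = []
    for rec in records:
        path = image_path(str(rec["cmdline"]))
        reasons: List[str] = []
        if path and any(d in path.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("runs from a temp/user-writable directory")
        twin = lookalike_of(str(rec["name"]))
        if twin:
            reasons.append(f"name imitates {twin}")
        out.append({**rec, "path": path, "reasons": reasons})
    return out


def find_hidden_executable(text: str) -> Optional[str]:
    """Full path of the first flagged process, which is what the challenge asks for."""
    for rec in triage(parse_cmdline_output(text)):
        if rec["reasons"] and rec["path"]:
            return rec["path"]
    return None


if __name__ == "__main__":
    for rec in triage(parse_cmdline_output(SAMPLE_CMDLINE_OUTPUT)):
        if rec["reasons"]:
            print(f"{rec['name']} (pid {rec['pid']}): {rec['path']}  <- {', '.join(rec['reasons'])}")
```

Run it against real output with `vol.py ... cmdline > cmdline.txt` and feed the file contents to `find_hidden_executable`; on the sample above only `runddl32.exe` is flagged, on both counts (temp directory and lookalike name). The path check is deliberately a substring match on the lower-cased path so that the 8.3 short name `0XSH3R~1` does not matter.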