Friday, June 5, 2020

#MVS2020CTF Write-Up (Memory)

This post will be short, as it only covers the Memory section of the Magnet Virtual Summit 2020 CTF and I didn't find all of the solutions.  Once again, this was my first time analyzing memory; the section was completed mainly from notes I had taken during the presentation by @melton_tarah, coupled with prior experience cracking passwords.

Memory
  • How's Your Memory? - Which memory profile best fits the system?
 Win8SP0x64
 Win7SP1x86
 VistaSP1x64
 Win7SP0x86
 Win10x86
 Win7SP1x64
 WinXPSP1x64
 Win10x64

Win7SP1x64 - The profile is found by running Volatility's imageinfo plugin against the sample, as seen in the image below.  imageinfo lists several suggested profiles (for this image the Win7 SP1 x64 one matches the options offered); if more than one Win7 profile is suggested, kdbgscan confirms which one the KDBG structure actually validates against, and that is the profile to pass with --profile= to every later plugin.



  • Hash Slinging - What is the LM hash of the user's account?
aad3b435b51404eeaad3b435b51404ee - This flag is found by running the hashdump plugin in Volatility and taking the LM half of the Warren account's hash.  That value is the LM hash of an empty string: LM hashing has been disabled by default since Windows Vista, so on this Windows 7 system every account shows the same LM hash and only the NT hash (the second half of the hashdump line) carries a crackable credential.


  • Cache Money - What is Warren's Ignition Casino password? (Case Sensitive!!!!)
WHbigboy123 - The lsadump plugin in Volatility (which dumps the LSA secrets) revealed a password of warrenhbigboy123.  I then used bulk_extractor with its wordlist scanner to pull strings from the memory sample.  Once the sample was processed, I searched the wordlist output for the root word "bigboy".  This strategy, pivoting on a root word to catch password re-use, has been helpful in password-cracking competitions as well as in defeating encryption during investigations, and it paid off once again: the flag was found (as seen in the image below).
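The pivot in the last step (take the password lsadump recovered, then hunt the memory wordlist for re-used variants of it) can be automated.  The block below is an added example, not code from the original post or from Volatility or bulk_extractor.  It assumes a one-token-per-line wordlist such as the wordlist_*.txt files that `bulk_extractor -e wordlist -o out mem.raw` writes (the wordlist scanner is off by default, hence `-e wordlist`), and embeds a constructed sample in place of that file; the tokens in SAMPLE_WORDLIST are made up for the example and are not from the MVS2020 image.  It generalizes the manual "grep for bigboy" step: instead of a hand-picked root, every token is scored by the longest case-insensitive substring it shares with the seed password, the seed and the username are dropped as already known, and case variants are merged so that whbigboy123 and WHbigboy123 show up as one candidate with both spellings.

```python
from collections import defaultdict

# Constructed sample standing in for a bulk_extractor wordlist_*.txt file
# (one token per line). These lines are made up for this example and are not
# tokens from the MVS2020 memory image.
SAMPLE_WORDLIST = """\
MicrosoftEdge
warrenhbigboy123
Password1
WHbigboy123
BIGBOY
ignitioncasino
bigboy
kernel32.dll
warren
whbigboy
whbigboy123
"""


def longest_common_substring(a, b):
    """Length of the longest substring common to a and b (O(len(a)*len(b)) DP)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def load_wordlist(text):
    """Parse one-token-per-line wordlist text (bulk_extractor style) into a list."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def reuse_candidates(tokens, seed, ignore=(), min_shared=4):
    """Rank tokens by how much they look like a re-use of the seed password.

    Returns a list of (score, canonical, variants) sorted best-first, where
    score is the longest case-insensitive substring shared with the seed,
    canonical is the lowercased token, and variants are the case spellings
    actually seen in memory (e.g. 'whbigboy123' and 'WHbigboy123').
    The seed itself and anything in `ignore` (typically the username) are
    dropped because the analyst already knows them.
    """
    seed_l = seed.lower()
    skip = {seed_l} | {s.lower() for s in ignore}
    groups = defaultdict(set)   # canonical -> set of case variants
    scores = {}                 # canonical -> shared-substring length
    for tok in tokens:
        low = tok.lower()
        if low in skip:
            continue
        if low not in scores:
            scores[low] = longest_common_substring(low, seed_l)
        if scores[low] >= min_shared:
            groups[low].add(tok)
    ranked = [(scores[low], low, sorted(v)) for low, v in groups.items()]
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


if __name__ == "__main__":
    # Seed is the lsadump result; 'warren' is the account name from hashdump.
    hits = reuse_candidates(load_wordlist(SAMPLE_WORDLIST),
                            "warrenhbigboy123", ignore=["warren"])
    for score, canonical, variants in hits:
        print(f"{score:2d}  {canonical:<16} {' '.join(variants)}")
```

On a real case, replace SAMPLE_WORDLIST with the contents of the bulk_extractor wordlist files and the seed with whatever lsadump (or hashdump cracking) gave you; the top of the ranking is the short list to try against the casino login, with each case variant listed because the challenge is case sensitive.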



  • Never Tell Me The Odds... - It seems like Warren may have let his addictions slip into his work life... Find the program in question, recover it from memory, and give the SHA1 hash.
I did not find this solution...
