This post will be short as it only covers the Memory Section of the Magnet Virtual Summit 2020 CTF and I didn't find all of the solutions. Once again this was my first time analyzing memory, and was mainly completed from notes that I had taken during the presentation by @melton_tarah, and coupling that with prior experience cracking passwords.
Memory
- How's Your Memory? - Which memory profile best fits the system?
Win8SP0x64
Win7SP1x86
VistaSP1x64
Win7SP0x86
Win10x86
Win7SP1x64
WinXPSP1x64
Win10x64
Win7SP1x64 - The profile is found by using the imageinfo command for Volatility as seen in the image below.
- Hash Slinging - What is the LM hash of the user's account?
aad3b435b51404eeaad3b435b51404ee - This flag is found using the hashdump command in Volatility and then taking the LM half of the hash from the Warren account. Note that this value is the well-known LM hash of an empty password, which is what hashdump reports when LM hashing is disabled on the system.
- Cache Money - What is Warren's Ignition Casino password? (Case Sensitive!!!!)
WHbigboy123 - The lsadump command in Volatility revealed a password of warrenhbigboy123. I then used BulkExtractor with its wordlist function to pull strings from the memory image. Once the memory sample had been processed, I searched the wordlist for the root word/phrase "bigboy". This strategy, which has been helpful in password cracking competitions as well as in defeating encryption during investigations by leveraging password re-use, paid off once again and the flag was found (as seen in the image below).
- Never Tell Me The Odds... - It seems like Warren may have let his addictions slip into his work life... Find the program in question, recover it from memory, and give the SHA1 hash.
I did not find this solution...
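The root-word pivot used in the Cache Money challenge, as an added Python example (not part of the original post and not the author's tooling): given a password already recovered from memory and an analyst-chosen root, it scans a wordlist and ranks the tokens most likely to be re-use variants. The wordlist contents and the scoring weights are constructed assumptions; only "warrenhbigboy123", "bigboy" and "WHbigboy123" come from the write-up.

```python
import re

# Constructed sample of bulk_extractor wordlist output (one token per line).
# These are illustrative values, not the real CTF memory strings.
SAMPLE_WORDLIST = [
    "Ignition", "warrenhbigboy123", "bigboy", "WHbigboy123", "BigBoy2019!",
    "winlogon.exe", "password", "w4rr3n", "bigboybigboy",
]


def trailing_digits(token: str) -> str:
    """Return the run of digits at the end of a token ('' if none)."""
    m = re.search(r"\d+$", token)
    return m.group(0) if m else ""


def rank_reuse_candidates(tokens, root: str, known_password: str):
    """Return (score, token) pairs for tokens containing the root, best first.

    The scoring (an assumption, not a standard) rewards traits shared with the
    already-known password: same digit suffix, same casing of the root, and a
    short prefix such as initials rather than unrelated surrounding text.
    """
    root_l = root.lower()
    known_suffix = trailing_digits(known_password)
    ranked = []
    for tok in dict.fromkeys(tokens):            # dedupe, keep order
        low = tok.lower()
        if tok == known_password or root_l not in low:
            continue
        score = 1                                # contains the root at all
        if known_suffix and trailing_digits(tok) == known_suffix:
            score += 2                           # same numeric suffix as known password
        idx = low.index(root_l)
        if tok[idx:idx + len(root)] == root:
            score += 1                           # root written with the same casing
        if idx <= 3:
            score += 1                           # only a short prefix (e.g. initials)
        ranked.append((score, tok))
    ranked.sort(key=lambda p: (-p[0], p[1]))
    return ranked


if __name__ == "__main__":
    for score, tok in rank_reuse_candidates(SAMPLE_WORDLIST, "bigboy", "warrenhbigboy123"):
        print(f"{score}  {tok}")
```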