We have to find the three below.
1) computername
2) user
3) password
To obtain the OS info, run the 'imageinfo' plugin.
.\volatility_2.6_win64_standalone.exe -f .\foren.raw imageinfo
First, let's print out a list of processes through the pslist plug-in.
.\volatility_2.6_win64_standalone.exe -f .\foren.raw --profile=Win7SP1x64 pslist
I found a suspicious 'DumpIt.exe' on the full list.
The PID for 'DumpIt.exe' is 1764. Let's use the memdump plugin to dump
.\volatility_2.6_win64_standalone.exe -f .\foren.raw --profile=Win7SP1x64 memdump --pid=1764 --dump-dir=./
The 1764.dmp file was created; next we extract the strings from it into the 1764.txt file.
Searching 1764.txt for 'COMPUTER' and 'USERNAME' turned up COMPUTERNAME and USERNAME easily.
flag: FwordCTF{FORENWARMUP_SBA_AK_password}
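The search step above relies on `strings`, which by default only reports ASCII runs; the Windows process environment block (where COMPUTERNAME and USERNAME live) is stored as UTF-16LE, so it is easy to miss those values unless wide strings are also extracted (`strings -e l`). The following scanner is an added example, not part of the original writeup, that pulls KEY=VALUE pairs out of a raw dump in both encodings. The sample buffer and the value `WIN7-EXAMPLE` are constructed for the demonstration; `scan_dump_file` is a hypothetical helper name.

```python
import re
import sys

# The writeup searched for these two keys.
DEFAULT_KEYS = ("COMPUTERNAME", "USERNAME")


def find_env_strings(buf: bytes, keys=DEFAULT_KEYS, max_len=64):
    """Return {key: [values]} for KEY=VALUE strings found in a raw memory buffer.

    Both ASCII and UTF-16LE encodings are scanned, because the Windows
    environment block is UTF-16LE and a plain `strings` run will not show it.
    """
    found = {}
    for key in keys:
        # ASCII form: KEY=<printable bytes>, stopping at the first non-printable.
        ascii_pat = re.escape(key.encode("ascii")) + rb"=([\x20-\x7e]{1,%d})" % max_len
        for m in re.finditer(ascii_pat, buf):
            found.setdefault(key, set()).add(m.group(1).decode("ascii"))
        # UTF-16LE form: every printable byte is followed by a NUL byte.
        wide_pat = re.escape(key.encode("utf-16le")) + rb"=\x00((?:[\x20-\x7e]\x00){1,%d})" % max_len
        for m in re.finditer(wide_pat, buf):
            found.setdefault(key, set()).add(m.group(1).decode("utf-16le"))
    return {k: sorted(v) for k, v in found.items()}


def scan_dump_file(path: str):
    """Hypothetical helper: run find_env_strings over a memdump output file."""
    with open(path, "rb") as fh:
        return find_env_strings(fh.read())


# Constructed sample: a UTF-16LE COMPUTERNAME entry, an ASCII USERNAME entry and
# a UTF-16LE USERNAME entry, padded with junk bytes the way a real dump would be.
SAMPLE_DUMP = (
    b"\x00" * 16
    + "COMPUTERNAME=WIN7-EXAMPLE".encode("utf-16le") + b"\x00\x00"
    + b"\x90\x90\xcc\xcc"
    + b"USERNAME=SBA_AK\x00"
    + "USERNAME=SBA_AK".encode("utf-16le") + b"\x00\x00"
    + b"\xff" * 8
)

if __name__ == "__main__":
    target = scan_dump_file(sys.argv[1]) if len(sys.argv) > 1 else find_env_strings(SAMPLE_DUMP)
    for key, values in target.items():
        print(key, values)
```

Run it with the path to `1764.dmp` as the only argument; without an argument it scans the constructed sample. The UTF-16LE value in the sample is invisible to a default `strings` run, which is exactly the case the scanner covers.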
Now, we will find the password for the SBA_AK account.
I will go back to the 'foren.raw' file and use the 'hivelist' plug-in to get the addresses of the SAM and SYSTEM registry hives.
.\volatility_2.6_win64_standalone.exe -f .\foren.raw --profile=Win7SP1x64 hivelist
Next, we will use the 'hashdump' plug-in to get the password hash.
Here the SYSTEM hive offset is passed through the '-y' option and the SAM hive offset through the '-s' option.
.\volatility_2.6_win64_standalone.exe -f .\foren.raw --profile=Win7SP1x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a0014da410
We will crack the 32-digit MD5 hash value printed for 'SBA_AK' like this.
Used this site. Entering the hash value shows the password for SBA_AK.
flag: FwordCTF{FORENWARMUP_SBA_AK_password123}
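Volatility's hashdump prints one line per account as `user:rid:lmhash:nthash`, and the 32-hex-digit field a lookup site matches against is the NT hash, which is MD4 over the UTF-16LE encoding of the password. The code below is an added example, not part of the original writeup, that parses such a line and verifies a candidate password offline, so a recovered password can be confirmed without submitting the hash to a third-party site. MD4 is implemented directly because OpenSSL builds often have it disabled in `hashlib`. The hashdump line is constructed: its RID is made up and its NT field is the hash of the string `password`, not the real value from the image.

```python
import hmac
import struct
import sys

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    x &= _MASK
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> str:
    """MD4 (RFC 1320) in pure Python; returns the digest as 32 hex digits."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"          # padding: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                  # round 1
            f = (b & c) | (~b & d)
            a, b, c, d = d, _rotl(a + f + x[i], (3, 7, 11, 19)[i % 4]), b, c
        for i, k in enumerate((0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)):  # round 2
            g = (b & c) | (b & d) | (c & d)
            a, b, c, d = d, _rotl(a + g + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            h = b ^ c ^ d
            a, b, c, d = d, _rotl(a + h + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0).hex()


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); this is the last hex field hashdump prints."""
    return md4(password.encode("utf-16le"))


def parse_hashdump_line(line: str) -> dict:
    """Split a Volatility hashdump line 'user:rid:lmhash:nthash:::' into fields."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def verify_candidate(nt_hex: str, candidate: str) -> bool:
    """True if the candidate password produces the given NT hash (constant-time compare)."""
    return hmac.compare_digest(nt_hash(candidate), nt_hex.lower())


# Constructed hashdump line: RID is invented, the LM field is the well-known
# "no LM hash stored" value, and the NT field is nt_hash("password").
SAMPLE_LINE = "SBA_AK:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::"

if __name__ == "__main__":
    entry = parse_hashdump_line(SAMPLE_LINE)
    candidate = sys.argv[1] if len(sys.argv) > 1 else "password"
    print(entry["user"], "matches" if verify_candidate(entry["nt"], candidate) else "does not match", repr(candidate))
```

To check a password recovered from the image, replace `SAMPLE_LINE` with the real hashdump line and pass the candidate as the first argument. The LM field `aad3b435b51404eeaad3b435b51404ee` is what hashdump prints when no LM hash is stored, which is the normal case on Windows 7.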