Challenge Description

  • Difficulty : Medium
  • Points : 250
  • Category : DFIR

Walkthrough

We are given a memory dump and asked to recover a password from it.

I used Volatility to analyse the memory dump.

The first step was to gather basic information about the memory dump (OS profile, architecture, acquisition time).

  • vol.py -f mem.raw imageinfo

Image Info

Next, list the running processes.

  • vol.py -f mem.raw --profile=Win7SP1x64 pslist

PS List

  • vol.py -f mem.raw --profile=Win7SP1x64 psxview

PS Tree View

After reviewing the list of running processes and finding nothing of interest, I searched the in-memory file objects and filtered for filenames containing the string "flag". This revealed a flag.rar file at the following path: C:\Users\Machine\Desktop\CTF\flag.rar.

  • vol.py -f mem.raw --profile=Win7SP1x64 filescan | grep flag

Flag.rar

Two instances of the same file were found at different offsets. The following commands were used to dump both of them.

  • vol.py -f mem.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000001bbff9c0 --name flag1.rar -D ./flag
  • vol.py -f mem.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000002639ddd0 --name flag2.rar -D ./flag

Export Flag

One of the dumped flag.rar files was corrupted; the other contained flag.txt, but the archive was password-protected.

Protected Rar

We need to find the password for the flag.rar file.

I was hoping to find the password in the memory of the lsass.exe process, so I proceeded to dump any credentials and hashes with the commands below.

  • vol.py -f mem.raw --profile=Win7SP1x64 hashdump

Hashdump

  • vol.py -f mem.raw --profile=Win7SP1x64 cachedump
  • vol.py -f mem.raw --profile=Win7SP1x64 lsadump

Nothing useful was obtained from lsadump or cachedump.

Cachedump

LSA Dump

However, hashdump reveals the user account NTLM hashes.

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Machine:1000:aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76:::

The NTLM hash of the Machine user account was cracked and found to be pass123. Cracking was done with crackstation.net as well as John the Ripper.

Crackstation.net

JTR

I was hoping that this would be the password for the flag.rar file, but it was not. Further investigation was required.

There were traces in the memory dump of the user downloading flag.rar from an internal server, http://192.168.174.211:8000/flag.rar. My assumption was that the user had set the password on flag.rar with WinRAR after downloading it from the server.

Next, I checked the command lines of the running processes with the cmdline plugin.

  • vol.py -f mem.raw --profile=Win7SP1x64 cmdline

CMD 1

CMD 2

CMD 3

As the screenshots above show, the user does not appear to have run WinRAR from the command line.

Finally, while looking at the environment variables of the lsass.exe process (PID 448), I noticed an odd string that was clearly out of place.

  • vol.py -f mem.raw --profile=Win7SP1x64 envars -p 448

Password

Password: Ittm1Fc7hcuFrLZIQmxs
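Reading envars output by eye works for one process, but a random-looking value can be picked out mechanically. The example below, added here and not part of the original writeup, parses Volatility 2 envars rows and flags single-token values that are long and high-entropy while excluding anything that looks like a path, list or sentence. The sample output is constructed: PID 448 and lsass.exe come from the writeup, the block address, the standard Windows variables and the name ODDVAR for the variable holding the odd value are placeholders.

```python
import math
import re

# Constructed sample of `envars -p 448` output (Pid, Process, Block, Variable, Value).
# Only the PID, process name and the odd value come from the writeup; the rest is assumed.
ENVARS_OUTPUT = """\
Pid      Process              Block              Variable                       Value
-------- -------------------- ------------------ ------------------------------ -----
448      lsass.exe            0x00000000001d0320 ALLUSERSPROFILE                C:\\ProgramData
448      lsass.exe            0x00000000001d0320 ComSpec                        C:\\Windows\\system32\\cmd.exe
448      lsass.exe            0x00000000001d0320 NUMBER_OF_PROCESSORS           2
448      lsass.exe            0x00000000001d0320 OS                             Windows_NT
448      lsass.exe            0x00000000001d0320 Path                           C:\\Windows\\system32;C:\\Windows
448      lsass.exe            0x00000000001d0320 PROCESSOR_IDENTIFIER           Intel64 Family 6 Model 58 Stepping 9, GenuineIntel
448      lsass.exe            0x00000000001d0320 ODDVAR                         Ittm1Fc7hcuFrLZIQmxs
448      lsass.exe            0x00000000001d0320 windir                         C:\\Windows
"""

# One data row: pid, process, block address, variable name, then the rest of the line
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s*(.*)$")

# Characters typical of paths, lists and key=value fragments: not a bare secret
PATH_LIKE = re.compile(r"[\\/:;=\s]")


def parse_envars(text: str):
    """Parse envars rows; header and separator lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "pid": int(m.group(1)),
            "process": m.group(2),
            "block": m.group(3),
            "variable": m.group(4),
            "value": m.group(5).rstrip(),
        })
    return rows


def shannon_entropy(s: str) -> float:
    """Bits per character; a 20-character string of mostly distinct characters is near 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Triage heuristic: a long, single-token, high-entropy value. Expect some false positives."""
    if len(value) < min_len or PATH_LIKE.search(value):
        return False
    return shannon_entropy(value) >= min_entropy


def triage_envars(text: str, **thresholds):
    """Return (variable, value) pairs whose value looks like an out-of-place secret."""
    return [(r["variable"], r["value"])
            for r in parse_envars(text)
            if looks_like_secret(r["value"], **thresholds)]


if __name__ == "__main__":
    for variable, value in triage_envars(ENVARS_OUTPUT):
        print(f"{variable}: {value}  (entropy {shannon_entropy(value):.2f} bits/char)")
```

The thresholds are starting points rather than fixed rules: hostnames, GUIDs and hex tokens also score high, so treat the output as a shortlist to review, which is still far quicker than reading every variable of every process.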

This password worked for the rar file, and I was able to view flag.txt.

Flag

Flag: Password_hints_are_the_retrievable