Open in app

Sign in

Write

Sign in

Magnet Virtual Summit 2020 CTF — Memory

svch0st
3 min readJun 2, 2020

--

Image: memdump.mem | 224f93209cbea29e862890f30dfa762d

How’s Your Memory?

Which memory profile best fits the system?

We can use the volatility plugin imageinfo and kdbgscan to determine the suggested memory profile.

vol.py -f memdump.mem imageinfo

The output of imageinfo tells us it is some type of Win 7 or Win Server 2008 OS with 64 bit architecture. Out of the possible answers in the list, the closest is Win7SP1x64.

A: Win7SP1x64

Hash Slinging

What is the LM hash of the user’s account?

vol.py -f memdump.mem --profile=Win7SP1x64 hashdump

We can use the profile we determined in the first question in combination with the hashdump plugin. The format for NTLM hashes are user:rid:lm:nt as seen in the output below:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Warren:1000:aad3b435b51404eeaad3b435b51404ee:2aa81fb8c8cdfd8f420f7f94615036b0:::

A: aad3b435b51404eeaad3b435b51404ee

Cache Money

What is Warren’s Ignition Casino password? (Case Sensitive!!!!)

I started by dumping the Chrome internet history by first using filescan then finding the offset of the History.dat file to use in the dumpfiles plugin. I used the Nirsoft ChromeHistoryView tool to view the file.

vol.py -f memdump.mem --profile=Win7SP1x64 filescan > filescan.txtcat filescan.txt | grep Chrome | grep Historyvol.py -f memdump.mem --profile=Win7SP1x64 dumpfiles -Q 0x000000013fdc56b0 -n -D .

In the internet history, it looks like at one point he forgets his password to Ignition Casino and needs to reset it.

I spent a lot of time looking through Chrome and IE memdumps but found a lead in the WinWord.exe memdump hoping the user wrote their password down.

wow_this_is_an_uncrackable_password

When I tried this however, it was not the right answer. :(

I had bulk_extractor running in the background while I started the other questions. When it was done, I grep-ed over terms like ignition and the users email to see if there were any goodies. After sifting through some data I found a pretty good guess that turned out to be correct.

A: WHbigboy123

Never Tell Me The Odds…

It seems like Warren may have let his addictions slip into his work life… Find the program in question, recover it from memory, and give the SHA1 hash

Having a look at the Chrome Downloads (from the History.dat file dumped in the previous question), there is an entry for a Ignition Casino binary.

Here is where the binary was downloaded from.

If we find the offset of the file from the filescan output, we can use dumpfiles to extract it. From there, you can use sha1sum to get the hash.

IgnitionCasino.exe | 3b7ca3bb8d4fb2b6c287d6a247efd7c457937a3e

A: 3b7ca3bb8d4fb2b6c287d6a247efd7c457937a3e

Compilation Station

When was IgnitionCasino.exe compiled? YYYY-MM-DD HH:MM:SS

Using PE-bear we find the time stamp in the headers of the PE.

A: 2020–02–12 12:01:35

Dfir
Forensics
Ctf

--

--

svch0st

Written by svch0st

307 Followers

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams