Magnet Virtual Summit 2020 CTF — Memory

Image: memdump.mem | 224f93209cbea29e862890f30dfa762d

How’s Your Memory?

We can use the volatility plugin imageinfo and kdbgscan to determine the suggested memory profile.

vol.py -f memdump.mem imageinfo

The output of imageinfo tells us it is some type of Win 7 or Win Server 2008 OS with 64 bit architecture. Out of the possible answers in the list, the closest is Win7SP1x64.

A: Win7SP1x64

Hash Slinging

vol.py -f memdump.mem --profile=Win7SP1x64 hashdump

We can use the profile we determined in the first question in combination with the hashdump plugin. The format for NTLM hashes are user:rid:lm:nt as seen in the output below:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Warren:1000:aad3b435b51404eeaad3b435b51404ee:2aa81fb8c8cdfd8f420f7f94615036b0:::

A: aad3b435b51404eeaad3b435b51404ee

Cache Money

I started by dumping the Chrome internet history by first using filescan then finding the offset of the History.dat file to use in the dumpfiles plugin. I used the Nirsoft ChromeHistoryView tool to view the file.

vol.py -f memdump.mem --profile=Win7SP1x64 filescan > filescan.txtcat filescan.txt | grep Chrome | grep Historyvol.py -f memdump.mem --profile=Win7SP1x64 dumpfiles -Q 0x000000013fdc56b0 -n -D .

In the internet history, it looks like at one point he forgets his password to Ignition Casino and needs to reset it.

I spent a lot of time looking through Chrome and IE memdumps but found a lead in the WinWord.exe memdump hoping the user wrote their password down.

wow_this_is_an_uncrackable_password

When I tried this however, it was not the right answer. :(

I had bulk_extractor running in the background while I started the other questions. When it was done, I grep-ed over terms like ignition and the users email to see if there were any goodies. After sifting through some data I found a pretty good guess that turned out to be correct.

A: WHbigboy123

Never Tell Me The Odds…

Having a look at the Chrome Downloads (from the History.dat file dumped in the previous question), there is an entry for a Ignition Casino binary.

Here is where the binary was downloaded from.

If we find the offset of the file from the filescan output, we can use dumpfiles to extract it. From there, you can use sha1sum to get the hash.

IgnitionCasino.exe | 3b7ca3bb8d4fb2b6c287d6a247efd7c457937a3e

A: 3b7ca3bb8d4fb2b6c287d6a247efd7c457937a3e

Compilation Station

Using PE-bear we find the time stamp in the headers of the PE.

A: 2020–02–12 12:01:35