Magnet Virtual Summit 2020 CTF — Memory

How’s Your Memory?

Which memory profile best fits the system?

vol.py -f memdump.mem imageinfo

Hash Slinging

What is the LM hash of the user’s account?

vol.py -f memdump.mem --profile=Win7SP1x64 hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Warren:1000:aad3b435b51404eeaad3b435b51404ee:2aa81fb8c8cdfd8f420f7f94615036b0:::
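The three lines above are in pwdump format: user, RID, LM hash, NT hash. The LM field `aad3b435b51404eeaad3b435b51404ee` is the LM hash of an empty string, which is what hashdump prints when Windows is not storing LM hashes at all (the default since Vista), and `31d6cfe0d16ae931b73c59d7e0c089c0` is the NT hash of an empty password. The parser below is an added example, not part of the original write-up or of Volatility; it takes hashdump output as text, validates each line, and flags the two constants so an analyst can tell at a glance which accounts have no LM hash and which have a blank password.

```python
import re
from dataclasses import dataclass

# Well-known constants: LM hash of "" (LM storage disabled) and NT hash of "".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump line: user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# The hashdump output shown on the page, reused here as the sample input.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Warren:1000:aad3b435b51404eeaad3b435b51404ee:2aa81fb8c8cdfd8f420f7f94615036b0:::
"""


@dataclass
class HashdumpEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str


def parse_hashdump(text):
    """Parse hashdump/pwdump text into entries; reject malformed lines loudly."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno} is not pwdump format: {line!r}")
        entries.append(
            HashdumpEntry(
                user=m["user"],
                rid=int(m["rid"]),
                lm_hash=m["lm"].lower(),
                nt_hash=m["nt"].lower(),
            )
        )
    return entries


def triage(entries):
    """Label each account: is an LM hash stored, and is the NT hash that of an empty password?"""
    findings = {}
    for e in entries:
        notes = []
        notes.append("lm-disabled" if e.lm_hash == EMPTY_LM else "lm-present")
        notes.append("nt-empty-password" if e.nt_hash == EMPTY_NT else "nt-set")
        findings[e.user] = notes
    return findings


if __name__ == "__main__":
    for user, notes in triage(parse_hashdump(SAMPLE_HASHDUMP)).items():
        print(f"{user:<14} {', '.join(notes)}")
```

Running it against the page's output reports every account as `lm-disabled`; Administrator and Guest additionally show `nt-empty-password`, which on a real engagement is the finding to chase (built-in accounts with blank passwords), while Warren has a real NT hash set. An `lm-present` result on a modern host is itself worth a ticket, since it means the `NoLMHash` policy has been switched off.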

Cache Money

What is Warren’s Ignition Casino password? (Case Sensitive!!!!)

vol.py -f memdump.mem --profile=Win7SP1x64 filescan > filescan.txt
cat filescan.txt | grep Chrome | grep History
vol.py -f memdump.mem --profile=Win7SP1x64 dumpfiles -Q 0x000000013fdc56b0 -n -D .
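The `dumpfiles` step recovers Chrome's `History` database, which is an SQLite file whose `urls` table stores `last_visit_time` as microseconds since 1601-01-01 UTC (the WebKit epoch), not Unix time. The script below is an added example, not from the original write-up; rather than depend on the dumped file it builds an in-memory `History` look-alike with a constructed `urls` table (the URLs and the `NotTheRealOne1` value are made up), converts the timestamps, and flags any URL whose query string carries credential-looking parameter names, which is the kind of leak that lets a password be read straight out of browsing history. Point `sqlite3.connect` at the recovered `History` file to run the same queries on real data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Chrome/WebKit timestamps count microseconds from this epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Query-string keys that should never appear in a browser history URL.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "session"}


def webkit_to_datetime(ts):
    """WebKit microsecond timestamp -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(ts))


def datetime_to_webkit(dt):
    """Aware datetime -> WebKit microsecond timestamp (used to build sample rows)."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Constructed stand-in for a recovered Chrome History file (subset of the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,"
        " visit_count INTEGER DEFAULT 0, typed_count INTEGER DEFAULT 0,"
        " last_visit_time INTEGER, hidden INTEGER DEFAULT 0)"
    )
    rows = [  # constructed sample rows, not data from the CTF image
        ("https://news.example.invalid/", "News", 3,
         datetime_to_webkit(datetime(2020, 1, 15, 9, 30, tzinfo=timezone.utc))),
        ("https://casino.example.invalid/login?user=warren&password=NotTheRealOne1", "Login", 1,
         datetime_to_webkit(datetime(2020, 1, 15, 12, 0, tzinfo=timezone.utc))),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)", rows
    )
    return conn


def read_history(conn):
    """Return url rows oldest-first with last_visit_time rendered as UTC text."""
    cur = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls ORDER BY last_visit_time"
    )
    return [
        {
            "url": url,
            "title": title,
            "visits": visits,
            "last_visit": webkit_to_datetime(ts).strftime("%Y-%m-%d %H:%M:%S"),
        }
        for url, title, visits, ts in cur
    ]


def credentials_in_urls(entries):
    """List (url, [leaked parameter names]) for URLs carrying credential-style query keys."""
    hits = []
    for e in entries:
        qs = parse_qs(urlparse(e["url"]).query)
        leaked = sorted(k for k in qs if k.lower() in SENSITIVE_PARAMS)
        if leaked:
            hits.append((e["url"], leaked))
    return hits


if __name__ == "__main__":
    history = read_history(build_sample_history())   # or sqlite3.connect("History")
    for h in history:
        print(h["last_visit"], h["visits"], h["url"])
    for url, keys in credentials_in_urls(history):
        print("credential-bearing URL:", url, keys)
```

Two caveats for real images: Chrome keeps the `History` file locked while running, so a copy carved from memory or from disk may be truncated and fail to open, and the same WebKit epoch applies to `Login Data` and `Cookies`, so the converter is reusable across all three.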

Never Tell Me The Odds…

It seems like Warren may have let his addictions slip into his work life… Find the program in question, recover it from memory, and give the SHA1 hash

IgnitionCasino.exe | 3b7ca3bb8d4fb2b6c287d6a247efd7c457937a3e

Compilation Station

When was IgnitionCasino.exe compiled? YYYY-MM-DD HH:MM:SS
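The compile time of a PE file is the 32-bit `TimeDateStamp` field in the COFF file header (Unix seconds, UTC), found 8 bytes past the `PE\0\0` signature whose offset is stored at `e_lfanew` (file offset 0x3C). The code below is an added example, not from the original write-up; `build_fake_pe` constructs a minimal MZ/PE header around a chosen timestamp so the reader can exercise the parser offline, and `pe_compile_time` formats the field as the `YYYY-MM-DD HH:MM:SS` string the question asks for. Run it on the executable recovered in the previous step with `pe_compile_time(open("IgnitionCasino.exe", "rb").read())`.

```python
import struct
from datetime import datetime, timezone


def build_fake_pe(timestamp, machine=0x8664):
    """Constructed minimal PE header (DOS stub + PE signature + COFF header) with the given timestamp."""
    e_lfanew = 0x80                       # where the PE signature will live
    dos = bytearray(e_lfanew)             # zero-filled stub
    dos[0:2] = b"MZ"                      # DOS magic
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff


def coff_header(data):
    """Locate and unpack the COFF file header; raise ValueError if the file is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fields = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    names = ("machine", "sections", "timestamp", "symtab", "nsyms", "opt_size", "characteristics")
    return dict(zip(names, fields))


def pe_compile_time(data):
    """TimeDateStamp as 'YYYY-MM-DD HH:MM:SS' in UTC."""
    ts = coff_header(data)["timestamp"]
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def is_pe(data):
    try:
        coff_header(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = build_fake_pe(1572444317)    # constructed: 2019-10-30 14:05:17 UTC
    print(pe_compile_time(sample))
```

Treat the result as a hint rather than proof: the field is written by the linker and is trivially editable, so reproducible builds and some packers zero it or set it to a fixed value, and a timestamp in the future or before the toolchain existed is itself a signal worth noting in the report.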
