Magnet Virtual Summit 2020 CTF — Memory
Image: memdump.mem | 224f93209cbea29e862890f30dfa762d
How’s Your Memory?
Which memory profile best fits the system?
We can use the volatility plugin
kdbgscan to determine the suggested memory profile.
vol.py -f memdump.mem imageinfo
The output of imageinfo tells us it is some type of Win 7 or Win Server 2008 OS with 64 bit architecture. Out of the possible answers in the list, the closest is Win7SP1x64.
What is the LM hash of the user’s account?
vol.py -f memdump.mem --profile=Win7SP1x64 hashdump
We can use the profile we determined in the first question in combination with the
hashdump plugin. The format for NTLM hashes are user:rid:lm:nt as seen in the output below:
What is Warren’s Ignition Casino password? (Case Sensitive!!!!)
I started by dumping the Chrome internet history by first using
filescan then finding the offset of the History.dat file to use in the
dumpfiles plugin. I used the Nirsoft ChromeHistoryView tool to view the file.
vol.py -f memdump.mem --profile=Win7SP1x64 filescan > filescan.txtcat filescan.txt | grep Chrome | grep Historyvol.py -f memdump.mem --profile=Win7SP1x64 dumpfiles -Q 0x000000013fdc56b0 -n -D .
In the internet history, it looks like at one point he forgets his password to Ignition Casino and needs to reset it.
I spent a lot of time looking through Chrome and IE memdumps but found a lead in the WinWord.exe memdump hoping the user wrote their password down.
When I tried this however, it was not the right answer. :(
I had bulk_extractor running in the background while I started the other questions. When it was done, I grep-ed over terms like ignition and the users email to see if there were any goodies. After sifting through some data I found a pretty good guess that turned out to be correct.
Never Tell Me The Odds…
It seems like Warren may have let his addictions slip into his work life… Find the program in question, recover it from memory, and give the SHA1 hash
Having a look at the Chrome Downloads (from the History.dat file dumped in the previous question), there is an entry for a Ignition Casino binary.
Here is where the binary was downloaded from.
If we find the offset of the file from the
filescan output, we can use
dumpfiles to extract it. From there, you can use
sha1sum to get the hash.
IgnitionCasino.exe | 3b7ca3bb8d4fb2b6c287d6a247efd7c457937a3e
When was IgnitionCasino.exe compiled? YYYY-MM-DD HH:MM:SS
Using PE-bear we find the time stamp in the headers of the PE.
A: 2020–02–12 12:01:35