Category: Digital Forensics

You can download the Memdump-Digital Forensics Challenge, along with all the challenges for the 2016 Greek Qualifier CTF of European Cybersecurity Challenge, in this link. More details on the Greek ECSC 2016 Qualifier CTF event can be found here.

Points: 50

Challenge designer: Panos Lefteris

Description:

> Do not trust your tools… INFOrmation is your friend
> The flag is the NTLM hash of the local admin

____________________________________
||M |||E |||M |||D |||U |||M |||P ||
||__|||__|||__|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|

Write-up

First we need to know the exact version of the system where the dump was taken.

$ volatility -f ./dump.mem imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86 (Instantiated with Win7SP1x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/media/sf_Documents/ecsc/qualifiers-2016/dump.mem)
                      PAE type : PAE
                           DTB : 0x185000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-06-05 20:01:39 UTC+0000
     Image local date and time : 2016-06-05 13:01:39 -0700

The suggested profiles are Vista and Server 2008, but the same output line shows the image was instantiated with Win7SP1x86. Let's set that profile and try to dump the NTLM hashes with Win7SP1x86.

$ export VOLATILITY_PROFILE=Win7SP1x86
$ export VOLATILITY_LOCATION=file:///root/dump.mem
$ volatility hashdump
Volatility Foundation Volatility Framework 2.5
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
johndoe:1001:aad3b435b51404eeaad3b435b51404ee:f8f9ecb9ed6a5e1035e3172362d56f64:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:4a3c64420b77c6202ae8cd7d59953313:::

The flag is:

> 31d6cfe0d16ae931b73c59d7e0c089c0

This value is the NT hash of the empty string, so the local Administrator account has a blank password (the Guest account carries the same NT hash), and the LM field aad3b435b51404eeaad3b435b51404ee on every account only means no LM hash is stored.

# echo 7eamnull
