Thursday, June 4, 2020

Magnet Virtual Summit 2020 CTF (Memory)


Previous: Egg Hunt | iOS
These questions were fairly straightforward if you know how to use Volatility but was a good refresher for me.


Memory
How's Your Memory? (5)

Which memory profile best fits the system?


Win8SP0x64

Win7SP1x86

VistaSP1x64

Win7SP0x86

Win10x86

Win7SP1x64

WinXPSP1x64

Win10x64


Running the imageinfo command through Volatility we see the first suggested profile is Win7SP1x64.


Hash Slinging (10)

What is the LM hash of the user's account?


Using Volatility again we can use the plugin hashdump to pull out the password hash information:

We can see that Warren's LM hash comes right after his user RID of 1000, so it is "aad3b435b51404eeaad3b435b51404ee".


Cache Money (25)

What is Warren's Ignition Casino password? (Case Sensitive!!!!)


Pulling in the memory image into Bulk Extractor, we can pull out email address strings and surrounding text. Knowing we are looking for something related to Ignition Casino, we can do a quick search from the output for "ignition" and see what was the password, WHbigboy123.



Never Tell Me The Odds... (25)

It seems like Warren may have let his addictions slip into his work life... Find the program in question, recover it from memory, and give the SHA1 hash


With the hints of cards and poker, doing a quick userassist dump from Volatility we see he ran IgnitionCasino.exe.



We can then run filescan to pull out offset for the file in question.

Using the dumpfiles command with the offset we can pull out the file directly and hash it.

The SHA1 is 3B7CA3BB8D4FB2B6C287D6A247EFD7C457937A3E


Compilation Station (50)

When was IgnitionCasino.exe compiled? YYYY-MM-DD HH:MM:SS


Dropping IgnitionCasino.exe into PPEE we can see the compile date of 2020-02-12 12:01:35 from the file header.



No comments:

Post a Comment