Description
Frank has never been a “tech person”. He reuses passwords, is too lazy to type, the whole nine yards. And it’s not just tech: he’s blind as a bat and about as sharp as a round ball too. I mean, he doesn’t even know about the shortcut to paddys. Help his son Dennis sift through this memory dump and reconstruct the flag.
Note: Use the Win7SP1x64 profile to analyse the dump. All relevant files for this challenge are only present in the C drive and in no other drive.
Memory Dump
Writeup
First let’s list the running processes and the process tree.
Pslist
Pstree
If you look closely, several notepad.exe processes were running.
To see what the user was doing with notepad, let’s check the command lines with the cmdline plugin.
Cmdline
Okay, some files under the Minesweeper directory were being edited. Let’s check whether the user had something in the clipboard.
Clipboard
So the clipboard holds the following link:
That gives us part 1/3 of the flag: p_ctf{v0l4t1l1ty
Revisiting the cmdline output
In the cmdline screenshot there was a process used to extract a file. Let’s locate the RAR file with filescan.
File Scan
Dump file and Extract Attempt
It is password protected. The description says the user is in the habit of reusing passwords, so let’s dump his Windows login password hashes.
NTLM Hashes
Dump NTLM Hashes
The following hashes were dumped with the hashdump plugin. Now let’s crack them using CrackStation.
hashdump output format (pwdump style): username:rid:lmhash:nthash:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Frank Reynolds:1000:aad3b435b51404eeaad3b435b51404ee:a88d1e18706d3aa676e01e5943d15911:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:af10ecac6ea817d2bb56e3e5c33ce1cd:::
Dennis:1003:aad3b435b51404eeaad3b435b51404ee:cf96684bbc7877920adaa9663698bf54:::
Notice that every LM hash is aad3b435b51404eeaad3b435b51404ee. That is the LM hash of an empty string: Windows 7 does not store LM hashes by default, so that field carries no password material and only the NT hash (MD4 of the UTF-16LE password) is worth cracking. The NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 on Administrator and Guest is likewise the hash of a blank password, so those accounts are not the interesting ones.
Cracking Frank’s NT hash on CrackStation gives the password trolltroll.
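To make the empty-LM / empty-NT reasoning concrete, here is an added example (my code, not part of the original writeup or of Volatility) that parses the hashdump lines above, flags the empty LM marker and blank NT hashes, and checks the NT hashes against a small constructed wordlist. NT hashes are MD4 over the UTF-16LE password; since hashlib’s md4 depends on the OpenSSL legacy provider and is often unavailable, MD4 is implemented inline from RFC 1320. The wordlist is constructed for illustration; the hash lines are the ones from the writeup.

```python
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" (blank password)

# hashdump output quoted from the writeup (username:rid:lmhash:nthash:::)
HASHDUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Frank Reynolds:1000:aad3b435b51404eeaad3b435b51404ee:a88d1e18706d3aa676e01e5943d15911:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:af10ecac6ea817d2bb56e3e5c33ce1cd:::
Dennis:1003:aad3b435b51404eeaad3b435b51404ee:cf96684bbc7877920adaa9663698bf54:::
"""

# Constructed toy wordlist; a real run would use rockyou or similar.
WORDLIST = ["", "password", "123456", "trolltroll"]


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320. Pure Python; fine for short passwords."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)  # pad to 56 mod 64
    data += struct.pack("<Q", bit_len)               # 64-bit LE bit length
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, tuple(range(16)), (3, 7, 11, 19), 0),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        v = [a, b, c, d]
        for func, ks, shifts, const in rounds:
            for i, k in enumerate(ks):
                idx = (-i) % 4  # operate on a, d, c, b, a, ... in turn
                x, y, z = v[(idx + 1) % 4], v[(idx + 2) % 4], v[(idx + 3) % 4]
                v[idx] = _rotl((v[idx] + func(x, y, z) + X[k] + const) & MASK, shifts[i % 4])
        a, b, c, d = ((a + v[0]) & MASK, (b + v[1]) & MASK,
                      (c + v[2]) & MASK, (d + v[3]) & MASK)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), hex encoded."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str):
    """Parse pwdump-style lines and annotate the empty-LM and blank-NT cases."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        entries.append({
            "user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_empty": lm.lower() == EMPTY_LM,  # nothing to crack in the LM field
            "blank": nt.lower() == EMPTY_NT,     # account has no password at all
        })
    return entries


def crack(entries, wordlist):
    """Return {user: password} for every NT hash that appears in the wordlist."""
    lookup = {nt_hash(w): w for w in wordlist}
    return {e["user"]: lookup[e["nt"]] for e in entries if e["nt"] in lookup}


if __name__ == "__main__":
    entries = parse_hashdump(HASHDUMP)
    for e in entries:
        print(f"{e['user']:16} lm_empty={e['lm_empty']} blank={e['blank']}")
    print("cracked:", crack(entries, WORDLIST))
```

The lookup table is built once from the wordlist, so cracking is a dictionary hit per account rather than a hash per (word, account) pair; for a real wordlist you would stream it instead of holding it in memory.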
Extracting RAR file
Let’s extract the RAR archive using that password.
We now have part 2/3 of the flag.
Revisiting the description
We were given the clue paddys. Let’s run filescan and look for paddys.
File scan paddys
Dump file and analyze paddys.lnk
Notice that it is a shortcut (.lnk) to sysinfo.txt, the file we saw earlier in the cmdline output.
Dump sysinfo.txt
Unfortunately, memory is volatile: a file that was open is not guaranteed to still have its contents resident in the dump, and dumping sysinfo.txt does not give us its content.
I assume it was deleted or its pages were not resident. Let’s try to carve the file data from notepad’s process memory instead,
as described by Andrea Fortuna.
Memdump notepad.exe
Let’s dump the memory of process id 3016, the notepad.exe that had sysinfo.txt open, and search the result for the flag.
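Notepad keeps the document text in memory as UTF-16LE, so a plain ASCII strings search over the memdump output misses it; this is the point of the Andrea Fortuna trick (the equivalent of strings -el). Here is an added example (my code, not from the writeup or from Volatility) that carves p_ctf{...} candidates from a process dump in both ASCII and UTF-16LE and reports the encoding and offset of each hit. The sample buffer is constructed to contain one copy in each encoding; carve_file assumes memdump’s <pid>.dmp naming.

```python
import re


def carve_strings(blob: bytes, prefix: bytes = b"p_ctf{", max_body: int = 80):
    """Find prefix...} in ASCII and in UTF-16LE inside raw memory.

    Returns (encoding, byte_offset, text) tuples sorted by offset. The
    UTF-16LE pattern is built byte-wise (char, NUL) so offsets are exact and
    no decoding of arbitrary binary is needed.
    """
    ascii_re = re.compile(re.escape(prefix) + rb"[^}\x00]{1,%d}\}" % max_body)
    wide_prefix = b"".join(re.escape(bytes([c])) + b"\x00" for c in prefix)
    wide_re = re.compile(wide_prefix + rb"(?:[^}\x00]\x00){1,%d}\}\x00" % max_body)
    hits = [("ascii", m.start(), m.group().decode("ascii", "replace"))
            for m in ascii_re.finditer(blob)]
    hits += [("utf-16le", m.start(), m.group().decode("utf-16-le"))
             for m in wide_re.finditer(blob)]
    return sorted(hits, key=lambda h: h[1])


def carve_file(path: str, prefix: bytes = b"p_ctf{"):
    """Carve from a Volatility memdump output file (e.g. out/3016.dmp)."""
    with open(path, "rb") as fh:
        return carve_strings(fh.read(), prefix)


# Constructed sample: junk, a UTF-16LE copy (as notepad's buffer would hold
# it), more junk, then an ASCII copy. Not data from the challenge dump.
SAMPLE = (b"\x00\x12garbage"
          + "Notepad text p_ctf{constructed_part}".encode("utf-16-le")
          + b"\xff" * 8
          + b"plain p_ctf{ascii_copy} tail")


if __name__ == "__main__":
    for enc, off, text in carve_strings(SAMPLE):
        print(f"{enc:9} @0x{off:x}: {text}")
```

On a real dump run carve_file("out/3016.dmp") and expect duplicates: the edit control, undo buffers and file cache can each hold a copy, which is also why a fragment of the flag can survive after the file itself is gone.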
Now we have part 3/3 of the flag.
Final flag: p_ctf{v0l4t1l1ty_i5_v3ry_h4ndy_at_dump5_iasip}