Category:

You can download the Memdump challenge, along with all the challenges from the 2016 Greek Qualifier of the European Cyber Security Challenge, at this link. More details on the Greek ECSC 2016 Qualifier can be found here.

Points: 50

Challenge designer: Panos Lefteris

Description:

> Do not trust your tools… INFOrmation is your friend
> The flag is the NTLM hash of the local admin

____________________________________
||M |||E |||M |||D |||U |||M |||P ||
||__|||__|||__|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|

First we need to know the exact version of the system where the dump was taken.

$ volatility -f ./dump.mem imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86 (Instantiated with Win7SP1x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/media/sf_Documents/ecsc/qualifiers-2016/dump.mem)
                      PAE type : PAE
                           DTB : 0x185000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-06-05 20:01:39 UTC+0000
     Image local date and time : 2016-06-05 13:01:39 -0700

Now we have the instantiated profile, Win7SP1x86, as well as several suggested profiles. Let's try to dump the NTLM hashes using Win7SP1x86:

$ export VOLATILITY_PROFILE=Win7SP1x86
$ export VOLATILITY_LOCATION=file:///root/dump.mem
$ volatility hashdump
Volatility Foundation Volatility Framework 2.5
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
johndoe:1001:aad3b435b51404eeaad3b435b51404ee:f8f9ecb9ed6a5e1035e3172362d56f64:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:4a3c64420b77c6202ae8cd7d59953313:::

The flag is:

> 31d6cfe0d16ae931b73c59d7e0c089c0

# echo 7eamnull
