Category: Digital Forensics
You can download the Memdump Digital Forensics challenge, along with all the challenges of the 2016 Greek Qualifier CTF of the European Cybersecurity Challenge, at this link. More details on the Greek ECSC 2016 Qualifier CTF event can be found here.
Points: 50
Challenge designer: Panos Lefteris
Description:
> Do not trust your tools… INFOrmation is your friend
> The flag is the NTLM hash of the local admin
____________________________________
||M |||E |||M |||D |||U |||M |||P ||
||__|||__|||__|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|
Write-up
First we need to know the exact Windows version the dump was taken from, so that Volatility uses the right profile (kernel symbols and structure offsets) when it walks the memory image.
$ volatility -f ./dump.mem imageinfo
Volatility Foundation Volatility Framework 2.5
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86 (Instantiated with Win7SP1x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/media/sf_Documents/ecsc/qualifiers-2016/dump.mem)
PAE type : PAE
DTB : 0x185000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2016-06-05 20:01:39 UTC+0000
Image local date and time : 2016-06-05 13:01:39 -0700
The suggested profiles are all Vista / Server 2008, but the INFO line says the plugin was instantiated with Win7SP1x86. That is the trap the description warns about ("Do not trust your tools… INFOrmation is your friend"): with a mismatched profile, hashdump either fails to find the SYSTEM and SAM hives or decrypts garbage, so we pin the profile to Win7SP1x86 and dump the hashes with it.
$ export VOLATILITY_PROFILE=Win7SP1x86
$ export VOLATILITY_LOCATION=file:///root/dump.mem
$ volatility hashdump
Volatility Foundation Volatility Framework 2.5
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
johndoe:1001:aad3b435b51404eeaad3b435b51404ee:f8f9ecb9ed6a5e1035e3172362d56f64:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:4a3c64420b77c6202ae8cd7d59953313:::
The flag is:
> 31d6cfe0d16ae931b73c59d7e0c089c0
Two things worth noticing in the hashdump output: the built-in local administrator is identified by RID 500, not by the account name (the Administrator account can be renamed), and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password (MD4 of the empty UTF-16LE string), so the local admin has no password set. The LM field aad3b435b51404eeaad3b435b51404ee on every line is the LM hash of an empty string, which is what Windows stores when LM hashes are disabled (the default since Vista).
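To check the two facts above without trusting a second tool, here is an added example (not part of the original write-up) that computes an NT hash from a password using a pure-Python MD4 (hashlib's MD4 is often unavailable under OpenSSL 3), then parses the pwdump-style hashdump output quoted above and picks the local admin by RID 500 while flagging empty passwords and disabled LM storage. The sample input is a copy of the hashdump output from this write-up; the function and field names are my own.

```python
import struct

MASK32 = 0xFFFFFFFF
# Well-known constants: the hashes Windows stores for an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "" = MD4(UTF-16LE(""))


def md4(data: bytes) -> bytes:
    """MD4 as in RFC 1320, in pure Python so it works without OpenSSL's legacy provider."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the bit length as a little-endian u64.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)

    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                # Each step updates one register and rotates the roles a->d->c->b.
                a, b, c, d = d, rotl((a + fn(b, c, d) + X[k] + const) & MASK32, shifts[i % 4]), b, c
        A, B, C, D = (A + a) & MASK32, (B + b) & MASK32, (C + c) & MASK32, (D + d) & MASK32
    return struct.pack("<4I", A, B, C, D)


def ntlm_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, hex-encoded."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str) -> list:
    """Parse pwdump-style lines 'user:rid:lm:nt:::' and annotate each entry."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        entries.append({
            "user": user,
            "rid": rid,
            "lm": lm,
            "nt": nt,
            "builtin_admin": rid == 500,          # RID 500 is the built-in admin, whatever its name
            "empty_password": nt == EMPTY_NT,     # NT hash of the empty string
            "lm_disabled": lm == EMPTY_LM,        # LM hash of the empty string = LM not stored
        })
    return entries


def local_admin_nt_hash(text: str):
    """Return the NT hash of the RID-500 account, or None if it is not in the dump."""
    for e in parse_hashdump(text):
        if e["builtin_admin"]:
            return e["nt"]
    return None


# Sample input: the hashdump output quoted in this write-up.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
johndoe:1001:aad3b435b51404eeaad3b435b51404ee:f8f9ecb9ed6a5e1035e3172362d56f64:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:4a3c64420b77c6202ae8cd7d59953313:::
"""

if __name__ == "__main__":
    for e in parse_hashdump(SAMPLE_HASHDUMP):
        flags = [k for k in ("builtin_admin", "empty_password", "lm_disabled") if e[k]]
        print(f"{e['user']:<16} rid={e['rid']:<5} nt={e['nt']} {' '.join(flags)}")
    print("flag:", local_admin_nt_hash(SAMPLE_HASHDUMP))
    print("NT('') ==", ntlm_hash(""), "->", ntlm_hash("") == EMPTY_NT)
```

Selecting on RID rather than on the string "Administrator" is the robust choice in a real investigation: a renamed built-in admin still has RID 500, and an attacker-created account called "Administrator" would not.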
# echo 7eamnull