Hacked

14 Feb 2023

Challenge Description

This challenge was a memory analysis challenge where we had to find information hidden in a Windows memory dump.

Tools

Procedure

This challenge was not terribly difficult, although one of the computers had issues running one of the commands. Ironically, the sole Windows computer could not run the ‘windows.hashdump’ function.

Anyway, to start, we wanted to dump all the running processes on the computer.

To do this, we can use the command:

python3 volatility3-2.4.0/vol.py -f memory_dump.raw windows.pslist

This produces a list of all the processes that were running on the computer. Because this is Windows, there is a lot of bloat, but it still shouldn’t be hard to find a process worth narrowing in on.

Volatility 3 Framework 2.4.0
Progress:  100.00		PDB scanning finished                        
PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime	File output
...
4156	836	RuntimeBroker.	0xd08ae7221080	7	-	3	False	2023-02-06 10:12:27.000000 	N/A	Disabled
7792	836	RuntimeBroker.	0xd08ae7297080	2	-	3	False	2023-02-06 10:12:29.000000 	N/A	Disabled
3816	5820	winpmem_mini_x	0xd08ae73c6080	3	-	1	False	2023-02-06 20:43:21.000000 	N/A	Disabled
1348	4196	notepad.exe	0xd08ae7bb3080	1	-	3	False	2023-02-06 20:28:10.000000 	N/A	Disabled
4204	5820	conhost.exe	0xd08ae7bb9080	4	-	1	False	2023-02-06 10:16:05.000000 	N/A	Disabled
2768	836	ShellExperienc	0xd08ae7bcf080	18	-	3	False	2023-02-06 10:12:27.000000 	N/A	Disabled
8164	2264	sihost.exe	0xd08ae86d3080	9	-	3	False	2023-02-06 10:12:25.000000 	N/A	Disabled

Looking at the processes, notepad stands out as one that could be fishy or have more information in it.

Now that we have a valid target, let’s dump it to a separate file to analyze it more closely.

To do this, we can use the command:

python path/to/vol.py -f ./memory_dump.raw windows.memmap --pid 1348 --dump

This will create a new dump file that only contains the memory of the notepad.exe process.

Using this file, we can run the strings command on it as a quick test to see whether anything typed into Notepad looks like a flag.

Running:

strings pid.1348.dmp | grep flag

This prints all strings in the notepad memory dump that contain the string “flag”.

There is quite a bit of output, but still at the level that a human can reasonably read it. Looking at it, we find something of interest:

flags
The flag is the ntlm hash of the user wrapped.
Ex: flag{miH7CvSGyutSFtQB6w3AshXaDjbuqktXUQ}
The flag is the ntlm hash of the user wrapped.
Ex: flag{miH7CvSGyutSFtQB6w3AshXaDjbuqktXUQ}

This tells us that the flag is the NTLM hash of the user, which is another thing we should be able to dump from memory.

Using the command:

python3 volatility3-2.4.0/vol.py -f memory_dump.raw windows.hashdump

This prints a lot of information to the console.

Volatility 3 Framework 2.4.0
Progress:  100.00		PDB scanning finished                        
User			rid	lmhash					nthash

Administrator		500	aad3b435b51404eeaad3b435b51404ee	296788975c1ce6fafb8221f54f5aa68c
Guest			501	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount		503	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount	504	aad3b435b51404eeaad3b435b51404ee	67594cc62423c1d68acd9b5620eec6d0
Jimothy			1000	2d60630381393c46ac2e9b858d5427bc	80a1850fba580325595eb75c2ec50207

We know that the current user is Jimothy; there isn’t really another user on this computer anyway. We can see that the nthash is 80a1850fba580325595eb75c2ec50207.

Plugging this into the flag format, osu{80a1850fba580325595eb75c2ec50207}, we submit it to Marvin and it is correct!
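As an added example (not part of the original write-up), the following Python parses the windows.hashdump table above, flags accounts whose hashes are the well-known empty-LM and empty-password constants, and wraps a user's nthash in the flag format. The function names and the osu prefix default are assumptions; the sample input is the table quoted above.

```python
import re

# Constructed sample input: the windows.hashdump table quoted in the write-up above.
HASHDUMP_OUTPUT = """\
Progress:  100.00  PDB scanning finished
User                rid   lmhash                            nthash

Administrator       500   aad3b435b51404eeaad3b435b51404ee  296788975c1ce6fafb8221f54f5aa68c
Guest               501   aad3b435b51404eeaad3b435b51404ee  31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount      503   aad3b435b51404eeaad3b435b51404ee  31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount  504   aad3b435b51404eeaad3b435b51404ee  67594cc62423c1d68acd9b5620eec6d0
Jimothy             1000  2d60630381393c46ac2e9b858d5427bc  80a1850fba580325595eb75c2ec50207
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when no LM password is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

def parse_hashdump(text):
    """Return one dict per account row; progress and header lines are skipped."""
    accounts = []
    for line in text.splitlines():
        # Split from the right: a Windows username may itself contain spaces.
        parts = line.strip().rsplit(None, 3)
        if len(parts) != 4:
            continue
        user, rid, lm, nt = parts
        if not (rid.isdigit() and HEX32.match(lm) and HEX32.match(nt)):
            continue
        accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts

def audit(accounts):
    """Map each user to the weak states worth reporting on a real host."""
    findings = {}
    for a in accounts:
        issues = []
        if a["lm"] != EMPTY_LM:  # real LM hash: the weak LM scheme is still enabled
            issues.append("lm-hash-stored")
        if a["nt"] == EMPTY_NT:  # NT hash of "": the account has no password
            issues.append("empty-password")
        findings[a["user"]] = issues
    return findings

def flag_for(accounts, user, prefix="osu"):
    """Wrap the named user's NT hash in the challenge flag format (None if absent)."""
    for a in accounts:
        if a["user"].lower() == user.lower():
            return f"{prefix}{{{a['nt']}}}"
    return None
```

On a real host the audit output is the useful part: a stored LM hash or an empty-password account is a finding in its own right, independent of any flag.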
