Challenge Description
This challenge was a memory analysis challenge where we had to find information hidden in a memory dump of windows.
Tools
- volatility: analyze the memory dump
- strings: find strings in the memory dump
Procedure
This challenge was not terribly difficult, although one of our computers had trouble running one of the commands. Ironically, the sole Windows computer could not run the ‘windows.hashdump’ plugin.
To start, we wanted to list all the processes that were running on the computer, using volatility's process listing.
This produces a list of all the processes that were running on the computer. Because this is Windows, there is a lot of bloat, but even so it is not hard to find a process to narrow in on.
Looking at the processes, notepad stands out as one that could be suspicious or hold more information.
Now that we have a valid target, let's dump its memory to a separate file so we can analyze it on its own. Volatility can write the memory of a single process out to a file.
This will create a new dump file that only contains the memory of the notepad.exe process.
Using this file, we can run strings on it, grepping for “flag”, as a quick test to see whether anything typed into notepad is close to a flag.
This prints every string in the notepad memory dump that contains “flag”.
There is quite a bit of output, but still an amount a human can reasonably read through. Looking at it, we find something of interest.
This tells us that the flag is the NTLM hash of the user, which is something else we should be able to dump from the memory.
Running the windows.hashdump plugin prints a lot of information to the console.
We know that the current user is Jimothy, although there isn't really another user on this computer anyway.
We can see that the nthash is 80a1850fba580325595eb75c2ec50207. Plugging this into the flag format gives osu{80a1850fba580325595eb75c2ec50207}; we submitted it to Marvin and it was correct!
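The whole procedure as a small shell script, added here as an example and not part of the original writeup. The volatility invocations in the comments assume Volatility 3's `vol -f <image> <plugin>` syntax and the `windows.pslist`, `windows.memmap --pid <PID> --dump` and `windows.hashdump` plugins; the image name, PID and the administrator hash are placeholders. The helper functions reproduce the strings-and-grep step and the parsing of hashdump output, and they run offline on constructed sample data so the logic can be checked without the challenge image.

```shell
#!/bin/sh
# Added example, not the writeup's own commands. Assumptions: Volatility 3 CLI
# syntax and the hashdump output column order "User rid lmhash nthash".
# IMAGE, the PID and the non-Jimothy hash below are placeholders.

IMAGE="${IMAGE:-memory.dmp}"          # placeholder: the challenge memory image

# Steps the writeup describes, for reference (these need volatility installed):
#   vol -f "$IMAGE" windows.pslist                     # list processes, spot notepad.exe
#   vol -f "$IMAGE" windows.memmap --pid <PID> --dump  # write pid.<PID>.dmp
#   vol -f "$IMAGE" windows.hashdump                   # dump local account hashes

# Portable stand-in for `strings <dump> | grep -i flag`: turn every
# non-printable byte into a newline, keep runs of 4+ printable characters,
# then keep only the runs that mention "flag".
grep_flag_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}' | grep -i 'flag'
}

# Pick the NT hash for one user out of hashdump-style output
# (one "User rid lmhash nthash" line per account, read from stdin).
nthash_for_user() {
    awk -v user="$1" 'tolower($1) == tolower(user) { print $4; exit }'
}

# Wrap the user's NT hash in the challenge flag format; fails if the user
# has no line in the hashdump output.
flag_for_user() {
    hash=$(nthash_for_user "$1" < "$2")
    [ -n "$hash" ] || return 1
    printf 'osu{%s}\n' "$hash"
}

# Constructed sample data standing in for the real process dump and hashdump
# output; the Jimothy nthash is the value quoted in the writeup, the LM hash
# is the well-known empty-password LM hash.
make_samples() {
    dir=$(mktemp -d)
    printf 'junk\001\002\003The flag is the NTLM hash of the user\377more junk' \
        > "$dir/pid.1234.dmp"
    cat > "$dir/hashdump.txt" <<'EOF'
User    rid     lmhash                              nthash
Administrator   500     aad3b435b51404eeaad3b435b51404ee        <placeholder-nthash>
Jimothy 1001    aad3b435b51404eeaad3b435b51404ee        80a1850fba580325595eb75c2ec50207
EOF
    printf '%s\n' "$dir"
}

# Run with "demo" to see the two offline steps on the constructed data.
if [ "${1:-}" = "demo" ]; then
    d=$(make_samples)
    grep_flag_strings "$d/pid.1234.dmp"
    flag_for_user Jimothy "$d/hashdump.txt"
fi
```

The `tr`-based scan is used instead of `strings` so the script also works on a box without binutils; on the real dump the output is much noisier than the sample, which is why grepping for “flag” first is the quick filter the writeup relies on.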