Tags: forensic 


|=----------------------=[ BSides Delhi - NTLM ]=------------------------=|
|=------------------Never Too Late Mister - 200 points-------------------=|
|=----------------------=[ @borjmz - ID-10-T Team ]=---------------------=|


My friend John is an environmental activist and a humanitarian. He really hated
the ideology of Thanos from the Avengers: Infinity War. He sucks at programming.
He used too many variables while writing any program. One day, John gave me a
memory dump and asked me to find out what he was doing while he took the dump.
Can you figure it out for me?

------=[Dump Analysis]=------

We found a memory dump that we have to analyze Challenge.raw.

First we get the information from the image

volatility -f Challenge.raw imageinfo

Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86

When analyzing the memory dump we see that there is a python script on the desktop.
Analyzing the image we see that the script has been executed and returns a
hexadecimal value.

Using Volatility to analyze, we see the output of the script using the following

volatility -f Challenge.raw --profile=Win7SP1x86 consoles

C:\Users\hello>C:\Python27\python.exe C:\Users\hello\Desktop\demon.py.txt

We continued analyzing the image and found the following string

Thanos = xor and password

XOR brute force is tested on the hexadecimal chain and we find the last part of
the flag.

IN = 335d366f5d6031767631707f
KEY = 0x02
OUT = 1_4m_b3tt3r}

We're still analyzing the image to find the first chain of the flag.

In this case we use a Mimikatz plugin for Volatility

volatility -f Challenge.raw --profile=Win7SP1x86 mimikatz

Module User Domain Password
-------- ---------------- ---------------- ------------------------------------
wdigest hello hello-PC flag{you_are_good_but

And if we put the two flag pieces together, we've got the challenge solved.

Thanks to Wagiro and Patatas


Original writeup (http://for200.borjmz.com/).