Tags: forensic

|=-----------------------------------------------------------------------=|
|=----------------------=[ BSides Delhi - NTLM ]=------------------------=|
|=------------------Never Too Late Mister - 200 points-------------------=|
|=----------------------=[ @borjmz - ID-10-T Team ]=---------------------=|
|=-----------------------------------------------------------------------=|

------=[Description]=------

My friend John is an environmental activist and a humanitarian. He really hated
the ideology of Thanos from the Avengers: Infinity War. He sucks at programming.
He used too many variables while writing any program. One day, John gave me a
memory dump and asked me to find out what he was doing while he took the dump.
Can you figure it out for me?

------=[Dump Analysis]=------

We are given a memory dump, Challenge.raw, to analyze.

First we identify the image profile with imageinfo:

volatility -f Challenge.raw imageinfo

Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86

When analyzing the memory dump we see that there is a Python script on the
desktop. We also see that the script has been executed and that its output
is still present in the console history.

Using Volatility's consoles plugin, we recover the command and the output of
the script:

volatility -f Challenge.raw --profile=Win7SP1x86 consoles

C:\Users\hello>C:\Python27\python.exe C:\Users\hello\Desktop\demon.py.txt
335d366f5d6031767631707f

The output is a hex string. Brute-forcing single-byte XOR keys over the
decoded bytes yields the last part of the flag:

IN = 335d366f5d6031767631707f
KEY = 0x02
OUT = 1_4m_b3tt3r}
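The brute force described above, as an added example that is not part of the original writeup. It decodes the hex string recovered from the console history, tries all 256 single-byte keys, keeps only fully printable results, and optionally filters on a required suffix (here the closing brace of a flag, an assumption about the flag format). It also shows the shortcut that a known plaintext byte gives the key directly.

```python
# Added example (not from the original writeup): single-byte XOR brute force
# over the output of demon.py.txt recovered with the Volatility consoles plugin.
import string

# Hex string captured from the console history (from the writeup).
CIPHERTEXT_HEX = "335d366f5d6031767631707f"

# Bytes we accept in a decoded candidate (printable ASCII only).
PRINTABLE = set(string.printable.encode())


def xor_with_key(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (0..255)."""
    return bytes(b ^ key for b in data)


def brute_force_single_byte_xor(hex_string: str, required_suffix: bytes = b""):
    """Try all 256 single-byte keys on the decoded hex string.

    Returns a list of (key, plaintext) pairs whose plaintext is entirely
    printable ASCII and ends with required_suffix. With an empty suffix
    every printable candidate is returned for manual inspection.
    """
    data = bytes.fromhex(hex_string)
    hits = []
    for key in range(256):
        plain = xor_with_key(data, key)
        if all(b in PRINTABLE for b in plain) and plain.endswith(required_suffix):
            hits.append((key, plain.decode("ascii")))
    return hits


def key_from_known_byte(cipher_byte: int, plain_byte: int) -> int:
    """Known-plaintext shortcut: for single-byte XOR, one known (cipher,
    plain) pair gives the key directly, since c ^ p == key."""
    return cipher_byte ^ plain_byte


if __name__ == "__main__":
    # Assumption: the fragment is the tail of a flag and therefore ends in '}'.
    for key, plain in brute_force_single_byte_xor(CIPHERTEXT_HEX, b"}"):
        print(f"key=0x{key:02x} -> {plain}")
    # Same key derived from the last ciphertext byte and the assumed '}'.
    last = bytes.fromhex(CIPHERTEXT_HEX)[-1]
    print(f"known-plaintext key: 0x{key_from_known_byte(last, ord('}')):02x}")
```

Filtering on the closing brace is what makes the answer unique here: without it, several keys produce strings made only of letters, digits and underscores, so a printable-only filter still leaves the analyst with a short list to eyeball.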

We are still analyzing the image to find the first part of the flag.

For this we use the mimikatz plugin for Volatility:

volatility -f Challenge.raw --profile=Win7SP1x86 mimikatz