# Windows Pains 2
![Category](http://img.shields.io/badge/Category-Forensics-orange?style=for-the-badge) ![Points](http://img.shields.io/badge/Points-50-brightgreen?style=for-the-badge)

## Details

One of De Monne's employees had their personal Windows computer hacked by a member of DEADFACE. The attacker managed to exploit a portion of a database backup that contains sensitive employee and customer PII.

> Using the [memory dump file](https://tinyurl.com/wcekj3rt) from Window Pains, submit the victim's computer name.
>
> Submit the flag as `flag{COMPUTER-NAME}`.
---

Using Volatility3 we run the `windows.envars` plugin, which walks every process's environment block, and filter the output for the `COMPUTERNAME` variable: `sudo python3 vol.py -f physmemraw windows.envars | grep "COMPUTERNAME"`

```
❯ sudo python3 /opt/volatility3/vol.py -f physmemraw windows.envars | grep "COMPUTERNAME"
568 wininit.exe 0x2760e6015c0 COMPUTERNAME DESKTOP-IT8QNRI
644 winlogon.exe 0x2a6290a15c0 COMPUTERNAME DESKTOP-IT8QNRI
668 services.exe 0x18faf803120 COMPUTERNAME DESKTOP-IT8QNRI
708 lsass.exe 0x23442203120 COMPUTERNAME DESKTOP-IT8QNRI
832 svchost.exe 0x1e39d603300 COMPUTERNAME DESKTOP-IT8QNRI
952 svchost.exe 0x1c6c2e03390 COMPUTERNAME DESKTOP-IT8QNRI
996 svchost.exe 0x2da88203300 COMPUTERNAME DESKTOP-IT8QNRI
428 dwm.exe 0x19f91801910 COMPUTERNAME DESKTOP-IT8QNRI
1044 svchost.exe 0x26318003390 COMPUTERNAME DESKTOP-IT8QNRI
1116 svchost.exe 0x1e2ee403300 COMPUTERNAME DESKTOP-IT8QNRI
1168 svchost.exe 0x20d91003300 COMPUTERNAME DESKTOP-IT8QNRI
1220 svchost.exe 0x15525003310 COMPUTERNAME DESKTOP-IT8QNRI
1256 svchost.exe 0x2459fa03380 COMPUTERNAME DESKTOP-IT8QNRI
1264 svchost.exe 0x19f93003380 COMPUTERNAME DESKTOP-IT8QNRI
1272 svchost.exe 0x1bdca403380 COMPUTERNAME DESKTOP-IT8QNRI
1392 svchost.exe 0x1d571403310 COMPUTERNAME DESKTOP-IT8QNRI
1404 svchost.exe 0x1f4e1203380 COMPUTERNAME DESKTOP-IT8QNRI
1412 svchost.exe 0x1e7b6803380 COMPUTERNAME DESKTOP-IT8QNRI
1540 svchost.exe 0x1a786803380 COMPUTERNAME DESKTOP-IT8QNRI
1564 svchost.exe 0x159ed203300 COMPUTERNAME DESKTOP-IT8QNRI
1612 svchost.exe 0x1870f203380 COMPUTERNAME DESKTOP-IT8QNRI
1656 svchost.exe 0x23f7f203380 COMPUTERNAME DESKTOP-IT8QNRI
1664 svchost.exe 0x26d73e03310 COMPUTERNAME DESKTOP-IT8QNRI
1692 svchost.exe 0x1a8ef003310 COMPUTERNAME DESKTOP-IT8QNRI
1924 svchost.exe 0x1cd20c03390 COMPUTERNAME DESKTOP-IT8QNRI
1936 svchost.exe 0x1a5aa203300 COMPUTERNAME DESKTOP-IT8QNRI
2040 svchost.exe 0x28734c03300 COMPUTERNAME DESKTOP-IT8QNRI
1092 svchost.exe 0x1cbca003380 COMPUTERNAME DESKTOP-IT8QNRI
1556 svchost.exe 0x1755a203300 COMPUTERNAME DESKTOP-IT8QNRI
2056 svchost.exe 0x1607a203380 COMPUTERNAME DESKTOP-IT8QNRI
2096 svchost.exe 0x1ddf3203390 COMPUTERNAME DESKTOP-IT8QNRI
2148 svchost.exe 0x202a7c03380 COMPUTERNAME DESKTOP-IT8QNRI
2200 svchost.exe 0x2d055803390 COMPUTERNAME DESKTOP-IT8QNRI
2208 svchost.exe 0x22240603380 COMPUTERNAME DESKTOP-IT8QNRI
2216 svchost.exe 0x1e894203380 COMPUTERNAME DESKTOP-IT8QNRI
2328 svchost.exe 0x20f1a403300 COMPUTERNAME DESKTOP-IT8QNRI
2372 svchost.exe 0x28f6a803300 COMPUTERNAME DESKTOP-IT8QNRI
2552 svchost.exe 0x1d550403380 COMPUTERNAME DESKTOP-IT8QNRI
2612 svchost.exe 0x14190003380 COMPUTERNAME DESKTOP-IT8QNRI
2808 svchost.exe 0x13773603380 COMPUTERNAME DESKTOP-IT8QNRI
2904 svchost.exe 0x24fd7603300 COMPUTERNAME DESKTOP-IT8QNRI
2912 svchost.exe 0x2bf76c03390 COMPUTERNAME DESKTOP-IT8QNRI
2920 svchost.exe 0x1fecc003390 COMPUTERNAME DESKTOP-IT8QNRI
2936 svchost.exe 0x222fd603300 COMPUTERNAME DESKTOP-IT8QNRI
2944 svchost.exe 0x1c6ff003380 COMPUTERNAME DESKTOP-IT8QNRI
2964 svchost.exe 0x2c83dc03300 COMPUTERNAME DESKTOP-IT8QNRI
3048 svchost.exe 0x2274ea03300 COMPUTERNAME DESKTOP-IT8QNRI
3060 svchost.exe 0x19ab5403300 COMPUTERNAME DESKTOP-IT8QNRI
2104 svchost.exe 0x28a0d603300 COMPUTERNAME DESKTOP-IT8QNRI
1620 MsMpEng.exe 0x1d550f71af0 COMPUTERNAME DESKTOP-IT8QNRI
3084 svchost.exe 0x26b1d003300 COMPUTERNAME DESKTOP-IT8QNRI
3112 svchost.exe 0x1e0fe203380 COMPUTERNAME DESKTOP-IT8QNRI
3444 svchost.exe 0x1ac18003300 COMPUTERNAME DESKTOP-IT8QNRI
4016 svchost.exe 0x212bba03380 COMPUTERNAME DESKTOP-IT8QNRI
4180 svchost.exe 0x14aa7203310 COMPUTERNAME DESKTOP-IT8QNRI
4224 svchost.exe 0x2bc54a03300 COMPUTERNAME DESKTOP-IT8QNRI
4412 sihost.exe 0x1c067791ba0 COMPUTERNAME DESKTOP-IT8QNRI
4444 svchost.exe 0x29ca26033c0 COMPUTERNAME DESKTOP-IT8QNRI
4472 svchost.exe 0x2102ac033c0 COMPUTERNAME DESKTOP-IT8QNRI
4916 svchost.exe 0x225e4203300 COMPUTERNAME DESKTOP-IT8QNRI
4944 ctfmon.exe 0x15a6f571ba0 COMPUTERNAME DESKTOP-IT8QNRI
5020 svchost.exe 0x2ad0e603380 COMPUTERNAME DESKTOP-IT8QNRI
4012 explorer.exe 0x5f1bd0 COMPUTERNAME DESKTOP-IT8QNRI
3996 svchost.exe 0x20aec403380 COMPUTERNAME DESKTOP-IT8QNRI
5152 svchost.exe 0x286c08033c0 COMPUTERNAME DESKTOP-IT8QNRI
5300 SearchIndexer. 0x1b74ee01af0 COMPUTERNAME DESKTOP-IT8QNRI
5564 StartMenuExper 0x13e33c03550 COMPUTERNAME DESKTOP-IT8QNRI
5664 RuntimeBroker. 0x227ed8033c0 COMPUTERNAME DESKTOP-IT8QNRI
5780 SearchApp.exe 0x26bb74034f0 COMPUTERNAME DESKTOP-IT8QNRI
6000 RuntimeBroker. 0x1cbeb4033c0 COMPUTERNAME DESKTOP-IT8QNRI
5200 YourPhone.exe 0x23f0e4034d0 COMPUTERNAME DESKTOP-IT8QNRI
6212 RuntimeBroker. 0x1b1968033c0 COMPUTERNAME DESKTOP-IT8QNRI
6340 svchost.exe 0x20510e03380 COMPUTERNAME DESKTOP-IT8QNRI
6752 RuntimeBroker. 0x240440033c0 COMPUTERNAME DESKTOP-IT8QNRI
6844 RuntimeBroker. 0x276c08033c0 COMPUTERNAME DESKTOP-IT8QNRI
6988 SecurityHealth 0x21a797e1c90 COMPUTERNAME DESKTOP-IT8QNRI
7024 SecurityHealth 0x22c36261af0 COMPUTERNAME DESKTOP-IT8QNRI
7132 svchost.exe 0x214cd003310 COMPUTERNAME DESKTOP-IT8QNRI
904 svchost.exe 0x293cc203300 COMPUTERNAME DESKTOP-IT8QNRI
5392 svchost.exe 0x1b733003300 COMPUTERNAME DESKTOP-IT8QNRI
7620 Spotify.exe 0x1c03410 COMPUTERNAME DESKTOP-IT8QNRI
7480 TextInputHost. 0x24f22e03500 COMPUTERNAME DESKTOP-IT8QNRI
3944 dllhost.exe 0x14d8a051ba0 COMPUTERNAME DESKTOP-IT8QNRI
8044 ApplicationFra 0x18d9aac1ba0 COMPUTERNAME DESKTOP-IT8QNRI
7584 svchost.exe 0x1af2da03390 COMPUTERNAME DESKTOP-IT8QNRI
8336 svchost.exe 0x27d7d603300 COMPUTERNAME DESKTOP-IT8QNRI
8584 svchost.exe 0x1f14e203300 COMPUTERNAME DESKTOP-IT8QNRI
8656 svchost.exe 0x20bc9e03380 COMPUTERNAME DESKTOP-IT8QNRI
8696 svchost.exe 0x277312033c0 COMPUTERNAME DESKTOP-IT8QNRI
1700 RuntimeBroker. 0x1d6ec4033c0 COMPUTERNAME DESKTOP-IT8QNRI
9692 svchost.exe 0x1e44aa03300 COMPUTERNAME DESKTOP-IT8QNRI
8020 UserOOBEBroker 0x26cec6c1ba0 COMPUTERNAME DESKTOP-IT8QNRI
9544 ShellExperienc 0x207b1403540 COMPUTERNAME DESKTOP-IT8QNRI
9452 RuntimeBroker. 0x1b6174033c0 COMPUTERNAME DESKTOP-IT8QNRI
1796 powershell.exe 0x2b90ca41c90 COMPUTERNAME DESKTOP-IT8QNRI
8592 conhost.exe 0x23b42571c90 COMPUTERNAME DESKTOP-IT8QNRI
1832 powershell_ise 0x26eddb71c90 COMPUTERNAME DESKTOP-IT8QNRI
9428 svchost.exe 0x1bc78803380 COMPUTERNAME DESKTOP-IT8QNRI
10648 svchost.exe 0x1b7fa203300 COMPUTERNAME DESKTOP-IT8QNRI
10992 conhost.exe 0x240d4f01d00 COMPUTERNAME DESKTOP-IT8QNRI
10284 powershell.exe 0x2192f471ba0 COMPUTERNAME DESKTOP-IT8QNRI
10268 conhost.exe 0x138ee371ba0 COMPUTERNAME DESKTOP-IT8QNRI
10840 svchost.exe 0x1cecbc03300 COMPUTERNAME DESKTOP-IT8QNRI
10500 SearchProtocol 0x254d0f21ba0 COMPUTERNAME DESKTOP-IT8QNRI
4064 svchost.exe 0x26845603300 COMPUTERNAME DESKTOP-IT8QNRI
10008 svchost.exe 0x1fbda203300 COMPUTERNAME DESKTOP-IT8QNRI
5948 svchost.exe 0x2ea60803300 COMPUTERNAME DESKTOP-IT8QNRI
8180 userinit.exe 0x1e1cc0 COMPUTERNAME DESKTOP-IT8QNRI
5864 SearchFilterHo 0x15cacf01ba0 COMPUTERNAME DESKTOP-IT8QNRI
3652 msedge.exe 0x1ef3dc03840 COMPUTERNAME DESKTOP-IT8QNRI
6032 msedge.exe 0x197e0803840 COMPUTERNAME DESKTOP-IT8QNRI
7008 msedge.exe 0x218c3203840 COMPUTERNAME DESKTOP-IT8QNRI
1628 msedge.exe 0x15061c03840 COMPUTERNAME DESKTOP-IT8QNRI
4924 msedge.exe 0x28138a03840 COMPUTERNAME DESKTOP-IT8QNRI
4248 smartscreen.ex 0x20e4c331ba0 COMPUTERNAME DESKTOP-IT8QNRI
32 msedge.exe 0x228b5c03840 COMPUTERNAME DESKTOP-IT8QNRI
2488 msedge.exe 0x184f4e03840 COMPUTERNAME DESKTOP-IT8QNRI
10808 msedge.exe 0x1e564803840 COMPUTERNAME DESKTOP-IT8QNRI
6540 msedge.exe 0x2436ca03840 COMPUTERNAME DESKTOP-IT8QNRI
420 msedge.exe 0x1c6e9803840 COMPUTERNAME DESKTOP-IT8QNRI
10432 notepad.exe 0x168a68a1c90 COMPUTERNAME DESKTOP-IT8QNRI
10748 Calculator.exe 0x267fcc03500 COMPUTERNAME DESKTOP-IT8QNRI
4156 RuntimeBroker. 0x12ffd6033c0 COMPUTERNAME DESKTOP-IT8QNRI
1996 msedge.exe 0x1f70ce03840 COMPUTERNAME DESKTOP-IT8QNRI
992 WWAHost.exe 0x1bb4e003500 COMPUTERNAME DESKTOP-IT8QNRI
5240 msedge.exe 0x24047a03840 COMPUTERNAME DESKTOP-IT8QNRI
5832 msedge.exe 0x20d4d203840 COMPUTERNAME DESKTOP-IT8QNRI
5860 winpmem_mini_x 0x1ef7b0e1c10 COMPUTERNAME DESKTOP-IT8QNRI

```

Here we can clearly see the computer name: `DESKTOP-IT8QNRI`. Every process in the image carries the same value, from `wininit.exe` and `lsass.exe` through the user's `explorer.exe` and `powershell.exe` down to the `winpmem_mini_x` process that acquired the dump, which is what we expect: a process's environment block is copied from its parent at creation time, so a disagreeing value would point at a process that was started with a tampered environment. For a second source, the same name lives in the SYSTEM hive under the `ComputerName` key, which Volatility's `windows.registry.printkey` plugin can read.
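Grepping works for one variable, but when triaging a dump it is useful to consolidate the whole `windows.envars` table and flag any process whose value disagrees with the rest. The script below is an added example for this writeup, not code from the original post or from Volatility. It assumes the plugin's default text output (one row per variable with the columns PID, Process, Block, Variable, Value, preceded by a banner and header line); the sample rows are constructed, with PIDs and offsets copied from the output above plus one invented `rogue.exe` row to exercise the disagreement check.

```python
"""Consolidate Volatility3 `windows.envars` output per variable and flag
processes whose value disagrees with the rest of the image.

Added example for this writeup (not code from the original post or from
Volatility). Assumes the default text rendering of windows.envars: one
row per variable with the columns PID, Process, Block, Variable, Value.
"""
from collections import defaultdict

# Constructed sample of envars output: PIDs/offsets taken from the
# writeup's output, the rogue.exe row is invented for the demo.
SAMPLE_ENVARS = """\
Volatility 3 Framework 2.0.1
PID	Process	Block	Variable	Value
568	wininit.exe	0x2760e6015c0	COMPUTERNAME	DESKTOP-IT8QNRI
644	winlogon.exe	0x2a6290a15c0	COMPUTERNAME	DESKTOP-IT8QNRI
708	lsass.exe	0x23442203120	COMPUTERNAME	DESKTOP-IT8QNRI
4012	explorer.exe	0x5f1bd0	COMPUTERNAME	DESKTOP-IT8QNRI
4012	explorer.exe	0x5f1bd0	ProgramFiles	C:\\Program Files
1796	powershell.exe	0x2b90ca41c90	COMPUTERNAME	DESKTOP-IT8QNRI
5664	RuntimeBroker.	0x227ed8033c0	COMPUTERNAME	DESKTOP-IT8QNRI
5860	winpmem_mini_x	0x1ef7b0e1c10	COMPUTERNAME	DESKTOP-IT8QNRI
31337	rogue.exe	0x1ef7b0e1000	COMPUTERNAME	NOT-THE-VICTIM
"""


def parse_envars(text):
    """Return (pid, process, block, variable, value) tuples from envars output.

    Banner, header and progress lines are skipped by requiring the first
    field to be a decimal PID. The value is everything after the fourth
    field, so values containing spaces (e.g. ProgramFiles) survive intact.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        pid, process, block, variable, value = parts
        rows.append((int(pid), process, block, variable, value.strip()))
    return rows


def values_by_variable(rows, variable):
    """Map each distinct value of `variable` to the (pid, process) pairs
    carrying it. Process names are as Volatility prints them, i.e.
    truncated to 14 characters ('RuntimeBroker.')."""
    seen = defaultdict(list)
    for pid, process, _block, var, value in rows:
        if var.upper() == variable.upper():  # env var names are case-insensitive on Windows
            seen[value].append((pid, process))
    return dict(seen)


def consensus(rows, variable):
    """Return (majority_value, outliers) for `variable`.

    The majority value is the one held by the most processes; outliers are
    (pid, process, value) triples that disagree with it. For COMPUTERNAME
    any disagreement is worth a look, since every process normally
    inherits the value from its parent's environment block.
    """
    by_value = values_by_variable(rows, variable)
    if not by_value:
        return None, []
    majority = max(by_value, key=lambda v: len(by_value[v]))
    outliers = [(pid, proc, val) for val, procs in by_value.items()
                if val != majority for pid, proc in procs]
    return majority, sorted(outliers)


if __name__ == "__main__":
    import sys
    # Real use: vol.py -f physmemraw windows.envars | python3 envars_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ENVARS
    name, odd = consensus(parse_envars(text), "COMPUTERNAME")
    print(f"COMPUTERNAME consensus: {name}")
    for pid, proc, val in odd:
        print(f"  disagrees: pid {pid} {proc} -> {val}")
```

Piping the real plugin output into the script instead of grepping gives one line with the agreed computer name and one line per process that disagrees; on the sample above it reports `DESKTOP-IT8QNRI` and flags only the constructed `rogue.exe` row.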

## flag{DESKTOP-IT8QNRI}

Original writeup: [Windows Pains 2 (50 Points)](https://github.com/CTSecUK/DEADFACE_CTF_2021/blob/main/Write-ups/Forensics/Windows%20Pains%202%20(50%20Points).md).