
# Not So Complicated
![Category](http://img.shields.io/badge/Category-Exploitation-orange?style=for-the-badge) ![Points](http://img.shields.io/badge/Points-10-brightgreen?style=for-the-badge)

## Details

>Using the [memory dump file](https://tinyurl.com/wcekj3rt) from **Window Pains**, crack and submit Jimmie's password.
>
>Submit the flag as
>
>flag{cleartext_password}.

---

Using Volatility 3, dump the local account hashes from the memory image:

```
sudo python3 /opt/volatility3/vol.py -f physmemraw windows.hashdump
```

```
Volatility 3 Framework 2.0.0
Progress: 100.00 PDB scanning finished
User rid lmhash nthash

Administrator 500 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount 503 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount 504 aad3b435b51404eeaad3b435b51404ee 0b51f04cf2a0d8f6f4469cd628a78776
Jimmie 1001 aad3b435b51404eeaad3b435b51404ee 0d757ad173d2fc249ce19364fd64c8ec
Admin 1003 aad3b435b51404eeaad3b435b51404ee 29b0d58e146d70278c29dc70f74f1e5d
```
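A way to read this table before cracking anything, as an added example that is not part of the original writeup: the script parses the rows above and flags accounts whose NT hash is the well-known hash of an empty password, accounts that share a hash, and any stored LM hash. The names `parse_hashdump` and `triage` are assumptions made for this example.

```python
import re
from collections import defaultdict

# Well-known constants: the NT hash of an empty password, and the LM value
# shown when no LM hash is stored for the account.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Rows copied from the windows.hashdump output shown in this writeup.
SAMPLE = """\
User rid lmhash nthash

Administrator 500 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount 503 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount 504 aad3b435b51404eeaad3b435b51404ee 0b51f04cf2a0d8f6f4469cd628a78776
Jimmie 1001 aad3b435b51404eeaad3b435b51404ee 0d757ad173d2fc249ce19364fd64c8ec
Admin 1003 aad3b435b51404eeaad3b435b51404ee 29b0d58e146d70278c29dc70f74f1e5d
"""

# user (may contain spaces), RID, 32-hex LM hash, 32-hex NT hash
ROW = re.compile(r"^(.+?)\s+(\d+)\s+([0-9a-f]{32})\s+([0-9a-f]{32})$", re.I)

def parse_hashdump(text):
    """Return one dict per account row; banner, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            rows.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return rows

def triage(rows):
    """Map each user to a list of findings derived only from the hash values."""
    by_nt = defaultdict(list)
    for r in rows:
        by_nt[r["nt"]].append(r["user"])
    findings = {}
    for r in rows:
        notes = []
        if r["nt"] == EMPTY_NT:
            notes.append("blank password")
        elif len(by_nt[r["nt"]]) > 1:  # NT hashes are unsalted: same hash, same password
            notes.append("same password as " + ", ".join(u for u in by_nt[r["nt"]] if u != r["user"]))
        if r["lm"] != EMPTY_LM:
            notes.append("LM hash stored")
        findings[r["user"]] = notes
    return findings

if __name__ == "__main__":
    for user, notes in triage(parse_hashdump(SAMPLE)).items():
        print(f"{user:20} {'; '.join(notes) or 'password set, no hash-level finding'}")
```

In this dump only WDAGUtilityAccount, Jimmie and Admin carry a non-blank NT hash, and no account has an LM hash stored.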

Now we can try to crack Jimmie's password hash `0d757ad173d2fc249ce19364fd64c8ec` using hashcat with mode 1000 (for NTLM hashes).

```
hashcat -m 1000 "0d757ad173d2fc249ce19364fd64c8ec" ./rockyou.txt
```

```
Dictionary cache built:
* Filename..: ./rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec

0d757ad173d2fc249ce19364fd64c8ec:qwertyuiop

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
Hash.Target......: 0d757ad173d2fc249ce19364fd64c8ec
Time.Started.....: Mon Oct 18 18:07:56 2021 (1 sec)
Time.Estimated...: Mon Oct 18 18:07:57 2021 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (./rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 85991.9 kH/s (3.44ms) @ Accel:2048 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 5373952/14344384 (37.46%)
Rejected.........: 0/5373952 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> morrisonREP!
Hardware.Mon.#1..: Temp: 58c Fan: 0% Util: 30% Core: 515MHz Mem:1942MHz Bus:16

Started: Mon Oct 18 18:07:49 2021
Stopped: Mon Oct 18 18:07:58 2021
```

We can see here that it cracked the hash as `0d757ad173d2fc249ce19364fd64c8ec:qwertyuiop`, so the flag is:

## flag{qwertyuiop}

Original writeup (https://github.com/CTSecUK/DEADFACE_CTF_2021/blob/main/Write-ups/Exploitation/Not%20So%20Complicated%20(10%20Points).md).