3rd Challenge Write-up
I decided to protect my passwords and keep them safe. This memory dump was taken during the migration process. Will you be able to reveal the secrets?
Challenge link :
As mentioned in the description the file is a memory dump, so we can use volatility (an advanced memory forensics framework) in order to investigate it, first of all we need to identify the operating system from where this dump was taken.
From the result it’s clear that the OS is Win7SP1x64, then the first thing that comes to mind is to dump the notepad process ( generally people save their passwords there).
As shown in the picture, we identified the notepad PID and other juicy information like the use of the KeePass as a password manager, maybe we need this info for the rest of the challenge.
Let’s dump the process :
Finally perform a strings search in the dump using “ACG” as a key, the “-e l” switch is needed because notepad stores text in 16-bit little-endian.
This is the first part it seems that there is a second part of the flag hidden somewhere.
Do you remember the KeePass process ?
The second reflex is simply search files with kdbx extensions or files named flag , and bingo we found a file flag_part2.kdbx (a keepass database to store passwords in a secure manner) protected by a master key.
Ok let’s go through more serious stuff and try to crack the password.
Now we need to extract the master password hash from the file. Thankfully, John the Ripper ships with a useful tool to do just that! The utility is called “keepass2john” and simply needs the KeePass database passed in as a parameter.
Running this utility produces the following hash :
The next step is to take this hash string (first saved into a file called “keepass.txt”) and pass it through Hashcat.
Hashcat supports typical password cracking attack types, such as dictionary and brute-force, but also includes things like masking, which is filtering down the cracking attempts to certain patterns.
Here we will use the most famous dictionary rockyou.
So our hashcat command is :
hashcat -a 0 -m 13400 keepass.txt rockyou.txt
And voila we found the password “holyw00d”
Now we can see the database content :
Final flag :