Magnet Weekly CTF — Week 9

Part 1

Question: The user had a conversation with themselves about changing their password. What was the password they were contemplating changing to?

grep -a -A 10 "change my password " memdump.mem

Part 2

Question: What is the md5 hash of the file which you recovered the password from?

volatility -f memdump.mem imageinfo
> Win7SP1x64
volatility -f memdump.mem --profile Win7SP1x64 filescan > files.out
volatility -f memdump.mem --profile Win7SP1x64 dumpfiles --dump-dir dumps
grep wow_this dumps/*
> Binary file file.3180.0xfffffa803316f710.AutoRecovery save of Document1.asd.dat matches
md5sum 'file.3180.0xfffffa803316f710.AutoRecovery save of Document1.asd.dat'

Part 3

Question: What is the birth object ID for the file which contained the password?

volatility -f memdump.mem --profile Win7SP1x64 mftparser --output-file mft.out

Part 4

Question: What is the name of the user and their unique identifier which you can attribute the creation of the file document to? Format: #### (Name)

volatility -f memdump.mem --profile Win7SP1x64 getsids

Part 5

Question: What is the version of software used to create the file containing the password? Format ##

Part 6

Question: What is the virtual memory address offset where the password string is located in the memory image? Format: 0x########

volatility -f memdump.mem --profile Win7SP1x64 pslist
volatility -f memdump.mem --profile Win7SP1x64 vaddump --dump-dir vads -p 3180
grep -bao wow_this vads/*
> WINWORD.EXE.13f77bb00.0x0000000002180000-0x00000000021fffff.dmp
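The vaddump file name encodes the VAD's start and end virtual addresses, so the byte offset grep reports inside that file maps straight to a process virtual address (start + offset). The following is an added example, not code from the original writeup or from Volatility: it parses a vaddump file name, searches a constructed in-memory region for the string as both ASCII and UTF-16LE (Word also holds document text as UTF-16LE, which an ASCII grep misses), and formats each hit in the 0x######## form the question asks for.

```python
import re

# vaddump names output as <process>.<EPROCESS offset>.0x<vad start>-0x<vad end>.dmp
VAD_NAME = re.compile(
    r"^(?P<proc>.+)\.(?P<eproc>[0-9a-f]+)\.0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)\.dmp$",
    re.IGNORECASE,
)


def parse_vad_filename(name):
    """Return (process name, VAD start VA, VAD end VA) from a vaddump file name."""
    m = VAD_NAME.match(name)
    if not m:
        raise ValueError("not a vaddump file name: %s" % name)
    return m.group("proc"), int(m.group("start"), 16), int(m.group("end"), 16)


def find_string_offsets(data, needle):
    """Byte offsets of needle in data, searched as ASCII and as UTF-16LE."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pat = needle.encode(enc)
        pos = data.find(pat)
        while pos != -1:
            hits.append((pos, enc))
            pos = data.find(pat, pos + 1)
    return sorted(hits)


def virtual_addresses(dump_name, data, needle):
    """Map every hit inside a vaddump file back to a process virtual address."""
    _, start, end = parse_vad_filename(dump_name)
    out = []
    for off, enc in find_string_offsets(data, needle):
        va = start + off
        if va > end:  # a hit past the VAD end means the file is not this VAD
            raise ValueError("offset 0x%x lies outside the VAD" % off)
        out.append(("0x%08x" % va, enc))
    return out


# Constructed sample: the file name from the writeup plus a fake 512-byte region
# holding the password string once as ASCII and once as UTF-16LE.
DUMP_NAME = "WINWORD.EXE.13f77bb00.0x0000000002180000-0x00000000021fffff.dmp"
SAMPLE = bytearray(512)
SAMPLE[0x40:0x48] = b"wow_this"
SAMPLE[0x100:0x110] = "wow_this".encode("utf-16-le")

if __name__ == "__main__":
    for va, enc in virtual_addresses(DUMP_NAME, bytes(SAMPLE), "wow_this"):
        print(va, enc)
```

On a real dump, read the vaddump file with open(path, "rb") and pass its bytes as data; the offsets then match what grep -b reports.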

Part 7

Question: What is the physical memory address offset where the password string is located in the memory image? Format: 0x#######

grep -bao wow_this memdump.mem

Thoughts

This was a nice set of questions with an easy start but some ramp-up at the end which built on the previous questions. I was not as familiar with VADs and virtual/physical address spaces, so I did learn a few things. I'm not really sure how I would use this in a practical sense, though, so I'd love to see more applications of this information; obviously it's in Volatility for a reason, but I've yet to come across it in a case.
