Bad memory

Bad memory #

Challenge:
A user came to us and said they forgot their password. Can you recover it? The flag is the MD5 hash of the recovered password wrapped in the proper flag format.

  • Download the file and extract it and you get image.bin

    shanna@ubuntu:~/volatility3$ python3 vol.py -f ../Downloads/image.bin windows.info
    Volatility 3 Framework 2.5.2
    Progress:  100.00		PDB scanning finished                                                                                              
    Variable	Value
    
    Kernel Base	0xf8047e200000
    DTB	0x1aa000
    Symbols	file:///home/shanna/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/81BC5C377C525081645F9958F209C527-1.json.xz
    Is64Bit	True
    IsPAE	False
    layer_name	0 WindowsIntel32e
    memory_layer	1 FileLayer
    KdVersionBlock	0xf8047ee0f2a8
    Major/Minor	15.19041
    MachineType	34404
    KeNumberProcessors	1
    SystemTime	2020-10-03 11:45:39
    NtSystemRoot	C:\Windows
    NtProductType	NtProductWinNt
    NtMajorVersion	10
    NtMinorVersion	0
    PE MajorOperatingSystemVersion	10
    PE MinorOperatingSystemVersion	0
    PE Machine	34404
    PE TimeDateStamp	Sun Aug 11 05:47:24 2069
    
    shanna@ubuntu:~/volatility3$ python3 vol.py -f ../Downloads/image.bin windows.hashdump.Hashdump
    Volatility 3 Framework 2.5.2
    Progress:  100.00		PDB scanning finished                        
    User	rid	lmhash	nthash
    
    Administrator	500	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
    Guest	501	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
    DefaultAccount	503	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
    WDAGUtilityAccount	504	aad3b435b51404eeaad3b435b51404ee	4cff1380be22a7b2e12d22ac19e2cdc0
    congo	1001	aad3b435b51404eeaad3b435b51404ee	ab395607d3779239b83eed9906b4fb92
    

So now I needed to switch to my Windows host to run HashCat on the GPU.

.\hashcat.exe -m 1000 ab395607d3779239b83eed9906b4fb92 .\rockyou.txt

Dictionary cache built:
* Filename..: .\rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec

ab395607d3779239b83eed9906b4fb92:goldfish#

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
Hash.Target......: ab395607d3779239b83eed9906b4fb92
Time.Started.....: Mon Oct 30 18:50:01 2023 (0 secs)
Time.Estimated...: Mon Oct 30 18:50:01 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 26220.5 kH/s (3.06ms) @ Accel:2048 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 9175040/14344384 (63.96%)
Rejected.........: 0/9175040 (0.00%)
Restore.Point....: 7340032/14344384 (51.17%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: ina&alessandro -> chautla
Hardware.Mon.#1..: Temp: 55c Fan:  0% Util: 24% Core:1807MHz Mem:7300MHz Bus:8

Back to Linux to create the MD5 of the recovered password to submit the flag. shell echo -n 'goldfish#' | md5sum