Bad memory #

Challenge:
A user came to us and said they forgot their password. Can you recover it? The flag is the MD5 hash of the recovered password wrapped in the proper flag format.

• Download the file and extract it and you get image.bin

  shanna@ubuntu:~/volatility3$ python3 vol.py -f ../Downloads/image.bin windows.info
  Volatility 3 Framework 2.5.2
  Progress:  100.00		PDB scanning finished                                                                                              
  Variable	Value
  
  Kernel Base	0xf8047e200000
  DTB	0x1aa000
  Symbols	file:///home/shanna/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/81BC5C377C525081645F9958F209C527-1.json.xz
  Is64Bit	True
  IsPAE	False
  layer_name	0 WindowsIntel32e
  memory_layer	1 FileLayer
  KdVersionBlock	0xf8047ee0f2a8
  Major/Minor	15.19041
  MachineType	34404
  KeNumberProcessors	1
  SystemTime	2020-10-03 11:45:39
  NtSystemRoot	C:\Windows
  NtProductType	NtProductWinNt
  NtMajorVersion	10
  NtMinorVersion	0
  PE MajorOperatingSystemVersion	10
  PE MinorOperatingSystemVersion	0
  PE Machine	34404
  PE TimeDateStamp	Sun Aug 11 05:47:24 2069
  
  shanna@ubuntu:~/volatility3$ python3 vol.py -f ../Downloads/image.bin windows.hashdump.Hashdump
  Volatility 3 Framework 2.5.2
  Progress:  100.00		PDB scanning finished                        
  User	rid	lmhash	nthash
  
  Administrator	500	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
  Guest	501	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
  DefaultAccount	503	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
  WDAGUtilityAccount	504	aad3b435b51404eeaad3b435b51404ee	4cff1380be22a7b2e12d22ac19e2cdc0
  congo	1001	aad3b435b51404eeaad3b435b51404ee	ab395607d3779239b83eed9906b4fb92
  

So now I needed to switch to my Windows host to run HashCat on the GPU.

.\hashcat.exe -m 1000 ab395607d3779239b83eed9906b4fb92 .\rockyou.txt

Dictionary cache built:
* Filename..: .\rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec

ab395607d3779239b83eed9906b4fb92:goldfish#

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1000 (NTLM)
Hash.Target......: ab395607d3779239b83eed9906b4fb92
Time.Started.....: Mon Oct 30 18:50:01 2023 (0 secs)
Time.Estimated...: Mon Oct 30 18:50:01 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 26220.5 kH/s (3.06ms) @ Accel:2048 Loops:1 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 9175040/14344384 (63.96%)
Rejected.........: 0/9175040 (0.00%)
Restore.Point....: 7340032/14344384 (51.17%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: ina&alessandro -> chautla
Hardware.Mon.#1..: Temp: 55c Fan:  0% Util: 24% Core:1807MHz Mem:7300MHz Bus:8

Back to Linux to create the MD5 of the recovered password to submit the flag. shell echo -n 'goldfish#' | md5sum