Volatility CTF
Working on a SIFT workstation running in VMware.
Challenge 1
Downloaded the zip file; after extraction, the memory image was in raw format.
Using Volatility 2.
First, running imageinfo to get the details of the image and the suggested OS profile:
vol.py -f '/path/Challenge.raw' imageinfo
Output
From the suggested profiles, I am using Win7SP1x86.
Now I will list the running processes using pslist:
vol.py -f '/home/sansforensics/Desktop/memlabs/lab0/Challenge.raw' --profile=Win7SP1x86 pslist
Multiple processes are running, but DumpIt.exe (the memory acquisition tool) stands out, so I have some doubts about it.
Now I will check the process tree so that I can see the parent-child relationships:
vol.py -f '/home/sansforensics/Desktop/memlabs/lab0/Challenge.raw' --profile=Win7SP1x86 pstree
We can see that explorer.exe is the parent process of both cmd.exe and DumpIt.exe, i.e. both were started by the logged-on user.
So, checking which commands were executed in cmd.exe using the cmdscan plugin.
We can see that demon.py.txt was executed through cmd. So let's check the console output using the consoles plugin:
vol.py -f '/home/sansforensics/Desktop/memlabs/lab0/Challenge.raw' --profile=Win7SP1x86 consoles
Now we can see some hex values in the console output. Decoding them in CyberChef gives a seemingly random string:
3]6o]`1vv1p
Challenge hint: To get the environment variables of a process you can use the envars plugin.
As per the hint, running the envars plugin.
In the environment variables we can see references to Thanos, xor and password.
Now I will try to use this hint and finish the decoding in CyberChef: XOR the recovered string with the password.
So I am running hashdump to look for a password.
One user account was found.
I tried to crack the NTLM hash but could not recover the password. I checked with the challenge creator, and there was an issue with the hash itself.
So I am ending this challenge here.