Bsides Delhi CTF’18 Never Too Late Mister Write-Up

Hello Everyone!

This was the second challenge I made for the Bsides Delhi CTF-2018. It is a really simple challenge that focuses on the basics of memory forensics. If you know a bit of Python, Volatility and so on, you can solve it in a mere 15 minutes. Let us get into the challenge.

Challenge Description

"My friend John is an environmental activist and a humanitarian. He really hated the ideology of Thanos from Avengers: Infinity War. He sucks at programming. He used too many variables while writing any program. One day, John gave me a memory dump and asked me to find out what he was doing while he took the dump. Can you figure it out for me?"

It is a really big description. Take your time to read it. Now let us get into the challenge file.

It is a Windows memory dump. Let us analyze it using Volatility.

Let me use the plugin cmdscan first.

[Screenshot from 2018-10-27 14-14-21: output of the cmdscan plugin]

From the above image, we can see that a Python script, "demon.py", was executed. Let us use the consoles plugin to see whether this script produced any output. Many players actually tried to dump the Python script itself, but they couldn't, because I intentionally hid the script.

Now, let us use the consoles plugin.

[Screenshot from 2018-10-27 14-15-24: output of the consoles plugin]

Looks like a hex string is the output of the python script.

The hex string: 335d366f5d6031767631707f

Now what to do?

Now we have to read the question very carefully and get the most out of it. I deliberately used three hint words there: environment, variable and Thanos. So let me use the envars plugin and see whether I get something interesting.

[Screenshot from 2018-10-27 14-20-41: output of the envars plugin]

Using the envars plugin, we see a very unusual environment variable called Thanos. Hehe. Now, what is Thanos saying? "xor and password". Interesting!

So now let us get back to the string we found earlier.

[Screenshot from 2018-10-27 14-20-06: decoding the hex string and XORing it]

So first I decoded the hex string back to raw bytes, and then, since the hint said XOR, I XORed those bytes with many different single-byte keys. You do have to brute-force this; trying every key is the normal way of decoding a simple XOR cipher when the key is unknown.
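The brute force described above, written out as an added example (this is my code for this write-up, not the challenge's demon.py, which was hidden on purpose). It takes the hex string recovered from the console buffer, tries all 256 single-byte keys, and ranks the results with a simple heuristic: one point per letter, digit, underscore or brace, plus a bonus when the text matches the flag format (starts with "flag{" or ends with "}"). The bonus matters because several keys turn this particular string into fully alphanumeric output, and only the flag format tells the real fragment apart from the lookalikes. The scoring rule and function names are my own assumptions.

```python
import string
from typing import List, Tuple

# Hex string recovered from the consoles plugin output (taken from the write-up).
HEX_OUTPUT = "335d366f5d6031767631707f"

# Characters that typically make up a flag fragment: letters, digits, '_', '{', '}'.
FLAG_CHARS = set(string.ascii_letters + string.digits + "_{}")


def xor_with_key(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one single-byte key (0-255)."""
    return bytes(b ^ key for b in data)


def score_candidate(candidate: bytes) -> int:
    """Heuristic for 'looks like part of a flag'.

    One point per byte that is a letter, digit, underscore or brace, and a
    bonus of two points if the text starts with the flag prefix or ends with
    the closing brace. Several keys give fully alphanumeric output here, so
    the flag-format bonus is what makes the ranking unambiguous.
    """
    text = candidate.decode("latin-1")
    points = sum(1 for ch in text if ch in FLAG_CHARS)
    if text.startswith("flag{") or text.endswith("}"):
        points += 2
    return points


def brute_force_single_byte_xor(hex_string: str) -> List[Tuple[int, str, int]]:
    """Try all 256 single-byte keys and return (key, plaintext, score) tuples
    sorted best-first; ties keep the lower key."""
    data = bytes.fromhex(hex_string)
    results = []
    for key in range(256):
        plain = xor_with_key(data, key)
        results.append((key, plain.decode("latin-1"), score_candidate(plain)))
    results.sort(key=lambda r: (-r[2], r[0]))
    return results


def recover_flag_fragment(hex_string: str) -> Tuple[int, str]:
    """Return (key, plaintext) of the best-scoring candidate."""
    key, plain, _ = brute_force_single_byte_xor(hex_string)[0]
    return key, plain


if __name__ == "__main__":
    # Show the top few candidates so the ranking can be eyeballed, as you
    # would when working through this by hand.
    for key, plain, points in brute_force_single_byte_xor(HEX_OUTPUT)[:5]:
        print(f"key=0x{key:02x} score={points:2d} {plain!r}")
    key, fragment = recover_flag_fragment(HEX_OUTPUT)
    print(f"key 0x{key:02x} decodes to {fragment}")
```

Printing the top candidates instead of only the winner is deliberate: on a different string the heuristic might rank a lookalike first, and seeing the runners-up is the quickest way to notice that.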

So we have this: 1_4m_b3tt3r}. This is one half of the flag. Looks like what Thanos said really helped us. He said something else too, didn't he? Yeah! He said "password".

Now let us see whether we can recover the users' passwords.

Let us use the hashdump plugin now.

[Screenshot from 2018-10-27 14-45-59: output of the hashdump plugin]

We see that there is a user named "hello". Let us try to crack his password hash.

Windows stores local account password hashes in NTLM (NT hash) format, which is what hashdump gives us, so we need an NTLM password cracker for this.

I used this website because it is quite popular -> NTLM-Cracker

[Screenshot from 2018-10-27 14-49-10: cracked NTLM hash for the user "hello"]

The cracked password is the first half of the flag. Now let us concatenate the two halves we got.

FLAG: flag{you_are_good_but1_4m_b3tt3r}

So this is how you solve this challenge.

Happy Hacking!!!
