BREAKIN-Significant-Memory

Challange name : Significant-Memory

challange link : download-here

points : 150

author : b1nslashsh

Solution

Okay, let us take a look at the challenge file. It is a Windows7 memory dump.so lets start from the begging…

$volatility -f for_1.raw imageinfo

so we have a profile now ,we can use it for further move

next just look at the process running useing psscan :

$volatility -f for_1.raw imageinfo — profile=Win7SP1x64 psscan

so we can see that there are chrome,truecrypt and some others

now lets start by looking at chrome history

so for that we need a custom-plugin called cromehistory you can download and use it from here :- https://github.com/superponible/volatility-plugins

then the second link was a mega one so try to open it on browser

and it was a file called fl4g.rar

and we need password for open it!

so lets try to find that pass now..

so as know truecrypt is running there so trying to get its cached password useing “truecryptpassphrase” didn’t help

then here is the final stage :

there is a custom plugin mimitaz, which used to extract passwords has plaintext

you can download and use it from here :- https://github.com/volatilityfoundation/community/blob/master/FrancescoPicasso/mimikatz.py

and yes we got the password!!

and now trying to extract the rar and we have the flag : P

final Flag : Fl4G{W3ll_D0n3!_7h1s_i5_4b0U7_m1m1k4tz_R1Gh7?}