BREAKIN-Significant-Memory

Challenge name : Significant-Memory
challenge link : download-here
points : 150
author : b1nslashsh
Solution
Okay, let us take a look at the challenge file. It is a Windows 7 memory dump, so let's start from the beginning:
$volatility -f for_1.raw imageinfo

So we have a profile now, and we can use it for the next steps.
Next, let's look at the running processes using psscan:
$volatility -f for_1.raw --profile=Win7SP1x64 psscan

We can see chrome, truecrypt and some other processes.
Now let's start by looking at the Chrome history.
For that we need a custom plugin called chromehistory; you can download and use it from here :- https://github.com/superponible/volatility-plugins

The second link in the history was a MEGA one, so try opening it in a browser.
It was a file called fl4g.rar

and we need a password to open it!
So let's try to find that password now..

As we know TrueCrypt is running there, but trying to get its cached passphrase using "truecryptpassphrase" didn't help.
So here is the final stage:
there is a custom plugin, mimikatz, which is used to extract passwords as plaintext.

you can download and use it from here :- https://github.com/volatilityfoundation/community/blob/master/FrancescoPicasso/mimikatz.py

And yes, we got the password!!
Now extract the rar and we have the flag :P
final Flag : Fl4G{W3ll_D0n3!_7h1s_i5_4b0U7_m1m1k4tz_R1Gh7?}
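The whole triage chain from this writeup (imageinfo, psscan, chromehistory, mimikatz) as one small POSIX sh wrapper; this is an added example, not part of the original post. It assumes Volatility 2 is on PATH as `vol.py` (override with the VOL variable) and that the two community plugin .py files linked above were copied into one plugins directory; the imageinfo sample text is constructed.

```shell
#!/bin/sh
# Added example (not from the original writeup): a POSIX sh wrapper for the
# Volatility 2 steps used above: imageinfo -> psscan -> chromehistory -> mimikatz.
# Assumptions: Volatility 2 is on PATH as `vol.py` (override with VOL=...), and the
# chromehistory.py and mimikatz.py plugins were copied into one plugins directory.
VOL="${VOL:-vol.py}"

# Read imageinfo output on stdin and print the first suggested profile,
# e.g. "Win7SP1x64" from "Suggested Profile(s) : Win7SP1x64, Win7SP0x64".
pick_profile() {
    sed -n 's/.*Suggested Profile(s) *: *\([A-Za-z0-9_]*\).*/\1/p' | head -n 1
}

# Run the remaining triage steps against a dump with a known profile.
# $1 = memory dump, $2 = profile, $3 = directory holding the custom plugins.
# --plugins is given first because Volatility 2 loads plugin dirs before parsing
# the rest of the command line.
triage() {
    dump="$1"; profile="$2"; plugins="$3"
    for plugin in psscan chromehistory mimikatz; do
        echo "=== $plugin ==="
        "$VOL" --plugins="$plugins" -f "$dump" --profile="$profile" "$plugin"
    done
}

# Constructed sample of what imageinfo prints, so pick_profile can be exercised
# without a dump (the real values come from `$VOL -f for_1.raw imageinfo`).
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)'

# Full run against the real dump (uncomment when for_1.raw and the plugins are present):
# profile=$("$VOL" -f for_1.raw imageinfo | pick_profile)
# triage for_1.raw "$profile" ./plugins
```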