BREAKIN-Significant-Memory
Challenge name : Significant-Memory
Challenge link : download-here
Points : 150
Author : b1nslashsh
Solution
Okay, let us take a look at the challenge file. It is a Windows 7 memory dump, so let's start from the beginning by letting Volatility identify the image profile:
$ volatility -f for_1.raw imageinfo
So we have a profile now (Win7SP1x64); we can pass it to every further plugin with --profile.
Next, just look at the processes that were running, using psscan:
$ volatility -f for_1.raw --profile=Win7SP1x64 psscan
So we can see that chrome, truecrypt and some other processes were running.
Now let's start by looking at the Chrome history.
For that we need a custom plugin called chromehistory; you can download it and use it from here :- https://github.com/superponible/volatility-plugins
The second link in the history was a mega one, so try opening it in a browser.
It was a file called fl4g.rar,
and we need a password to open it!
So let's try to find that password now..
As we know TrueCrypt is running there, trying to get its cached password with "truecryptpassphrase" didn't help.
Then here is the final stage:
There is a custom plugin, mimikatz, which is used to extract passwords in plaintext from the memory dump.
You can download it and use it from here :- https://github.com/volatilityfoundation/community/blob/master/FrancescoPicasso/mimikatz.py
And yes, we got the password!!
Now extracting the rar with it, we have the flag :P
final Flag : Fl4G{W3ll_D0n3!_7h1s_i5_4b0U7_m1m1k4tz_R1Gh7?}
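The whole Volatility 2 triage sequence from this writeup, scripted as an added example (not the author's own script): it picks the first suggested profile out of imageinfo, loads the two community plugins with --plugins, and pulls the URLs out of the chromehistory listing. It assumes volatility 2 is on PATH as "volatility", the dump is for_1.raw, and chromehistory.py and mimikatz.py are copied into ./plugins; the output file names and the two sample lines are constructed for the test.

```bash
#!/usr/bin/env bash
# Added example of the writeup's Volatility 2 workflow (hypothetical helper names).
# Assumptions: `volatility` on PATH, dump at for_1.raw, community plugins in ./plugins.
set -u

DUMP="${1:-for_1.raw}"
PLUGINS="${PLUGINS_DIR:-./plugins}"

# Pick the first profile out of an `imageinfo` "Suggested Profile(s)" line.
suggested_profile() {
    sed -n 's/.*Suggested Profile(s) *: *\([^,]*\).*/\1/p' | head -n1 | tr -d ' '
}

# Pull every URL out of chromehistory output (the mega link is what the writeup needed).
history_urls() {
    grep -oE 'https?://[^[:space:]]+' | sort -u
}

# Constructed sample lines so the helpers can be checked without the dump.
SAMPLE_IMAGEINFO='          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64'
SAMPLE_HISTORY='3 https://mega.nz/#!CONSTRUCTEDID fl4g.rar 2019-01-01 1 0'

# Full triage against the real dump; only runs when RUN_TRIAGE=1 is set.
run_triage() {
    local profile
    profile=$(volatility -f "$DUMP" imageinfo 2>/dev/null | suggested_profile)
    [ -n "$profile" ] || { echo "no profile suggested" >&2; return 1; }
    echo "[*] profile: $profile"
    volatility -f "$DUMP" --profile="$profile" psscan > psscan.txt
    # Custom plugins are loaded with --plugins=DIR in Volatility 2.
    volatility --plugins="$PLUGINS" -f "$DUMP" --profile="$profile" chromehistory > chromehistory.txt
    echo "[*] URLs seen in Chrome history:"
    history_urls < chromehistory.txt
    volatility --plugins="$PLUGINS" -f "$DUMP" --profile="$profile" mimikatz > mimikatz.txt
    echo "[*] credential output written to mimikatz.txt"
}

if [ "${RUN_TRIAGE:-0}" = 1 ]; then run_triage; fi
```

Run it as RUN_TRIAGE=1 ./triage.sh for_1.raw once the plugins are in place; without that variable it only defines the helpers.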