
Information
Room: Memory Forensics
Difficulty: Easy
Files: Snapshot6.vmem (1.07 GB), Snapshot14.vmem (1.07 GB), Snapshot19.vmem (1.07 GB)
My Recommendations
Download the files from the room. No verification hashes are published, so there is nothing to check the download against; record your own sha256sum of each file so that later results can be reproduced.
This is my personal preference: I like being organized and deleting a folder when I am done with it.
mkdir Documents/TryHackMe/Memory && cd Documents/TryHackMe/Memory
Volatility 2 (Python 2) and Volatility 3 (Python 3) are all you need for this room. Check that both are on your path:
vol.py -h
vol3 -h
If either command fails, install it following the project's installation instructions.
Volatility 2 needs a profile for every command. You can find the right one with:
vol.py -f Snapshot6.vmem imageinfo
Walkthrough
Task 2: Login
What is John's password?
Using Volatility 3 and the Hashdump plugin:
vol3 -f Snapshot6.vmem windows.hashdump.Hashdump
The plugin prints the local SAM accounts with their LM and NT hashes. John's NT hash is 47fbd6536d7868c873d5ea455f2fc0c9.
Now we can save the NT hash to a file and let John the Ripper crack it. The NT format is part of the Jumbo build (the one Kali ships); if you built core John yourself, install Jumbo manually.
echo -n '47fbd6536d7868c873d5ea455f2fc0c9' > John.hash
#From your John-Jumbo Installation Dir (if installed manually)
./john --format=NT --wordlist=/usr/share/wordlists/rockyou.txt ~/Documents/TryHackMe/Memory/John.hash
John cracks it easy peasy:
Answer: charmander999
Task 3: Analysis
1. When was the machine last shutdown?
The last shutdown time is stored in the SYSTEM hive as the ShutdownTime value under the key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows (ControlSet001 is the control set in use here; if in doubt, read Select\Current to find the active one).
We can get this value from the memory dump. First, we need to find the offset of the SYSTEM hive:
vol3 -f Snapshot19.vmem windows.registry.hivelist.HiveList
Now we print the key that holds the ShutdownTime value. I add --recurse so that subkeys and their values are printed as well; it costs nothing and avoids missing a value when the key layout is not what you expect:
vol3 -f Snapshot19.vmem windows.registry.printkey.PrintKey --offset 0xf8a000024010 --key 'ControlSet001\Control\Windows' --recurse
The ShutdownTime value is printed as raw bytes. Registry timestamps of this kind are Windows FILETIME values: a 64-bit count of 100-nanosecond intervals since 1 January 1601 UTC, stored little-endian. To convert it:
– reverse the byte order (the dump shows little-endian bytes; we want the big-endian hex string)
– convert the hex string to an integer
– divide by 10000000 to turn 100 ns ticks into seconds
– subtract 11644473600, the number of seconds between 1 January 1601 and 1 January 1970 (the Unix epoch)
– render the Unix timestamp in human-readable form
echo 'd2 e3 50 a2 a2 dc d6 01' | sed 's/ //g' | tac -rs .. | echo "$(tr -d '\n')"
#returns 01d6dca2a250e3d2 (byte order reversed)
echo $((16#01d6dca2a250e3d2))
#returns 132535830120031186
date -u -d @$(((132535830120031186/10000000)-11644473600))
#returns Sun 27 Dec 2020 10:50:12 PM UTC (-u forces UTC; without it date prints local time, and the integer division drops the sub-second ticks)
Answer: 2020-12-27 22:50:12
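The same conversion as an added Python example (mine, not from the room or from Volatility), generalised a little: it parses the byte dump exactly as Volatility prints it, keeps sub-second precision by avoiding floating point, and converts back from a datetime to FILETIME, which is handy when you want to filter other registry or MFT timestamps around the shutdown. The input bytes are the ShutdownTime value from the dump above.

```python
from datetime import datetime, timedelta, timezone

# FILETIME epoch and the 1601 -> 1970 offset used in the shell one-liner above.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_DELTA_SECONDS = 11644473600        # seconds from 1601-01-01 to 1970-01-01
TICKS_PER_SECOND = 10_000_000            # FILETIME ticks are 100 ns


def filetime_from_registry_bytes(hex_bytes: str) -> int:
    """Parse the little-endian byte dump Volatility prints, e.g. 'd2 e3 50 a2 a2 dc d6 01'."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes of FILETIME, got {len(raw)}")
    return int.from_bytes(raw, "little")   # reversing the byte order happens here


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert 100 ns ticks since 1601 to an aware UTC datetime; integer maths, no float loss."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def filetime_to_unix(filetime: int) -> int:
    """Whole seconds since the Unix epoch: the same arithmetic as the shell snippet."""
    return filetime // TICKS_PER_SECOND - EPOCH_DELTA_SECONDS


def datetime_to_filetime(dt: datetime) -> int:
    """Reverse direction, for building a time window from a known date."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


if __name__ == "__main__":
    ft = filetime_from_registry_bytes("d2 e3 50 a2 a2 dc d6 01")   # ShutdownTime from the dump
    print(hex(ft), ft, filetime_to_unix(ft))
    print(filetime_to_datetime(ft).isoformat())
```

Note that the round trip loses the ticks below one microsecond (Python's datetime cannot carry them), which is why the last assertion below compares against the value rounded down to a multiple of ten.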
2. What did John write?
We have two options: dump the process memory with Volatility 3 and search it, or use the cmdscan plugin in Volatility 2. cmdscan is the faster route.
First, we need to figure out the correct profile:
vol.py -f Snapshot19.vmem imageinfo
Generally the first suggested profile is the best match; here that is Win7SP1x64.
vol.py -f Snapshot19.vmem --profile=Win7SP1x64 cmdscan
Command 1 contains the flag – ‘echo THM{You_found_me} > test.txt’.
Answer: You_found_me
Task 4: TrueCrypt
1. What is the TrueCrypt passphrase?
Volatility 2 has plugins for TrueCrypt. Since all three memory dumps come from the same machine, we can reuse the profile from the other tasks, Win7SP1x64.
vol.py -f Snapshot14.vmem --profile=Win7SP1x64 truecryptpassphrase
The plugin finds a single cached passphrase: forgetmenot.
Answer: forgetmenot
TLDR
– This is a classic memory forensics CTF-style challenge.
– Both volatility3 and volatility2 are useful to solve the challenge.