I have solved this challenge after the CTF.

Initial Analysis

We are given with a windows 7 memory dump, lets start out initial analysis and check what all processes are running.

$ volatility --plugins=../../Tools/volatility-plugins -f Based.raw --profile=Win7SP1x64 pslist

Process list

We can see that Google Chrome and Command Prompt are active running process. So let us dig more into them and check whats there in them.

Further Analysis

As we know each and every command we entered in command prompt are stored in conhost.exe and we can retrive those commands from volatility’s consoles plugin.

$ volatility --plugins=../../Tools/volatility-plugins -f Based.raw --profile=Win7SP1x64 consoles

consoles

We can see “I cant paste the binary in recyle bin“ which gives us an information that we have to proceed to pastebin for the next step. But we need a random 8 letter character.

On going through some plugins, used mimikatz to get the user password. And found something similar to that random 8 letter character for pastebin.

$ volatility --plugins=../../Tools/volatility-plugins -f Based.raw --profile=Win7SP1x64 mimikatz

mimikatz

So on proceeding to this pastebin link(https://pastebin.com/dVi29Tv8) and we can see a lot of strings of length 37. So it much be some kind of wordlist or something.

Let us check whats there in chrome history.

$ volatility --plugins=../../Tools/volatility-plugins -f Based.raw --profile=Win7SP1x64 chromehistory

chrome history

We can see that there is drive link(https://drive.google.com/file/d/1jYpvi9Va8be022G1SL4xUpEmZoknveTd/view) is present and after opening it we found an keepass database.

For opening these keepass database we need a Master Password or Key file. But we can’t find one in the given memory, so as we know we can crack Keepass passwords with John the ripper and get the password if we have the correct wordlist.

Using the strings found in the pastebin as a wordlist we got the password.

John load hash

John Crack

As I have already loaded the hash and its showed its already cracked. And we can see the cracked hashes also and we got the password as this guz6AP41eXNZN6alCTZQsytzYsDSWrUV45lp and after opening the keepass with that password we can see so many passwords already there in the database. From the username we can see that Pastebin/KEY. And the passwords are also something similar to 8 letter random characters needed for pastebin.

Keypass

After going through them and we can see a long base64 string in all the pastebins and decoding those base64 strings and there are a lot of fake flag and in that one them is flag.

Flag

flag