We are provided with a Windows 7 memory dump. Let’s begin our initial analysis.

## Initial Analysis

Let’s check what all processes are running.

Among the running processes there is a base64-encoded string, so we decode it. Decoding it gives the first flag:

Flag: flag{w3lc0m3_T0_$T4g3_!_Of_L4B_2}

## Flag 2

As KeePass is running, let us see what is stored in it. KeePass keeps passwords in a .kdbx password database, so let's find the kdbx file.

$ volatility --plugin=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab2.raw --profile=Win7SP1x64 filescan | grep kdbx

We found the kdbx file, so we can dump it.

$ volatility --plugin=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab2.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fb112a0 -D .

Since KeePass is used to store passwords, the database is not meant to be readable without a master password, and opening the dumped file indeed prompts for one. So I searched the remaining files for anything related to a password and dumped the interesting one.

$ volatility --plugin=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab2.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fce1c70 -D .
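The two-step routine above (filescan to locate a file object, then dumpfiles -Q with its physical offset) is easy to script when there are many candidate files. The following is an added example, not part of the original write-up or of Volatility itself: it parses Volatility 2 filescan output, selects entries by a name pattern, and builds the matching dumpfiles command. The filescan text embedded below is constructed; only the kdbx offset 0x000000003fb112a0 is taken from the write-up, and the file names and counts are made up.

```python
import re
import shlex

# Constructed sample of Volatility 2 `filescan` output (banner, header and a
# few file objects). Paths and pointer/handle counts are made up; only the
# kdbx offset matches the one used in the write-up.
SAMPLE_FILESCAN = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003fa01070     16      0 R--rwd \\Device\\HarddiskVolume2\\Windows\\System32\\kernel32.dll
0x000000003fb112a0     16      0 R--rwd \\Device\\HarddiskVolume2\\Users\\user\\Desktop\\Hidden.kdbx
0x000000003fce1c70      8      0 R--r-- \\Device\\HarddiskVolume2\\Users\\user\\Pictures\\Password.png
"""

# One filescan data row: physical offset, pointer count, handle count,
# access mask string, then the object name (which may contain spaces).
FILESCAN_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<ptr>\d+)\s+(?P<hnd>\d+)"
    r"\s+(?P<access>\S+)\s+(?P<name>.+?)\s*$"
)


def parse_filescan(text):
    """Return a list of dicts for every data row in filescan output.

    Banner, header and separator lines do not start with 0x and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = FILESCAN_ROW.match(line)
        if not m:
            continue
        entries.append({
            "offset": m.group("offset"),
            "ptr": int(m.group("ptr")),
            "hnd": int(m.group("hnd")),
            "access": m.group("access"),
            "name": m.group("name"),
        })
    return entries


def find_files(entries, pattern):
    """Select entries whose name matches a regex (case-insensitive),
    e.g. r'\\.kdbx$' for KeePass databases."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e for e in entries if rx.search(e["name"])]


def dumpfiles_command(offset, image, profile, outdir=".", plugin_dir=None):
    """Build the `volatility ... dumpfiles -Q <offset> -D <dir>` command line
    for one file object. plugin_dir is optional (the write-up passes one)."""
    cmd = ["volatility"]
    if plugin_dir:
        cmd.append("--plugin=" + plugin_dir)
    cmd += ["-f", image, "--profile=" + profile,
            "dumpfiles", "-Q", offset, "-D", outdir]
    return " ".join(shlex.quote(part) for part in cmd)


if __name__ == "__main__":
    # Example run over the constructed sample: print a dump command for every
    # kdbx database found. In practice feed it the real filescan output.
    entries = parse_filescan(SAMPLE_FILESCAN)
    for e in find_files(entries, r"\.kdbx$"):
        print(e["name"])
        print(dumpfiles_command(e["offset"], "MemoryDump_Lab2.raw", "Win7SP1x64"))
```

Saving the full filescan output once (`filescan > filescan.txt`) and running this parser over it is much faster than re-running filescan for every grep, since filescan walks the whole physical memory each time.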

The password is visible at the bottom of the dumped file. After using it to open the KeePass database, I didn't find anything useful at first. Checking the Recycle Bin reveals an entry with the username Flag; opening that record shows the flag stored as its password.

Flag: flag{w0w_th1s_1s_Th3_SeC0nD_ST4g3_!!}

## Flag 3

As chrome is running, let’s see the history of chrome.

$ volatility --plugin=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab2.raw --profile=Win7SP1x64 chromehistory

The history contains a MEGA link. Opening it gives us a zip file.
However, the archive is password protected, and brute-forcing the password is not intended at all. So let us run unzip on it and see what it reports.

The archive carries a comment: “Password is SHA1(stage-3-FLAG) from Lab-1. Password is in lowercase”.
Since we have already solved Stage 3 of Lab 1, we hash that flag, use the lowercase digest as the password, and get the third flag.
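The password derivation described in the archive comment, as an added example that is not part of the original write-up: compute SHA-1 of the Lab 1 Stage 3 flag as lowercase hex, read the archive comment the way unzip shows it, and attempt extraction with the derived password, distinguishing a rejected password from success. The Lab 1 flag is not on this page, so a placeholder string stands in for it (an assumption), and the sample archive built below is constructed and unencrypted because the standard library cannot write ZipCrypto entries; on the real archive the same try_extract call is what tests the password.

```python
import hashlib
import io
import zipfile


def derive_archive_password(stage3_flag):
    """Password per the archive comment: SHA1(stage-3-FLAG), lowercase hex.

    Assumption: the flag text is hashed exactly as captured (including any
    flag{...} wrapper); hexdigest() already yields lowercase, .lower() only
    makes the stated requirement explicit.
    """
    return hashlib.sha1(stage3_flag.encode("utf-8")).hexdigest().lower()


def archive_comment(zip_bytes):
    """The archive-level comment (what `unzip -z` / the listing footer shows)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.comment.decode("utf-8", "replace")


def try_extract(zip_bytes, password):
    """Read every member with the given password.

    Returns {filename: bytes} on success, or None when zipfile rejects the
    password (it raises RuntimeError for a bad ZipCrypto password).
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        out = {}
        for info in zf.infolist():
            try:
                out[info.filename] = zf.read(info, pwd=password.encode("utf-8"))
            except RuntimeError:
                return None
        return out


def build_sample_archive():
    """Constructed stand-in for the downloaded archive: same comment text,
    one member holding a placeholder flag, no encryption (stdlib limitation)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.comment = (b"Password is SHA1(stage-3-FLAG) from Lab-1. "
                      b"Password is in lowercase")
        zf.writestr("flag3.txt", "flag{placeholder_stage_3_flag_of_lab_2}")
    return buf.getvalue()


if __name__ == "__main__":
    data = build_sample_archive()
    print("comment:", archive_comment(data))
    # Placeholder for the real Lab 1 Stage 3 flag (assumption, not the real value).
    password = derive_archive_password("flag{placeholder_lab1_stage3_flag}")
    print("derived password:", password)
    files = try_extract(data, password)
    print("rejected" if files is None else files)
```

The comment is stored in the end-of-central-directory record, so it is readable without the password, which is exactly why unzip can display it before extraction.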

That’s how you finish MemLabs Lab 2.

If you like my solution, please do share it. I’m available on Twitter: @NihithNihi