We are provided with a Windows 7 memory dump. Let’s begin our initial analysis.
Initial Analysis
Let’s check which processes are running.
$ volatility -f MemoryDump_Lab2.raw --profile=Win7SP1x64 pslist
As we can see, chrome and keepass are among the running processes, so let’s check what’s in them.
Flag 1
Let us check the environment variables, using the envars plugin.
$ volatility --plugin=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab2.raw --profile=Win7SP1x64 envars
As we can see, one of the values is a base64 string, which we can decode. Decoding it gives the first flag: flag{w3lc0m3_T0_$T4g3_!_Of_L4B_2}
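Rather than eyeballing the envars output for a base64-looking value, the triage below parses it and decodes any value that is valid base64 of printable text. This is an added example, not part of the original write-up: the envars lines are constructed (the variable name NEXT_FLAG, the PIDs, the paths and the encoded value are all made up), and the real flag from the dump is not reproduced.

```python
import base64
import binascii
import re
import string

# Constructed sample of `volatility ... envars` output (not the real dump's output).
# Columns: Pid Process Block Variable Value. The base64 value is built here so it
# decodes cleanly; the variable name and its content are assumptions for the demo.
SAMPLE_SECRET = base64.b64encode(b"flag{constructed_sample_for_demo}").decode()
SAMPLE_ENVARS = f"""\
Pid      Process              Block              Variable                       Value
-------- -------------------- ------------------ ------------------------------ -----
     344 smss.exe             0x0000000000291320 Path                           C:\\Windows\\System32
    1972 explorer.exe         0x0000000000331320 TEMP                           C:\\Users\\Alpha\\AppData\\Local\\Temp
    1972 explorer.exe         0x0000000000331320 NEXT_FLAG                      {SAMPLE_SECRET}
    2108 chrome.exe           0x0000000000471320 ProgramFiles                   C:\\Program Files
"""

# Base64 alphabet only, at least 16 chars, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def parse_envars(text):
    """Return (pid, process, variable, value) tuples from envars plugin output."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 4)          # value may itself contain spaces
        if len(parts) < 5 or not parts[0].isdigit():
            continue                          # header / separator lines
        pid, proc, _block, var, value = parts
        rows.append((int(pid), proc, var, value.strip()))
    return rows


def decode_if_base64(value):
    """Return the decoded text if `value` is base64 of printable ASCII, else None."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None                           # binary blob, not a readable string
    return text if all(c in string.printable for c in text) else None


def find_base64_envars(text):
    """Return (pid, process, variable, decoded) for every base64-encoded value."""
    hits = []
    for pid, proc, var, value in parse_envars(text):
        decoded = decode_if_base64(value)
        if decoded is not None:
            hits.append((pid, proc, var, decoded))
    return hits


if __name__ == "__main__":
    for pid, proc, var, decoded in find_base64_envars(SAMPLE_ENVARS):
        print(f"{pid} {proc} {var} -> {decoded}")
```

On a real dump, pipe the plugin output into this script instead of using the constructed sample; the printable-ASCII check keeps ordinary path values and binary blobs out of the hit list.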
Flag 2
As KeePass is running, let us see what’s in it.
KeePass stores passwords in a .kdbx password database, so let’s find the kdbx file.
$ volatility --plugin=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab2.raw --profile=Win7SP1x64 filescan | grep kdbx
We found the kdbx file, so we can dump it.
$ volatility --plugin=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab2.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fb112a0 -D .
As KeePass stores passwords and they should not be easy to reveal, the database is protected with a master password, and we are prompted for one when opening this file too. So I searched through all the files in the dump for anything related to the password.
$ volatility --plugin=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab2.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fce1c70 -D .
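The filescan-then-dumpfiles loop above is a common pattern, so here it is scripted: parse filescan output, pick files by extension, emit the matching dumpfiles command for each physical offset, and verify that a dumped file really is a KeePass 2.x database by its header magic. This is an added example, not the write-up’s own code; the two offsets are the ones used above, but the file names and paths in the sample output are assumptions and not what the dump contains.

```python
import re
import shlex

# Constructed sample of `volatility ... filescan` output. The physical offsets match the
# ones used in this write-up; the paths and file names are assumptions for the demo.
SAMPLE_FILESCAN = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003fb112a0     16      0 R--rwd \\Device\\HarddiskVolume1\\Users\\Alpha\\Desktop\\Hidden.kdbx
0x000000003fce1c70     16      0 R--r-- \\Device\\HarddiskVolume1\\Users\\Alpha\\Pictures\\Password.png
0x000000003fd4a070      2      0 R--r-d \\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll
"""

# Offset(P) #Ptr #Hnd Access Name
FILESCAN_RE = re.compile(r"^(0x[0-9a-fA-F]{16})\s+\d+\s+\d+\s+(\S+)\s+(.+)$")

# KeePass 2.x .kdbx starts with the two 32-bit signatures 0x9AA2D903, 0xB54BFB67 (little-endian).
KDBX_SIG = b"\x03\xd9\xa2\x9a\x67\xfb\x4b\xb5"


def parse_filescan(text):
    """Return (physical_offset, access, name) tuples from filescan output."""
    entries = []
    for line in text.splitlines():
        m = FILESCAN_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return entries


def find_by_extension(text, exts):
    """Filter filescan entries whose name ends with one of `exts` (case-insensitive)."""
    exts = tuple(e.lower() for e in exts)
    return [e for e in parse_filescan(text) if e[2].lower().endswith(exts)]


def dumpfiles_cmd(offset, image="MemoryDump_Lab2.raw", profile="Win7SP1x64", outdir="."):
    """Build the dumpfiles command for one physical offset, zero-padded like filescan prints it."""
    return (f"volatility -f {shlex.quote(image)} --profile={profile} "
            f"dumpfiles -Q {offset:#018x} -D {shlex.quote(outdir)}")


def is_kdbx(data):
    """True if the dumped bytes carry the KeePass 2.x header magic."""
    return data[:8] == KDBX_SIG


if __name__ == "__main__":
    for offset, _access, name in find_by_extension(SAMPLE_FILESCAN, [".kdbx", ".png"]):
        print(f"# {name}")
        print(dumpfiles_cmd(offset))
```

The magic check matters because dumpfiles reconstructs what is still cached in memory; a partially paged-out file can come back truncated or with a different start, and checking the header before trying a master password saves a confusing failure.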
As we can see, the password is at the bottom. After using it to open the KeePass database, I didn’t find anything useful at first. Checking the KeePass Recycle Bin, though, shows an entry with the username “Flag”, and the flag is stored as that record’s password.
Flag: flag{w0w_th1s_1s_Th3_SeC0nD_ST4g3_!!}
Flag 3
As chrome is running, let’s look at the chrome history.
$ volatility --plugin=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab2.raw --profile=Win7SP1x64 chromehistory
As we can see, there is a mega link. Opening the mega link gives us a zip file.
However, the archive is password protected, and brute-forcing the password is not intended at all. So let us run unzip on it and see what we get.
We can see a comment: “Password is SHA1(stage-3-FLAG) from Lab-1. Password is in lowercase”.
Since we have already solved Stage 3 of Lab 1, we use the SHA1 of that flag as the password and get the third flag.
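The archive comment gives the password as a SHA1 digest in lowercase, so the last step is mechanical: hash the Lab 1 flag, feed the hex digest to the archive, and read the result. The snippet below is an added example, not the write-up’s code; the in-memory archive it builds is a constructed, unencrypted stand-in that only carries the same comment, and the Lab 1 flag itself is not reproduced here.

```python
import hashlib
import io
import zipfile


def zip_password_from_flag(flag):
    """SHA1 hex digest of the flag text, lowercase, as the archive comment specifies."""
    return hashlib.sha1(flag.encode("utf-8")).hexdigest().lower()


def read_archive_comment(zip_src):
    """Return the archive-level comment (what `unzip -l` shows at the top)."""
    with zipfile.ZipFile(zip_src) as zf:
        return zf.comment.decode("utf-8", errors="replace")


def extract_with_flag(zip_src, flag, outdir="."):
    """Extract every member using the derived password; return the member names."""
    pwd = zip_password_from_flag(flag).encode("ascii")
    with zipfile.ZipFile(zip_src) as zf:
        try:
            zf.extractall(outdir, pwd=pwd)
        except RuntimeError as exc:           # zipfile raises RuntimeError on a bad password
            raise SystemExit(f"password derived from flag rejected: {exc}")
        return zf.namelist()


def build_sample_zip():
    """Constructed, unencrypted stand-in for the downloaded archive, carrying the same comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag3.txt", "placeholder - not the real flag\n")
        zf.comment = b"Password is SHA1(stage-3-FLAG) from Lab-1. Password is in lowercase"
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_zip()
    print(read_archive_comment(sample))
    # With the real archive: extract_with_flag("archive.zip", "<stage-3 flag from Lab 1>")
    print(zip_password_from_flag("flag{constructed_example}"))
```

Python’s zipfile only understands the legacy ZipCrypto scheme; if the archive was created with AES encryption (WinZip/7-Zip style), extractall raises NotImplementedError and you need 7z or the pyzipper package instead, with the same derived password.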
That’s how you finish MemLabs Lab 2.
If you like my solution, please do share it. I’m available on Twitter: @NihithNihi