Memlabs Lab - 2 Writeup

We are provided with a Windows 7 memory dump. Let’s begin our initial analysis.

Initial Analysis

Let’s check what all processes are running.

$ volatility -f MemoryDump_Lab2.raw --profile=Win7SP1x64 pslist

pslist output
pslist output

As we can see chrome, keepass are active running processes, lets check what’s there in them.

Flag 1

Let us check the environmental variables. We can check it using envars plugin.

$ volatility --plugin=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab2.raw --profile=Win7SP1x64 envars

envars output

As we can see that there is a base64 string, we can decode it. After decoding it we got the first flag: flag{w3lc0m3_T0_$T4g3_!_Of_L4B_2}

Flag 2

As Keepass is running, let us see whats there in it.

Keepass is used to store the passwords in a kdbx password database. So lets find the kdbx file.

$ volatility --plugin=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab2.raw --profile=Win7SP1x64 filescan | grep kdbx

filescan output

We found the kdbx file, so we can dump it.

$ volatility --plugin=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab2.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fb112a0 -D .

dump kdbx

As Keepass is used for storing password and it should not be revealed easy so it will be protected with a Master password. So in this case also we are asked for Master password. So I thought of searching for all files if there is anything we can find something related to password.

$ volatility --plugin=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab2.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fce1c70 -D .

dump password

As we can see the password in the bottom, after using it and opening the Keepass file, I didn’t find anything useful. By checking the Recycle Bin one can see the username: Flag. So after checking the record, we can find the flag stored as password.

Password

Flag: flag{w0w_th1s_1s_Th3_SeC0nD_ST4g3_!!}

Flag 3

As chrome is running, let’s see the history of chrome.

$ volatility --plugin=/home/g4rud4/Downloads/Tools/volatility-plugins -f MemoryDump_Lab2.raw --profile=Win7SP1x64 chromehistory

chrome history

As we can see that there is a mega link. After opening the mega link, we got zip file.
However, the archive is password protected. Also, brute-forcing for the password is not at all intended. So let us use unzip and check what we get.

unzip output

We can see a comment, “Password is SHA1(stage-3-FLAG) from Lab-1. Password is in lowercase“.
As we have solved Stage 3 of Lab - 1. After using it, we got the the 3rd flag.

Flag 3

That’s how you finish this MemLabs, Lab – 2.

If you like my solution, please do share it. I’m availabe on Twitter: @NihithNihi