Root-me.org

Command & Control - level 5

Memory Analysis

We have the same memory dump as level 2. This time we need to find John's password. Volatility has a plugin for that called hashdump, which extracts the local account hashes from the SAM hive found in memory.

We found the profile from the dump using imageinfo.

python ./vol.py --profile=Win7SP1x86_23418 hashdump -f ~/CTF/rootme/forensic/ch2/ch2.dmp
Volatility Foundation Volatility Framework 2.6

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John Doe:1000:aad3b435b51404eeaad3b435b51404ee:b9f917853e3dbf6e6831ecce60725930:::

Each line is user:RID:LM hash:NT hash. The hashes are NTLM hashes; we'll use an online database that has already cracked a lot of NTLM password hashes.
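As an added example (not part of the writeup, and not Volatility's own code), here is a small Python audit of the hashdump output above: it parses the user:RID:LM:NT lines, flags accounts whose LM or NT field is the well-known hash of an empty password, and checks the NT hashes against a short constructed list of weak passwords by computing MD4 over the UTF-16LE password, which is how an NT hash is built. The MD4 is a pure-Python RFC 1320 implementation because hashlib's md4 is often unavailable; the names parse_hashdump, audit, nt_hash and the weak-password list are assumptions of this example.

```python
import struct

# Hashdump output copied from the writeup (sample input for this example).
HASHDUMP_OUTPUT = """\
Volatility Foundation Volatility Framework 2.6

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John Doe:1000:aad3b435b51404eeaad3b435b51404ee:b9f917853e3dbf6e6831ecce60725930:::
"""

# Constructed list of weak passwords for the audit (assumption of this example).
WEAK_PASSWORDS = ["password", "Password1", "123456", "welcome1"]

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash (MD4 of "") of an empty password

_MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), little-endian words, 3 rounds of 16 steps."""
    def rotl(v, s):
        return ((v << s) | (v >> (32 - s))) & _MASK

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + w[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + w[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = rotl((a + h(b, c, d) + w[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password, as lowercase hex."""
    return _md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str) -> list:
    """Parse hashdump lines of the form user:RID:LM:NT:::; other lines are skipped."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if line.count(":") < 3:
            continue
        user, rid, lm, nt = line.split(":")[:4]
        accounts.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return accounts


def audit(accounts: list, weak_passwords: list) -> dict:
    """Report empty passwords, stored LM hashes and NT hashes matching the weak list."""
    lookup = {nt_hash(p): p for p in weak_passwords}
    findings = {}
    for acct in accounts:
        if acct["nt"] == EMPTY_NT:
            verdict = "empty password"
        elif acct["nt"] in lookup:
            verdict = "weak password: " + lookup[acct["nt"]]
        else:
            verdict = "not in weak list"
        if acct["lm"] != EMPTY_LM:
            verdict += " (LM hash stored)"
        findings[acct["user"]] = verdict
    return findings


if __name__ == "__main__":
    for user, verdict in audit(parse_hashdump(HASHDUMP_OUTPUT), WEAK_PASSWORDS).items():
        print(f"{user}: {verdict}")
```

Run as-is, the audit reports Administrator and Guest as having empty passwords (their NT field is the MD4 of the empty string), and John Doe as not matching the constructed list; a real audit would feed it the organisation's banned-password list instead of the four sample words.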

We’ll use the following website : https://hashkiller.co.uk/ntlm-decrypter.aspx

The hash is b9f917853e3dbf6e6831ecce60725930.

The website reveals the password: passw0rd.