Rootme Command and control level 5
Root-me.org
Command & Control - level 5
Memory Analysis
We have the same memory dump as level 2. This time we need to find John's password. Volatility has a plugin for that called hashdump.
We found the profile from the dump using imageinfo.
python ./vol.py --profile=Win7SP1x86_23418 hashdump -f ~/CTF/rootme/forensic/ch2/ch2.dmp
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John Doe:1000:aad3b435b51404eeaad3b435b51404ee:b9f917853e3dbf6e6831ecce60725930:::
The hashes are in NTLM (each line is user:RID:LM hash:NT hash); we'll use an online database that has already cracked a lot of NTLM password hashes.
We'll use the following website: https://hashkiller.co.uk/ntlm-decrypter.aspx
The hash is b9f917853e3dbf6e6831ecce60725930.
The website reveals the password: passw0rd.