Forensics - Secret Password Stash

Prompt:

I've created the best system for storing all my top-secret information. Hackers can't steal my secrets if I store them in a virtual machine, right? Unfortunately, I accidentally deleted the virtual machine. Oops! Luckily, I saved a memory capture. Can you help me recover my lost passwords?

The flag will be in format - uCTF{flag}

Started off this challenge by downloading the 7z file for the challenge. After unzipping it I was able to see it was a memory dump.

I started off by putting the dump into winDBG and running analyze on it and saw it was a Windows 7 x64 image. This turned out to help a lot because when I moved onto analyze the file in Volatility and ran:

.\volatility_2.6_win64_standalone.exe -f "C:\Users\Grant Smith\Downloads\memory\memory.dmp" imageinfo

I was given Windows 8 and 10 profiles, along with windows server ones, as recommended profiles.

This was incorrect though and I was confused for a little trying to get the pslist but after a looking back I was able to see where I had gone wrong and got the complete process list with the Win7SP0x64 profile:

.\volatility_2.6_win64_standalone.exe -f "C:\Users\Grant Smith\Downloads\memory\memory.dmp" --profile=Win7SP0x64 pslist

Looking through the processes I could see two that stood out to me. pwsafe.exe and notepad.exe

Based on the prompt for the challenge I immediately dug into pwsafe.exe and dumped it:

.\volatility_2.6_win64_standalone.exe -f "C:\Users\Grant Smith\Downloads\memory\memory.dmp" --profile=Win7SP0x64 memdump --dump-dir=.\ -p 2948

From here I found references to the psafe3 file that would contain the password (flag) we are looking for. Great! I went ahead and dumped this file:

.\volatility_2.6_win64_standalone.exe -f "C:\Users\Grant Smith\Downloads\memory\memory.dmp" --profile=Win7SP0x64 filescan | findstr psafe3

.\volatility_2.6_win64_standalone.exe -f "C:\Users\Grant Smith\Downloads\memory\memory.dmp" --profile=Win7SP0x64 dumpfiles -Q 0x000000003e1745d0 --dump-dir .\

Now that we have the file we have to decrypt it. Easy enough with hashcat mode 5200. Unfortunately this password wasn't in rockyou...

Hmm. What can we do from here? Well, I went to sleep.

The following day I took a quick look at this challenge again and within 10 minutes I had solved it. It was so simple I had just stepped over it.

To start I dumped the notepad.exe process and ran some strings on it with grep for anything with the '/admin' in it, along with showing the 10 lines before and after the hit.

After skimming through this I saw something weird. A file that was open and the text in it:

C:\Users\admin\Desktop\note_to_self.txt
thequickbrownfoxjumpedoverthelazydog

Hm. Lets dump this file and make sure that's all that's in it:

C:\Users\Grant Smith\Desktop\volatility_2.6_win64_standalone>.\volatility_2.6_win64_standalone.exe -f "C:\Users\Grant Smith\Downloads\memory\memory.dmp" --profile=Win7SP0x64 filescan | findstr note_to_self
    Volatility Foundation Volatility Framework 2.6
    0x000000003e054f20      2      0 RW-rw- \Device\HarddiskVolume2\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\note_to_self.lnk
    0x000000003fc6c180     16      0 RW-rw- \Device\HarddiskVolume2\Users\admin\Desktop\note_to_self.txt

.\volatility_2.6_win64_standalone.exe -f "C:\Users\Grant Smith\Downloads\memory\memory.dmp" --profile=Win7SP0x64 dumpfiles -Q 0x000000003fc6c180 --dump-dir .\

Now I was able to confirm the contents and I immediately added it to the beginning of a short wordlist I had and saw hashcat had recovered 1/1. Lets goooo!

.\hashcat64.exe -m 5200 "C:\Users\Grant Smith\Desktop\volatility_2.6_win64_standalone\file.None.0xfffffa8002c10ac0.dat" "C:\Users\Grant Smith\Desktop\tmp.txt" --force

With the known working password I now downloaded the 'password safe' tool and decrypted the psafe3 file and got the flag!

uCTF{...pa$$word}