
# Forensics - Secret Password Stash

### Prompt:

{% code overflow="wrap" %}

```
I've created the best system for storing all my top-secret information. Hackers can't steal my secrets if I store them in a virtual machine, right? Unfortunately, I accidentally deleted the virtual machine. Oops! Luckily, I saved a memory capture. Can you help me recover my lost passwords?

The flag will be in format - uCTF{flag}
```

{% endcode %}

***

I started this challenge by downloading the 7z file for it. After unzipping it I could see it was a memory dump.

I began by loading the dump into WinDbg and running analyze on it, which showed it was a Windows 7 x64 image. This turned out to help a lot, because when I moved on to analyzing the file in Volatility and ran:

{% code overflow="wrap" %}

```
.\volatility_2.6_win64_standalone.exe -f "C:\Users\Grant Smith\Downloads\memory\memory.dmp" imageinfo
```

{% endcode %}

I was given Windows 8 and 10 profiles, along with Windows Server ones, as suggested profiles.

This was incorrect, though, and I was confused for a little while trying to get the pslist, but after looking back I saw where I had gone wrong and got the complete process list with the Win7SP0x64 profile:

{% code overflow="wrap" %}

```
.\volatility_2.6_win64_standalone.exe -f "C:\Users\Grant Smith\Downloads\memory\memory.dmp" --profile=Win7SP0x64 pslist
```

{% endcode %}

Looking through the processes, two stood out to me: pwsafe.exe and notepad.exe.

Based on the prompt for the challenge I immediately dug into pwsafe.exe and dumped it:

{% code overflow="wrap" %}

```
.\volatility_2.6_win64_standalone.exe -f "C:\Users\Grant Smith\Downloads\memory\memory.dmp" --profile=Win7SP0x64 memdump --dump-dir=.\ -p 2948
```

{% endcode %}

From here I found references to the psafe3 file that would contain the password (flag) we are looking for. Great! I went ahead and located and dumped this file:

{% code overflow="wrap" %}

```
.\volatility_2.6_win64_standalone.exe -f "C:\Users\Grant Smith\Downloads\memory\memory.dmp" --profile=Win7SP0x64 filescan | findstr psafe3
```

{% endcode %}

{% code overflow="wrap" %}

```
.\volatility_2.6_win64_standalone.exe -f "C:\Users\Grant Smith\Downloads\memory\memory.dmp" --profile=Win7SP0x64 dumpfiles -Q 0x000000003e1745d0 --dump-dir .\
```

{% endcode %}

Now that we have the file we have to decrypt it. Easy enough with hashcat mode 5200. Unfortunately this password wasn't in rockyou...

Hmm. What can we do from here? Well, I went to sleep.

The following day I took a quick look at this challenge again and within 10 minutes I had solved it. It was so simple I had just stepped over it.

To start, I dumped the notepad.exe process and ran strings on it, grepping for anything containing '/admin' and showing the 10 lines before and after each hit.

After skimming through this I saw something weird: a file that was open, and the text in it:

```
C:\Users\admin\Desktop\note_to_self.txt
thequickbrownfoxjumpedoverthelazydog
```

Hm. Let's dump this file and make sure that's all that's in it:

{% code overflow="wrap" %}

```
C:\Users\Grant Smith\Desktop\volatility_2.6_win64_standalone>.\volatility_2.6_win64_standalone.exe -f "C:\Users\Grant Smith\Downloads\memory\memory.dmp" --profile=Win7SP0x64 filescan | findstr note_to_self
Volatility Foundation Volatility Framework 2.6
0x000000003e054f20      2      0 RW-rw- \Device\HarddiskVolume2\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\note_to_self.lnk
0x000000003fc6c180     16      0 RW-rw- \Device\HarddiskVolume2\Users\admin\Desktop\note_to_self.txt
```

{% endcode %}

{% code overflow="wrap" %}

```
.\volatility_2.6_win64_standalone.exe -f "C:\Users\Grant Smith\Downloads\memory\memory.dmp" --profile=Win7SP0x64 dumpfiles -Q 0x000000003fc6c180 --dump-dir .\
```

{% endcode %}

Now I was able to confirm the contents, and I immediately added it to the beginning of a short wordlist I had and saw hashcat had recovered 1/1. Let's goooo!

```
.\hashcat64.exe -m 5200 "C:\Users\Grant Smith\Desktop\volatility_2.6_win64_standalone\file.None.0xfffffa8002c10ac0.dat" "C:\Users\Grant Smith\Desktop\tmp.txt" --force
```
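What hashcat mode 5200 actually checks is the Password Safe v3 header: the master password is concatenated with the 32-byte salt, hashed with SHA-256, re-hashed ITER times, and the SHA-256 of that stretched key must equal the stored H(P'). The script below is an added example (not from the original writeup, not the challenge's file): it builds a constructed header with a known master password and verifies candidates against it, so you can confirm a recovered password or check a database header before reaching for a cracker.

```python
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional

PWS3_MAGIC = b"PWS3"
HEADER_LEN = 72  # TAG(4) | SALT(32) | ITER(4) | H(P')(32); real files continue with B1-B4 and IV


def stretch_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Password Safe v3 key stretching: X0 = SHA256(pw || salt), Xi = SHA256(X(i-1))."""
    x = hashlib.sha256(password + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x


def parse_pws3_header(data: bytes) -> dict:
    """Pull salt, iteration count and stored H(P') out of the fixed-size header."""
    if len(data) < HEADER_LEN or data[:4] != PWS3_MAGIC:
        raise ValueError("not a Password Safe v3 (PWS3) file")
    (iterations,) = struct.unpack("<I", data[36:40])  # little-endian uint32
    return {"salt": data[4:36], "iterations": iterations, "hp": data[40:72]}


def check_master_password(data: bytes, candidate: str) -> bool:
    """True if SHA256(stretched candidate) matches the header's H(P')."""
    hdr = parse_pws3_header(data)
    p_prime = stretch_key(candidate.encode("utf-8"), hdr["salt"], hdr["iterations"])
    return hmac.compare_digest(hashlib.sha256(p_prime).digest(), hdr["hp"])


def find_master_password(data: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry that verifies, or None (same check mode 5200 runs)."""
    for candidate in wordlist:
        if check_master_password(data, candidate):
            return candidate
    return None


def build_test_header(password: str, iterations: int = 2048, salt: Optional[bytes] = None) -> bytes:
    """Constructed sample header for testing; it is NOT the challenge's psafe3 file."""
    salt = salt if salt is not None else os.urandom(32)
    p_prime = stretch_key(password.encode("utf-8"), salt, iterations)
    return PWS3_MAGIC + salt + struct.pack("<I", iterations) + hashlib.sha256(p_prime).digest()


if __name__ == "__main__":
    header = build_test_header("thequickbrownfoxjumpedoverthelazydog")
    print(find_master_password(header, ["123456", "password", "thequickbrownfoxjumpedoverthelazydog"]))
```

To check a real database, read its first 72 bytes (`open(path, "rb").read(72)`) and pass them to `check_master_password`; the rest of the file is never needed for this verification.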

With the known working password I then downloaded the Password Safe tool, decrypted the psafe3 file and got the flag!

```
uCTF{...pa$$word}
```
