MEGO Writeup
Mego is hiding something on his desktop and he always kept the secrets on the cloud
Link:https://hubchallenges.s3.eu-west-1.amazonaws.com/Forensics/memdump123456789.mem.tar.gz
First, I ran strings over the memory dump and filtered the output to lines containing the word "flag", using
the command:
The interesting hit in the output was a single path:
C:\Users\admin\Downloads\flag.txt.zip
So, we'll need a tool to extract objects from the memory image (the Volatility tool).
https://www.youtube.com/watch?v=HKRZohqJEMM
Follow the steps to install Volatility (version 3, i.e. the Python 3 version) on Linux-based systems.
Note: the commands and plugin names for Volatility 3 are different from those of Volatility 2.
-----------------------------------------------
Installing Volatility in Kali Linux:
-----------------------------------------------
https://www.volatilityfoundation.org/...
4. Open a terminal and install the dependencies for Volatility using the command below:
5. Navigate into the volatility directory and run the command below to install Volatility:
$ python3 vol.py
From the output we notice that the image belongs to NTBuildLab 7601.17514.amd64fre.win7sp1_rtm,
so it is Windows 7 SP1 (x64).
- Now we know which profile to use (Win7SP1 x64; Volatility 3 resolves the symbol table itself, the profile only
matters for Volatility 2 later) and which file to scan for (the "flag.txt.zip" file). So we scan for it
with the command:
Several entries match, so we choose the one located at C:\Users\admin\Downloads\flag.txt.zip and dump it by
specifying its physical address in the command:
Now we have a file named file.flag.txt.zip.dat. We rename it to have a .zip extension in order to open it...
The archive is password-protected, so we can use any password-cracking tool (fcrackzip, John the Ripper, ...).
To use John the Ripper we need the hash of the file, so we convert the zip file into a text hash file
using the command:
Now we confirm that we have a hash for the file by using the command:
# cat zip_file_name.txt
After that, it's time to crack that hash with John the Ripper (using its default wordlist) with the command:
# john zip_file_name.txt
The default wordlist did not give the password. So, based on the challenge intro (the user always keeps his
secrets on the cloud), we try to check the browser history.
However, Volatility 3 does not support the plugin we need (iehistory), which only exists in Volatility 2...
(I tried hard to find a replacement for the "iehistory" plugin in Volatility 3, but did not succeed,
so we'll use another Linux machine that has Volatility 2 to check the browser history.)
The history contains a base64-encoded string, which we decode:
echo "aHR0cHM6Ly9naXN0LmdpdGh1Yi5jb20vZWd5Y29uZG9yL2VlYTQyZWZkY2M4YWZmZjZlY2E3ODllZmFkMDkyNGY0" | base64 -d
https://gist.github.com/egycondor/eea42efdcc8afff6eca789efad0924f4
I downloaded the new wordlist from that link and used it with John the Ripper to crack the hash file.
When it finished, the cracked password appeared among the results. To make the result (the password) clearer,
and after using it to open the .zip file, I got the flag :)
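As an added example (this is not the challenge's flag.txt.zip, the author's wordlist, or code from the Volatility or John projects), the Python below reproduces what zip2john and john do with a ZipCrypto-protected archive like the one dumped above. The hash zip2john extracts carries the member's 12-byte encryption header, whose last decrypted byte must equal the high byte of the file's CRC-32; a wordlist attack rejects most candidates on that single byte and only fully decrypts the survivors. The archive, FLAG, PASSWORD and WORDLIST are constructed here so it runs offline, and the standard-library zipfile reader is used to confirm the hand-written cipher matches PKWARE's.

```python
"""Dictionary attack on a ZipCrypto (traditional PKWARE) zip member.

Added example with a constructed archive, password and wordlist; it is not the
challenge archive. Shows the check-byte early reject and why survivors still
need full verification (about 1 in 256 wrong passwords pass the check byte).
"""
import io
import os
import struct
import zipfile
import zlib

# Standard reflected CRC-32 table (polynomial 0xEDB88320), used by the key schedule.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCrypto:
    """PKWARE traditional encryption keystream (APPNOTE 6.1), seeded by the password."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = (self.k0 >> 8) ^ _CRC_TABLE[(self.k0 ^ b) & 0xFF]
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def _keystream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)  # the keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def make_encrypted_zip(name: bytes, data: bytes, password: bytes) -> bytes:
    """Build a minimal stored (uncompressed) zip holding one ZipCrypto-encrypted member."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # Encryption header: 11 random bytes plus the check byte (CRC high byte, since the
    # data-descriptor flag is not set). Header and data share one key state.
    zc = ZipCrypto(password)
    body = zc.encrypt(os.urandom(11) + bytes([crc >> 24])) + zc.encrypt(data)
    flags, method, mtime, mdate = 1, 0, 0, ((2023 - 1980) << 9) | (1 << 5) | 1
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, method, mtime, mdate,
                        crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags, method,
                          mtime, mdate, crc, len(body), len(data), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def crack(zip_blob: bytes, wordlist):
    """Reject each candidate on the check byte first (12 bytes of work), then confirm
    survivors by decrypting the whole member and comparing the CRC-32.
    Returns (password or None, candidates that passed the check byte)."""
    (_, _, flags, _, _, _, crc, csize, _, name_len, extra_len) = struct.unpack(
        "<4sHHHHHLLLHH", zip_blob[:30])
    if flags & 0x8:
        raise ValueError("data-descriptor flag set: check byte is the mod-time high byte")
    start = 30 + name_len + extra_len
    enc_header, enc_data = zip_blob[start:start + 12], zip_blob[start + 12:start + csize]
    survivors = []
    for candidate in wordlist:
        zc = ZipCrypto(candidate)
        if zc.decrypt(enc_header)[11] != crc >> 24:
            continue  # roughly 255 of 256 wrong passwords stop here
        survivors.append(candidate)
        if zlib.crc32(zc.decrypt(enc_data)) & 0xFFFFFFFF == crc:
            return candidate, survivors
    return None, survivors


def stdlib_read(zip_blob: bytes, password: bytes):
    """Cross-check against Python's own ZipCrypto reader; None if the password fails."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_blob)) as zf:
            return zf.read(zf.namelist()[0], pwd=password)
    except (RuntimeError, zipfile.BadZipFile):
        return None


# Constructed sample: a fake flag, a password kept "on the cloud", and 3000 decoys
# so the check-byte false positives become visible.
FLAG = b"flag{constructed_example_not_the_real_one}\n"
PASSWORD = b"cloud_secrets_2023"
WORDLIST = [b"password", b"mego", b"desktop"] + [b"decoy%04d" % i for i in range(3000)] + [PASSWORD]
ARCHIVE = make_encrypted_zip(b"flag.txt", FLAG, PASSWORD)


def demo():
    """Crack the sample; returns (password, number of false positives before the hit)."""
    found, survivors = crack(ARCHIVE, WORDLIST)
    return found, len(survivors) - 1
```

The false-positive count from demo() is why john (and this script) cannot stop at the check byte: with 3000 wrong candidates you should see about a dozen pass it, and only the CRC over the fully decrypted member settles the answer. This covers traditional ZipCrypto only; archives using WinZip AES are a different format that zip2john reports separately.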
M.A.J
ICT Specialist