Access Granted!

~# cat Question

First things first. MogamBro is so dumb that he might be using the same set of passwords everywhere, so let's try cracking his PC's password for some luck.

FILES: artifacts.ad1, memdump.mem, trace.pcap

I started by searching the memory dump. Since we are looking for a password, we can use the windows.hashdump plugin in Vol3 to extract the NTLM hashes and crack MogamBro's password hash.

┌──(tev㉿kali)-[~/AccessGranted]
└─$ python3 vol.py -f ~/Downloads/memdump-001.mem windows.hashdump
Volatility 3 Framework 2.5.2
Progress 100.00                   PDB scanning finished
User     rid    lmhash   nthash

Administrator   500     aad3b435b51404eeaad3b435b51404ee        8a320467c7c22e321c3173e757194bb3
Guest   502     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount  503     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount      504     aad3b435b51404eeaad3b435b51404ee        74d0db3c3f38778476a44ff9ce0aefe2
MogamBro        1000    aad3b435b51404eeaad3b435b51404ee        8a320467c7c22e321c3173e757194bb3

Taking a look at MogamBro's row, we can put its nthash inside a password hash cracker to retrieve the flag.

Flag: BITSCTF{adlofhitlerrulesallthepeople}
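The challenge hinges on password reuse, and the hashdump table already shows it from the defender's side. The following Python script is an added example, not part of the original writeup: it parses the windows.hashdump rows above and reports blank passwords, stored LM hashes and accounts sharing one NT hash. The function names `parse_hashdump` and `audit` are made up for this example.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty string (empty LM slot / no password set).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Rows copied from the windows.hashdump output in this writeup.
SAMPLE = """\
Volatility 3 Framework 2.5.2
User     rid    lmhash   nthash
Administrator   500     aad3b435b51404eeaad3b435b51404ee        8a320467c7c22e321c3173e757194bb3
Guest   502     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount  503     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount      504     aad3b435b51404eeaad3b435b51404ee        74d0db3c3f38778476a44ff9ce0aefe2
MogamBro        1000    aad3b435b51404eeaad3b435b51404ee        8a320467c7c22e321c3173e757194bb3
"""

# user (may contain spaces), RID, 32-hex LM hash, 32-hex NT hash
ROW = re.compile(r"^(.+?)\s+(\d+)\s+([0-9a-f]{32})\s+([0-9a-f]{32})$", re.I)

def parse_hashdump(text):
    """Return (user, rid, lmhash, nthash) tuples; banner/header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            rows.append((user, int(rid), lm.lower(), nt.lower()))
    return rows

def audit(rows):
    """Flag blank passwords, stored LM hashes and NT hashes shared by several accounts."""
    by_nt = defaultdict(list)
    findings = {"blank": [], "lm_stored": [], "reused": {}}
    for user, _rid, lm, nt in rows:
        if nt == EMPTY_NT:
            findings["blank"].append(user)   # no password set (account may be disabled)
        else:
            by_nt[nt].append(user)
        if lm != EMPTY_LM:
            findings["lm_stored"].append(user)  # weak legacy LM hash is present
    # NT hashes are unsalted, so equal hashes mean equal passwords.
    findings["reused"] = {h: u for h, u in by_nt.items() if len(u) > 1}
    return findings

if __name__ == "__main__":
    for kind, value in audit(parse_hashdump(SAMPLE)).items():
        print(kind, value)
```

On this dump the only shared hash belongs to Administrator and MogamBro, so recovering the user's password also exposes the local administrator account.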
