In this challenge we are given a Memory dump. I checked the memory dump profile with volatility. I got the flag parts in different order, but in this writeup I will do it in chronological order.
I used WinXPSP2x86 profile, then checked the process
tree to find any useful processes.
I noted 2 interesting processes, wordpad.exe and
notepad.exe. Since the objective is to find some base64
strings its worth checking these processes and also clipboard.
Hmm, Nothing in clipboard and notepad seems not useful either. So
Lets jump into wordpad.exe.
PID of the wordpad process is 1632, I run
vol.py -f memories --profile=WinXPSP2x86 memdump --pid=1632 -D .
to dump all data related to wordpad.exe.
Then I run strings on the process dump, I saw a meaningful word while checking strings, so filtered it out with grep and got one base64 string.
flag part 1 :
VUFDVEZ7aDAwMjR5Xw== --> UACTF{h0024y_
Ok, First part done , what about the rest. Well, I checked cmd
history with cmdscan, process arguements with cmdline etc, None had
useful data. Then I thought of dumping Active Directory with
lsadump module.
Umm, The DefaultPassword looks like a base64 string. Well it is part of the flag.
flag part 2 : eTB1XzVjMDIz --> y0u_5c023
Still flag is incomplete, where else to check !?. We have seen
PINBALL.EXE and winmine.exe in pslist. It
seems the user was playing games. There is a screenshot
module in volatility to capture desktop session. Lets try that and see
what active windows are there.
Out of those pictures, the highlighted file had the current Desktop screenshot.
Wow, there is a base64 string.
flag part 3 : ZF81MG0zX1hQfQ --> d_50m3_XP}
Joining all parts we get
flag : UACTF{h0024y_y0u_5c023d_50m3_XP}
This is a USB pcap challenge, we need to decode keystrokes from USB HID packet capture. Its quiet painful :). Well anyway first step is to extract USB HID data.
With
tshark -r keylogger.pcapng -Y 'usbhid.data' -T fields -e usbhid.data > keystrokes.txt
I have extracted USB HID data. Next step is to map characters. I
obtained a usbkeyboard mapping scripting from this post.
This still doesnβt make much sense, Thanks to my boi JoPraveen, he made the result much more readable and manually obtained keystrokes.
strings = "spaeiomYmgLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowcLeftArrow.RightArrowRightArrowRightArrow/5RightArrowRightArrowLeftArrow4BRightArrowRightArrowmLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrownLeftArrowLeftArrowLeftArrowtRightArrowbLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowhttRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowRightArrowALeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowLeftArrowsLeftArrowLeftArrowLeftArrowLeftArrowpRightArrow/RightArrowRightArrowLeftArrowLeftArrowLeftArrow:/EnterUnmLeftArrowLeftArrowLeftArrowdLeftArrowgRightArrowyLeftArrowLeftArrowLeftArrowTfPLeftArrowLeftArrowLeftArrowqEnter"
left = strings.replace('LeftArrow',' π ')
right = left.replace('RightArrow',' π ')
print(right)
# link: https://pastebin.com/5Y4BmAgm
# password: qTfPgdyUnm
'''
spaeiomYmg π π π π π c π . π π π /5 π π π 4B π π m π π π π π π π π π π π π n π π π t π b π π π π π π htt π π π π π π π π π π π π π π π π π π A π π π π π π π π π π π π π π π π s π π π π p π / π π π π π :/EnterUnm π π π d π g π y π π π TfP π π π qEnter
'''Finally we got a pastebin link
https://pastebin.com/5Y4BmAgm and it required password
qTfPgdyUnm.
flag : UACTF{234d_'3m_4nd_w33p}
This challenge gave me headache lol. It wasnβt a hard challenge, but figuring it out was crazy. Anyway we are given with Chrome Login Data which is the saved passwords. They are encrypted with DPAPI. We need mimikatz to extract password.
We have 3 files,
Local State --> Contains Profile Info,
Login Data --> Contains Saved Passwords and
sekurlsa_dpapi.txt --> Contains DPAPI Masterkey.
I followed this post but couldnβt successfully extract the password. On the process I figured it out the 2nd masterkey is the correct one. Anyway still couldnβt recover password.
We havenβt used the Local State file yet. I donβt know
whats the use of it either, because all the blogs I checked so far
didnβt used this file. Anyway I checked the documentation of mimikatz
dpapi::chrome module.
Lol, there is a state arguement. This is why it is
highly recommended to read Docs LOL.
flag : UACTF{th1s_1s_why_y0u_use_a_passw0rd_manager}