Challenge Description
My sister’s computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That's all we remember from the time of the crash.
Solution
Stage 1: Console Output
First get the image info:

Scan the console outputs:

As you can see, there is an encoded string in the console output; decoding it gives us the first flag:

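The writeup does not say which encoding the console string used, so the helper below (added to this writeup, not part of the original) takes the general approach: it pulls every long token out of console-plugin style text, tries base64 and hex on each, and keeps only decodes that contain a `flag{...}` pattern, so unrelated tokens do not drown out the result. The sample console text is constructed; its layout loosely mirrors Volatility 2's `consoles` output, and the encoded token is a placeholder flag, not the lab's real one.

```python
from __future__ import annotations
import base64
import binascii
import re

FLAG_RE = re.compile(rb"flag\{[^}]*\}")
# Tokens of at least 8 chars drawn from the base64/hex alphabet; shorter runs
# are ordinary words and would produce too many meaningless decodes.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{8,}")


def try_decoders(token: str) -> list[tuple[str, bytes]]:
    """Return (encoding, decoded bytes) for each decoder that accepts the token."""
    results = []
    try:  # strict base64: wrong padding or alphabet raises and is skipped
        results.append(("base64", base64.b64decode(token, validate=True)))
    except (binascii.Error, ValueError):
        pass
    if len(token) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", token):
        results.append(("hex", bytes.fromhex(token)))
    return results


def find_flags(console_text: str) -> list[tuple[str, str]]:
    """Scan console text for encoded tokens whose decoding contains flag{...}."""
    found = {}  # (encoding, flag) -> None: keeps first-seen order and dedupes
    for token in TOKEN_RE.findall(console_text):
        for encoding, blob in try_decoders(token):
            for m in FLAG_RE.finditer(blob):
                found[(encoding, m.group().decode("ascii", "replace"))] = None
    return list(found)


# Constructed sample in the spirit of Volatility 2 `consoles` output; the
# base64 token decodes to a placeholder flag, not the lab's real one.
SAMPLE_CONSOLE = """\
ConsoleProcess: conhost.exe Pid: 0000
Cmd #0 at 0x0: echo ZmxhZ3twbGFjZWhvbGRlcn0=
Screen 0x0 X:80 Y:300
Dump:
C:\\Users\\demo>echo ZmxhZ3twbGFjZWhvbGRlcn0=
ZmxhZ3twbGFjZWhvbGRlcn0=
"""

if __name__ == "__main__":
    for encoding, flag in find_flags(SAMPLE_CONSOLE):
        print(f"[{encoding}] {flag}")
```

Feed it the saved text of the `consoles` plugin (or any other plugin output) and it reports each distinct flag once together with the encoding that produced it; adding another decoder is a matter of appending to `try_decoders`.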
Stage 2: MSPaint Memory
For the second stage I extracted the memory pages of the mspaint.exe process:

Then I opened the extracted file in GIMP, which shows the second flag: flag{G00d_Boy_good_girL}
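What GIMP does when it opens a memory dump as raw image data is reinterpret the bytes from some offset as rows of pixels of a chosen width and pixel layout; there is no image header in the dump, so width, offset and format are the analyst's guesses. The helper below, added here and not part of the original writeup, does the same thing in Python and writes a PPM file so a guess can be checked in any viewer without GIMP. The dump bytes it ships with are constructed (13 junk bytes followed by a 16x8 BGRA raster) and stand in for a slice of the real mspaint.exe dump; `raw2ppm.py` is just a suggested name for the script.

```python
import sys


def raw_to_ppm(data: bytes, width: int, bytes_per_pixel: int = 4,
               offset: int = 0, height: int = 0, bgr: bool = True) -> bytes:
    """Reinterpret data[offset:] as `width`-pixel rows of 24- or 32-bit pixels
    and wrap them in a binary PPM (P6) header.

    Windows bitmaps are normally stored BGR(A), so bgr=True swaps the channel
    order to RGB for the viewer; a 4th (alpha) byte per pixel is dropped.
    height=0 means "as many rows as the data allows".
    """
    if bytes_per_pixel not in (3, 4):
        raise ValueError("only 24-bit and 32-bit pixels are handled")
    stride = width * bytes_per_pixel
    region = data[offset:]
    rows_available = len(region) // stride
    if rows_available == 0:
        raise ValueError("not enough data for a single row at this width")
    if height <= 0 or height > rows_available:
        height = rows_available
    region = region[:stride * height]
    out = bytearray()
    for px in range(0, len(region), bytes_per_pixel):
        c0, c1, c2 = region[px], region[px + 1], region[px + 2]
        out += bytes((c2, c1, c0)) if bgr else bytes((c0, c1, c2))
    header = b"P6\n%d %d\n255\n" % (width, height)
    return header + bytes(out)


def write_ppm(path: str, data: bytes, width: int, **kwargs) -> int:
    """Write the PPM for one (width, offset, format) guess; returns bytes written."""
    ppm = raw_to_ppm(data, width, **kwargs)
    with open(path, "wb") as fh:
        fh.write(ppm)
    return len(ppm)


# Constructed stand-in for a slice of the mspaint.exe dump: 13 junk bytes, then
# a 16x8 BGRA raster whose top half is red and bottom half is blue.
_JUNK = b"\x00" * 13
_RED_BGRA = bytes((0x00, 0x00, 0xFF, 0xFF))
_BLUE_BGRA = bytes((0xFF, 0x00, 0x00, 0xFF))
SAMPLE_DUMP = _JUNK + _RED_BGRA * (16 * 4) + _BLUE_BGRA * (16 * 4)

if __name__ == "__main__":
    # Real use (script saved as e.g. raw2ppm.py):
    #   python raw2ppm.py <dump file> <width> [offset] [bytes_per_pixel]
    if len(sys.argv) >= 3:
        with open(sys.argv[1], "rb") as fh:
            dump = fh.read()
        width = int(sys.argv[2])
        off = int(sys.argv[3], 0) if len(sys.argv) > 3 else 0
        bpp = int(sys.argv[4]) if len(sys.argv) > 4 else 4
        n = write_ppm(f"guess_w{width}_o{off}.ppm", dump, width,
                      offset=off, bytes_per_pixel=bpp)
    else:
        n = write_ppm("sample.ppm", SAMPLE_DUMP, 16, offset=13)
    print(f"wrote {n} bytes")
```

On a real dump the useful loop is to sweep widths (screen and canvas widths are the natural first guesses) and offsets until rows line up; a wrong width shows as diagonal shearing, a wrong channel order as inverted colours, and a wrong offset as the image starting mid-row.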
Stage 3: The RAR Archive
For the last stage, I started to investigate what the user did in WinRAR, and it seems the user opened a file called Important.rar:

I used the filescan command to find Important.rar, then dumped it with the dumpfiles command:

When I tried to unrar the archive, I found that it was password protected, but a hint was left:

I used hashdump command for getting Alissa Simpson’s NTLM hash and used it as the password:

And this is the last flag of Lab 1:

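To make the last step concrete: the fourth field of each `user:rid:lmhash:nthash:::` line that hashdump prints is the NT hash, which is MD4 over the UTF-16LE encoding of the password, and that 32-character hex string is what was typed as the archive password. The example below is added to this writeup and is not from the original: it carries a pure-Python MD4 (hashlib's md4 is disabled on many OpenSSL 3 builds), derives the NT hash from a password, and parses hashdump-style output. The hashdump text is constructed and does not reproduce the lab's accounts: `demo_user` has the password `password`, and `Guest` carries the well-known empty-password LM/NT pair.

```python
from __future__ import annotations
import struct

_MASK = 0xFFFFFFFF


def _rol(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(message: bytes) -> bytes:
    """MD4 as specified in RFC 1320, in pure Python."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = message + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(message) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        # Each step updates one register, then the registers rotate roles.
        for i in range(16):  # round 1: words in order 0..15
            a = _rol((a + F(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words in column order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rol((a + G(b, c, d) + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = _rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & _MASK, (B + b) & _MASK, (C + c) & _MASK, (D + d) & _MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT hash as hashdump prints it: MD4 over the UTF-16LE password, lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(output: str) -> dict[str, str]:
    """Map user -> NT hash from `user:rid:lmhash:nthash:::` lines (hashdump format)."""
    creds = {}
    for line in output.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            creds[parts[0]] = parts[3].lower()
    return creds


# Constructed hashdump output; the lab's real accounts are not reproduced here.
SAMPLE_HASHDUMP = """\
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
demo_user:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""

if __name__ == "__main__":
    creds = parse_hashdump(SAMPLE_HASHDUMP)
    for user, nth in creds.items():
        print(f"{user}: {nth}")
    # In this lab the archive password was the user's NT hash string itself,
    # i.e. the value creds["<user>"] holds, passed to unrar's -p switch.
    print("demo_user hash matches nt_hash('password'):",
          creds["demo_user"] == nt_hash("password"))
```

The parser deliberately keys on the field length rather than the column position alone, so a stray header or blank line in captured output is skipped; the `-p` switch of unrar takes the password directly, so the value from `parse_hashdump` can be handed over as-is.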
Key Takeaways
- “Black window” = cmd.exe - always check console outputs
- MSPaint stores pixel data in memory that can be extracted and viewed with image editors
- NTLM hashes from hashdump can serve as passwords for encrypted archives