[HackingWeek 2015] [Forensic 3] Write Up

Introduction

The supplied memory image was captured on a compromised machine; analyze it to answer the questions (the same image is used for the four forensic tests, so there is no need to download it several times).

Find the password for the admin user that is located somewhere in memory.

dump.gz (md5sum:1273931ce359f59bce95ce4507e1f4bf)

Resolution

We already know the memory image is a 32-bit Windows 7 SP1 image, so we use the hashdump command.

$ python vol.py -f dump --profile=Win7SP1x86 hashdump
Volatility Foundation Volatility Framework 2.4
Administrateur:500:aad3b435b51404eeaad3b435b51404ee:435228fd2314409c6d603308004328c3:::
Traceback (most recent call last):
  File "vol.py", line 192, in
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 127, in execute
    func(outfd, data)
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/registry/lsadump.py", line 114, in render_text
    for d in data:
  File "/usr/lib/python2.7/dist-packages/volatility/win32/hashdump.py", line 328, in dump_hashes
    lmhash.encode('hex'), nthash.encode('hex'))
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in position 5: ordinal not in range(128)
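One thing the Administrateur line already tells you before any cracking starts: its LM field is the well-known hash of the empty string, which hashdump prints when no LM hash is stored at all, so only the NT hash is usable. The parser below is an added example, not code from the write-up or from Volatility: it splits pwdump-style lines into fields, accepts raw bytes so non-ASCII account names (the u'\xe9' that tripped Volatility 2 above) are decoded explicitly, and flags the sentinel hashes. The Administrateur line is the one from the output above; the other two accounts and their hashes are constructed.

```python
# Added example (not code from the original write-up): parse the pwdump-style
# lines that Volatility's hashdump prints and flag the well-known sentinel
# hashes, so the analyst knows which hashes are worth working on at all.
from dataclasses import dataclass
from typing import List, Union

# Hashes of the empty string. hashdump prints EMPTY_LM when the account has
# no LM hash stored (LM hashing is off by default since Windows Vista).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX = set("0123456789abcdef")


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str


def parse_pwdump_line(line: Union[str, bytes]) -> Account:
    """Parse `user:rid:lmhash:nthash:::` (trailing fields are ignored).
    Bytes are decoded as UTF-8 explicitly instead of relying on the
    default codec, which is what raised UnicodeEncodeError in Volatility 2."""
    if isinstance(line, bytes):
        line = line.decode("utf-8", errors="replace")
    parts = line.rstrip("\r\n").split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        raise ValueError(f"not a pwdump line: {line!r}")
    lm, nt = parts[2].lower(), parts[3].lower()
    for h in (lm, nt):
        if len(h) != 32 or not set(h) <= HEX:
            raise ValueError(f"malformed hash in: {line!r}")
    return Account(parts[0], int(parts[1]), lm, nt)


def triage(lines: List[Union[str, bytes]]) -> List[str]:
    """One note per finding: accounts with an empty password, and accounts
    that still store an LM hash (the weak, case-insensitive 7+7 format)."""
    notes = []
    for line in lines:
        if not line.strip():
            continue
        a = parse_pwdump_line(line)
        if a.nt == EMPTY_NT:
            notes.append(f"{a.user} (RID {a.rid}): empty password")
        if a.lm != EMPTY_LM:
            notes.append(f"{a.user} (RID {a.rid}): LM hash present")
    return notes


# Sample input: the Administrateur line from the hashdump output above, plus
# two constructed accounts (names and hash values are placeholders).
SAMPLE = [
    "Administrateur:500:aad3b435b51404eeaad3b435b51404ee:435228fd2314409c6d603308004328c3:::",
    "Invité:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    b"legacy:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::",
]

if __name__ == "__main__":
    for note in triage(SAMPLE):
        print(note)
```

Run it as-is to see the two constructed findings; the Administrateur line produces none, because an empty LM field plus a real NT hash is the normal state for a Windows 7 account.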

We loaded it into ophcrack with some rainbow tables, but it was taking soooooo long.
So in the meantime I decided to try Forensic 4, and I found something interesting while playing with the strings of the dump file.

$ strings dump

.#####.   mimikatz 2.0 alpha (x86) release "Kiwi en C" (Jan 22 2015 22:15:55)
'## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
mimikatz(commandline) # sekurlsa::logonPaswords full
mimikatz(commandline) # exit

mimikatz is a “little tool to play with Windows security”, as its author describes it.
It’s mainly used in post-exploitation and, as we can see, a command line was run with “sekurlsa::logonPaswords full”.
As the documentation says, the first line of each result block is an “Authentication Id”, so I searched for that string.
There were two users, Adm1nistrateur and adm1n; I tried both passwords but will only show the interesting one:

Authentication Id : 0 ; 569739 (00000000:0008b18b)
Session           : Interactive from 2
User Name         : adm1n
D ma n            : UNDERGR0UND
SID               : S-1-5-21-1360291914-2567885547-899983604-1103
msv :
[00000003] Primary
* U er ame : adm1n
* D ma n   : UNDERGR0UND
* LM       : d3fd3f4266ceecbaf7e62f36f8db5ae6
* NTLM     : 9023c15e510eac78060b5fd7ca69baca
* SHA1     : c3e849f0ffcabdddfbe135ffa9b035ad758df9d8
tspkg :
* U er ame : adm1n
* D ma n   : UNDERGR0UND
* P ss ord : cV[5g@2I
wdigest :
* U er ame : adm1n
wdigest :
* U er ame : adm1n
* D ma n   : UNDERGR0UND
* P ss ord : cV[5g@2I
kerberos :
* U er ame : adm1n
* D ma n   : UNDERGR0UND.FR
* P ss ord : cV[5g@2I
ssp :
credman :

Flag is “cV[5g@2I”.
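The `strings` search above works here because the mimikatz console output sits in memory as plain ASCII; on Windows a lot of text is stored as UTF-16LE instead, which the default `strings` run does not report (`strings -el` does). The scanner below is an added example, not code from the write-up or from the mimikatz project: it searches a raw image for the indicators seen above in both encodings, then carves each “Authentication Id” block into one record per logon session, keeping the first value mimikatz prints for a field since it repeats them for every provider (msv, tspkg, wdigest, kerberos). The sample image, account name, domain, SID and password in it are constructed placeholders, not values from the challenge; field labels damaged in memory, like the “U er ame” in the dump above, are deliberately not matched and still need a manual look.

```python
# Added example (not code from the original write-up): scan a raw memory
# image for the mimikatz indicators the write-up found with `strings`, in
# both ASCII and UTF-16LE, and carve the "Authentication Id" blocks that
# follow into one record per logon session. All sample data is constructed.
import re
import sys
from typing import Dict, List, Tuple

# GNU strings reports ASCII only by default (`strings -el` adds UTF-16LE);
# Windows keeps most text as UTF-16LE, so each indicator is searched in both.
INDICATORS = ["mimikatz", "sekurlsa::", "gentilkiwi.com", "Authentication Id"]

# Labels as mimikatz prints them: "User Name" in the session header,
# "* Username" / "* Domain" / "* Password" under each provider.
FIELD_RE = re.compile(
    r"^\s*\*?\s*(User ?Name|Username|Domain|Password|NTLM|SID)\s*:\s*(.*?)\s*$",
    re.M)


def _patterns(text: str) -> List[Tuple[bytes, str]]:
    return [(text.encode("ascii"), "ascii"), (text.encode("utf-16-le"), "utf-16le")]


def find_indicators(image: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, indicator) for every hit, sorted by offset."""
    hits = []
    for ind in INDICATORS:
        for pat, enc in _patterns(ind):
            hits.extend((m.start(), enc, ind) for m in re.finditer(re.escape(pat), image))
    return sorted(hits)


def _decode(image: bytes, start: int, end: int, enc: str) -> str:
    chunk = image[start:end]
    if enc == "utf-16le":
        chunk = chunk[: len(chunk) - len(chunk) % 2]  # drop a dangling half code unit
        return chunk.decode("utf-16-le", errors="ignore")
    return chunk.decode("latin-1")  # 1:1 byte mapping, never raises


def carve_logon_records(image: bytes, max_span: int = 4096) -> List[Dict[str, str]]:
    """One dict per "Authentication Id" block. A block ends at the next block
    header or after max_span bytes; the first value seen for a field wins."""
    heads = [h for h in find_indicators(image) if h[2] == "Authentication Id"]
    records = []
    for i, (off, enc, _) in enumerate(heads):
        end = heads[i + 1][0] if i + 1 < len(heads) else min(len(image), off + max_span)
        text = _decode(image, off, end, enc)
        rec = {"offset": hex(off), "encoding": enc}
        m = re.match(r"Authentication Id\s*:\s*([^\r\n]*)", text)
        if m:
            rec["auth_id"] = m.group(1).strip()
        for f in FIELD_RE.finditer(text):
            rec.setdefault(f.group(1).lower().replace(" ", "_"), f.group(2))
        records.append(rec)
    return records


# Constructed sample image: zero padding, an ASCII banner like the one the
# write-up found, then one logon block stored as UTF-16LE at an odd offset.
# Account, domain, SID, NTLM and password are placeholders.
_BANNER = (b"  .#####.   mimikatz 2.0 alpha (x86) release\n"
           b"mimikatz(commandline) # sekurlsa::logonPasswords full\n")
_RECORD = ("Authentication Id : 0 ; 123456 (00000000:0001e240)\r\n"
           "Session           : Interactive from 2\r\n"
           "User Name         : example_admin\r\n"
           "Domain            : EXAMPLELAB\r\n"
           "SID               : S-1-5-21-1-2-3-1001\r\n"
           "msv :\r\n [00000003] Primary\r\n"
           " * Username : example_admin\r\n * Domain   : EXAMPLELAB\r\n"
           " * NTLM     : 00000000000000000000000000000000\r\n"
           "wdigest :\r\n * Username : example_admin\r\n"
           " * Domain   : EXAMPLELAB\r\n * Password : Example#Pass1\r\n"
           "kerberos :\r\n * Domain   : EXAMPLELAB.LOCAL\r\n").encode("utf-16-le")
SAMPLE_IMAGE = b"\x00" * 64 + _BANNER + b"\x00" * 33 + _RECORD + b"\xff" * 40

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for off, enc, ind in find_indicators(image):
        print(f"{off:#010x} {enc:8} {ind}")
    for rec in carve_logon_records(image):
        print(rec)
```

Pass a dump path as the first argument to scan a real image; with no argument it runs over the constructed sample. Because each block is decoded starting at its own match offset, UTF-16LE text is recovered correctly even when it does not sit at an even file offset.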
