# stuxnet999 MemLabs writeup [Lab - 1]

![image](https://hackmd.io/_uploads/r1-qrTH4C.png)

Ok, let's download the file. First I noticed this is a raw image file:

![image](https://hackmd.io/_uploads/HJyyIaS4C.png)

I'll use volatility 2.6 for this image. Let's begin with the basic command, `imageinfo`:

![image](https://hackmd.io/_uploads/Hk1NU6rE0.png)

Okay, so we can use the profile *Win7SP1x64* to analyze this image file. Let's see what processes we have here with the command:

```
./volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist
```

![image](https://hackmd.io/_uploads/rk6nUaSEC.png)

Okay, nothing special here. Next I used `consoles` to see if the author/user did anything before her computer crashed.

```
./volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 consoles
```

And I noticed this:

![image](https://hackmd.io/_uploads/rJPVvprE0.png)

A base64 encoded string. Let's decode it with this command (the closing quote has to come before the pipe; with the quote after `-d`, `echo` just prints the literal text and nothing is decoded):

```
echo "ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=" | base64 -d
```

And we've got our first flag:

![image](https://hackmd.io/_uploads/HkY_PaHVR.png)

flag1: **flag{th1s_1s_th3_1st_st4g3!!}**

Ok, let's get to the 2nd flag. I looked at the description once again and noticed this very important clue:

![image](https://hackmd.io/_uploads/HyIkdpBVR.png)

Oh, so she was drawing something when the crash happened. Let's look at the pslist once again.

![image](https://hackmd.io/_uploads/SkN7OpSE0.png)

Here we go, *mspaint.exe*. Let's dump its memory so we can analyze it.

![image](https://hackmd.io/_uploads/HJHtd6B4C.png)

Rename the dump to a `.data` file so we can open it in GIMP as raw image data:

```
gimp 2424.data
```

When I changed the resolution to 3075x1080, I noticed something that looks like text:

![image](https://hackmd.io/_uploads/r136YaB4A.png)

When I changed the width to 3280, the flag appeared:

![image](https://hackmd.io/_uploads/SJo79TrVC.png)

Using mirror image, we've got the 2nd flag:

![image](https://hackmd.io/_uploads/BJ1n5prEC.png)

flag2: **flag{Good_Boy_good_girl_}**

Let's get the final flag!
At first I tried to search for some documents, and I noticed this:

![image](https://hackmd.io/_uploads/rJcBiaHEC.png)

Let's dump it out using these commands:

```
./volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 --dump-dir=extracted dumpfiles -Q 0x000000003fb48bc0
cd extracted
mv file.None.0xfffffa8001034450.dat Important.rar
```

Let's open the rar file to see what we have here:

![image](https://hackmd.io/_uploads/Bkdd2TSNA.png)

Oops, a password-protected flag. Let's use *unrar* to see if there is any archive comment:

```
unrar e Important.rar
```

As I expected, it does have one:

![image](https://hackmd.io/_uploads/HkfxppB40.png)

Let's get the password using the *hashdump* plugin:

```
./volatility -f MemoryDump_Lab1.raw --profile=Win7SP1x64 hashdump
```

![image](https://hackmd.io/_uploads/BkwrTTHNR.png)

Okay, so we've got the NTLM hash. Uppercase it to get the password, and we've got the final flag:

![image](https://hackmd.io/_uploads/Sy6Y66H4A.png)

flag3: **flag{w3ll_3rd_stage_was_easy}**

Final thoughts: the labs were so much fun and interesting, looking forward to receiving your confirmation email response :>