# Secret 1

### Challenge Author

[v1Ru5](https://twitter.com/SrideviKrishn16)

**Challenge points (Nationals)**: 436 **No. of solves**: 40

**Challenge points (Professionals)**: 477 **No. of solves**: 6

## Challenge Description

![](https://i.imgur.com/kz8ATbN.png)

You can download the challenge from [**Mega**](https://mega.nz/file/gjIlQAzQ#Od9vio3ZZbbLNpYneW0tGvXaPmjtVYt48n93s0FB9QA)

## Writeup

To answer the first question, use the **imageinfo** command. The most appropriate profile for this memory dump is **Win7SP1x64**.

```
$ volatility -f memory.raw imageinfo
```

![](https://i.imgur.com/7I1S8is.png)

To find the LM hash of TroubleMaker's account, use the **hashdump** command.

```
$ volatility -f memory.raw --profile=Win7SP1x64 hashdump
```

![](https://i.imgur.com/M3PwKeV.png)

So, the second part of our answer is **aad3b435b51404eeaad3b435b51404ee**.

To dump a process's executable, use the **procdump** command. In this case, we are asked for the MD5 hash of the cmd.exe process.

```
$ volatility -f memory.raw --profile=Win7SP1x64 procdump -p 1876 -D .
```

![](https://i.imgur.com/KBzg5OA.png)

```
$ md5sum executable.1876.exe
```

![](https://i.imgur.com/Rdgv9vC.png)

Therefore, the MD5 hash of cmd.exe is **c23f73ab92ecaa4adbbdb603dd92cb63**.

Concatenating the 3 answers gives us the final flag.

## Flag

**inctf{Win7SP1x64_aad3b435b51404eeaad3b435b51404ee_c23f73ab92ecaa4adbbdb603dd92cb63}**
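The hashdump step in the writeup prints accounts in pwdump format (`user:rid:lm:nt:::`), and the LM value it reports, `aad3b435b51404eeaad3b435b51404ee`, is the LM hash of an empty string, which Windows records when no LM hash is stored for the account. The following parser is an added example, not part of the original writeup; the sample lines are constructed (the RIDs and TroubleMaker's NT hash are placeholders), and the function names are this example's own.

```python
from typing import Dict, List, NamedTuple

# Hashes of the empty string. EMPTY_LM appears when Windows stores no LM hash
# for the account; EMPTY_NT means the account has a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in pwdump format; not the challenge's real output.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
TroubleMaker:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

class Account(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str

def parse_hashdump(text: str) -> Dict[str, Account]:
    """Parse pwdump-style lines, skipping banners and malformed rows."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[:4]
        if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
            continue
        accounts[user.lower()] = Account(user, int(rid), lm.lower(), nt.lower())
    return accounts

def findings(acct: Account) -> List[str]:
    """Return triage notes for one account based on its stored hashes."""
    notes = []
    if acct.lm != EMPTY_LM:
        notes.append("LM hash stored (weak, crackable format)")
    if acct.nt == EMPTY_NT:
        notes.append("blank password")
    return notes

if __name__ == "__main__":
    for acct in parse_hashdump(SAMPLE).values():
        print(acct.user, acct.lm, findings(acct) or ["no LM hash stored"])
```
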