Memory Forensics-TryHackMe

Perform memory forensics to find the flags

0xsanz
3 min read, Apr 5, 2021


Memory Forensics — TryHackMe

This is a quick write-up for the TryHackMe room named Memory Forensics. You can find the room here: https://tryhackme.com/room/memoryforensics

Get Volatility from here: https://github.com/volatilityfoundation/volatility/

[Task 2] Login

What is John’s password?

Download the memory dump for this task and first run the "imageinfo" plugin to identify which profile the image needs:

$ python /opt/tools/volatility/vol.py -f Snapshot6.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/tmp/Snapshot6.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c4a0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c4bd00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-12-27 06:20:05 UTC+0000
Image local date and time : 2020-12-26 22:20:05 -0800

Now let's dump the password hashes with the "hashdump" plugin, using the suggested "Win7SP1x64" profile:

$ python /opt/tools/volatility/vol.py -f Snapshot6.vmem --profile=Win7SP1x64 hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1001:aad3b435b51404eeaad3b435b51404ee:47fbd6536d7868c873d5ea455f2fc0c9:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:91c34c06b7988e216c3bfeb9530cabfb:::

Save the hashdump output to hash.txt and crack John's NT hash with John the Ripper:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=nt hash.txt
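Before handing hashdump output to john it is worth reading it: two of the four entries above are the well-known hash of an empty password, so cracking them is pointless, and the LM column tells you whether weak LM hashes are still being stored on the box. The following Python script is an added example written for this write-up, not part of the TryHackMe room or of Volatility; it parses pwdump-style hashdump lines, flags blank-password accounts and accounts that still store an LM hash, and emits only the lines worth cracking. The sample input is the hashdump output shown above; the two "empty hash" constants are public, well-known values; the function and class names are my own.

```python
"""Triage Volatility hashdump (pwdump-style) output before cracking it."""
import re
from dataclasses import dataclass

# Well-known values (public facts, not specific to this memory image):
# LM hash of the empty string; also what Windows emits when LM storage is disabled.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash (MD4 over the UTF-16LE password) of the empty string, i.e. a blank password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump record: user:RID:LM-hash:NT-hash:::
RECORD_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Sample input: the hashdump lines from the write-up above.
HASHDUMP_OUTPUT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1001:aad3b435b51404eeaad3b435b51404ee:47fbd6536d7868c873d5ea455f2fc0c9:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:91c34c06b7988e216c3bfeb9530cabfb:::
"""


@dataclass
class Account:
    user: str
    rid: int
    lm: str   # lowercase hex
    nt: str   # lowercase hex

    @property
    def blank_password(self) -> bool:
        """True when the NT hash is the hash of "" (no password set)."""
        return self.nt == EMPTY_NT

    @property
    def lm_stored(self) -> bool:
        """True when a real LM hash is present (legacy, trivially crackable storage)."""
        return self.lm != EMPTY_LM

    def pwdump_line(self) -> str:
        return f"{self.user}:{self.rid}:{self.lm}:{self.nt}:::"


def is_pwdump_record(line: str) -> bool:
    return RECORD_RE.match(line.strip()) is not None


def parse_hashdump(text: str) -> list[Account]:
    """Parse hashdump output; skips blank lines and the Volatility banner, rejects garbage."""
    accounts = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("Volatility Foundation"):
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a pwdump record: {line!r}")
        accounts.append(Account(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return accounts


def triage(accounts: list[Account]) -> dict[str, list[str]]:
    """Group account names by what the hashes tell us."""
    return {
        "blank_password": [a.user for a in accounts if a.blank_password],
        "lm_stored": [a.user for a in accounts if a.lm_stored],
        "to_crack": [a.user for a in accounts if not a.blank_password],
    }


def john_input_lines(accounts: list[Account]) -> list[str]:
    """Only the entries with a real NT hash, in the pwdump layout that `john --format=nt` reads."""
    return [a.pwdump_line() for a in accounts if not a.blank_password]


if __name__ == "__main__":
    accts = parse_hashdump(HASHDUMP_OUTPUT)
    for group, names in triage(accts).items():
        print(f"{group:15s} {names}")
    # Write this to hash.txt for the john command shown in the write-up.
    print("\n".join(john_input_lines(accts)))
```

Run against the sample, Administrator and Guest come out as blank-password accounts (so the write-up's target, John, and HomeGroupUser$ are the only ones with something to crack), and the LM column is the empty-LM value for every account, meaning this Windows 7 image is not storing LM hashes; seeing a non-empty LM hash here would itself be a finding worth reporting.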

[Task 3] Analysis

0xsanz

Software developer with a keen interest in Security, Privacy and Pen-testing. Certs: Security+, PenTest+, AZ900, AZ204