Memory Forensics-TryHackMe
Perform memory forensics to find the flags

This is a quick write-up for the TryHackMe room named Memory Forensics. You can find the room here: https://tryhackme.com/room/memoryforensics
Get Volatility from here: https://github.com/volatilityfoundation/volatility/
[Task 2] Login
What is John’s password?
Download the memory dump for this task and first run “imageinfo” to identify the profile:
$ python /opt/tools/volatility/vol.py -f Snapshot6.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/tmp/Snapshot6.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c4a0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c4bd00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-12-27 06:20:05 UTC+0000
Image local date and time : 2020-12-26 22:20:05 -0800
Now let's dump the password hashes with the “hashdump” module, using the first suggested profile, “Win7SP1x64”:
$ python /opt/tools/volatility/vol.py -f Snapshot6.vmem --profile=Win7SP1x64 hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1001:aad3b435b51404eeaad3b435b51404ee:47fbd6536d7868c873d5ea455f2fc0c9:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:91c34c06b7988e216c3bfeb9530cabfb:::
Crack this hash with John the Ripper (hash.txt holds John's line from the hashdump output above; the NT hash is the fourth field):
$ john --wordlist=/usr/share/wordlists/rockyou.txt --format=nt hash.txt
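To show what the hashdump lines actually contain before handing them to John, here is an added Python helper (my own code, not part of the write-up or of Volatility). It reimplements MD4 in pure Python because hashlib's md4 is often unavailable on OpenSSL 3, derives the NT hash (MD4 over UTF-16LE, unsalted) so you can see why 31d6cfe0… is the hash of an empty password, and triages each pwdump-style line into "blank/disabled", "LM present" or "NT only". The four sample lines are the ones shown above; the status strings are my own labels.

```python
import struct
# Constants seen in the hashdump output: empty LM hash (LM storage disabled) and
# the NT hash of an empty password, i.e. MD4 of the empty UTF-16LE string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

def md4(data: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable on OpenSSL 3.
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [(F, 0, range(16), [3, 7, 11, 19]),
              (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], [3, 5, 9, 13]),
              (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15])]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a, b, c, d = d, rotl((a + fn(b, c, d) + X[idx] + k) & M, shifts[i % 4]), b, c
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> str:
    # NT hash = MD4 over UTF-16LE(password); unsalted, so equal passwords give equal hashes.
    return md4(password.encode("utf-16-le")).hex()

def triage_hashdump(text: str) -> list:
    # Parse pwdump-style 'user:rid:lm:nt:::' lines and say which hashes merit a crack attempt.
    rows = []
    for line in text.strip().splitlines():
        user, rid, lm, nt = line.split(":")[:4]
        if nt.lower() == EMPTY_NT:
            status = "blank password or disabled account"
        elif lm.lower() != EMPTY_LM:
            status = "LM hash present (weak, crackable)"
        else:
            status = "NT hash set, LM disabled"
        rows.append({"user": user, "rid": int(rid), "nt": nt.lower(), "status": status})
    return rows

# Constructed sample: the four hashdump lines shown in this write-up.
SAMPLE = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1001:aad3b435b51404eeaad3b435b51404ee:47fbd6536d7868c873d5ea455f2fc0c9:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:91c34c06b7988e216c3bfeb9530cabfb:::"""
```

Running `triage_hashdump(SAMPLE)` shows that only John and HomeGroupUser$ have a real NT hash worth feeding to John the Ripper; Administrator and Guest carry the empty-password hash, which is the usual sign of a disabled built-in account.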

[Task 3] Analysis
First get the “imageinfo” for this dump, just to check whether the profile is the same as before:
$ python /opt/tools/volatility/vol.py -f Snapshot19.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/tmp/Snapshot19.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002bfd0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002bfed00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-12-27 23:06:01 UTC+0000
Image local date and time : 2020-12-28 00:06:01 +0100
When was the machine last shutdown?
Use the “shutdowntime” module to print the machine's ShutdownTime value from the registry:
$ python /opt/tools/volatility/vol.py -f Snapshot19.vmem --profile=Win7SP1x64 shutdowntime
Volatility Foundation Volatility Framework 2.6.1
Registry: SYSTEM
Key Path: ControlSet001\Control\Windows
Key Last updated: 2020-12-27 [REDACTED] UTC+0000
Value Name: ShutdownTime
Value: 2020-12-27 [REDACTED] UTC+0000
What did John write?
Use the “consoles” module to extract the command history by scanning for _CONSOLE_INFORMATION structures:
$ python /opt/tools/volatility/vol.py -f Snapshot19.vmem --profile=Win7SP1x64 consoles
Volatility Foundation Volatility Framework 2.6.1
**************************************************
ConsoleProcess: conhost.exe Pid: 2488
Console: 0xffa66200 CommandHistorySize: 50
HistoryBufferCount: 1 HistoryBufferMax: 4
OriginalTitle: %SystemRoot%\System32\cmd.exe
Title: Administrator: C:\Windows\System32\cmd.exe
AttachedProcess: cmd.exe Pid: 1920 Handle: 0x60
----
CommandHistory: 0x21e9c0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 7 LastAdded: 6 LastDisplayed: 6
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0x1fe3a0: cd /
Cmd #1 at 0x1f78b0: echo THM{REDACTED} > test.txt
Cmd #2 at 0x21dcf0: cls
Cmd #3 at 0x1fe3c0: cd /Users
Cmd #4 at 0x1fe3e0: cd /John
Cmd #5 at 0x21db30: dir
Cmd #6 at 0x1fe400: cd John
----
Screen 0x200f70 X:80 Y:300
Dump:
C:\>cd /Users
C:\Users>cd /John
The system cannot find the path specified.
C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is 1602-421F
Directory of C:\Users
12/27/2020 02:20 AM <DIR> .
12/27/2020 02:20 AM <DIR> ..
12/27/2020 02:21 AM <DIR> John
04/12/2011 08:45 AM <DIR> Public
0 File(s) 0 bytes
4 Dir(s) 54,565,433,344 bytes free
C:\Users>cd John
C:\Users\John>
[Task 4] TrueCrypt
First get the “imageinfo” for this dump, just to check whether the profile is the same as before:
$ python /opt/tools/volatility/vol.py -f Snapshot14.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/tmp/Snapshot14.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c4d0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c4ed00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-12-27 13:41:31 UTC+0000
Image local date and time : 2020-12-27 05:41:31 -0800
What is the TrueCrypt passphrase?
Use the “truecryptpassphrase” module to find the cached TrueCrypt passphrase:
$ python /opt/tools/volatility/vol.py -f Snapshot14.vmem --profile=Win7SP1x64 truecryptpassphrase
Volatility Foundation Volatility Framework 2.6.1
Found at 0xfffff8800512bee4 length 11: [REDACTED]
That’s all for today. Thanks for reading.