Urmia CTF – Secret Password Stash
Author: jakesss

This is my writeup for the UCTF’s Secret Password Stash.

Challenge Description

I’ve created the best system for storing all my top-secret information. Hackers can’t steal my secrets if I store them in a virtual machine, right? Unfortunately, I accidentally deleted the virtual machine. Oops! Luckily, I saved a memory capture. Can you help me recover my lost passwords? The flag will be in format - uCTF{flag}

Summary

In this challenge, a memory dump was analyzed to recover a lost password. Using the Volatility Framework, the password database of the software pwsafe.exe was identified and dumped. Two methods were then used to discover the master password: reading a .txt file and extracting it from the user’s clipboard. With this master password, the database was decrypted with Password Safe to retrieve the flag.

Note that all commands are for Volatility 3, unless otherwise noted.

Discover the Password Database

Let’s start by finding the Windows version:

python3 vol.py -f memory.dmp windows.info

This memory dump uses Windows 6.1 (Windows 7).

Let’s list the processes:

python3 vol.py -f memory.dmp windows.pslist

The first binary that stands out is pwsafe.exe. This is likely the software that is storing the flag. After some research, I deduced that this application uses the .psafe3 file extension to store the password database.

Search for any files with the psafe3 file extension:

python3 vol.py -f memory.dmp -o ../ windows.filescan | grep psafe3


We found the password database. Let’s dump it to our system, using the memory address we found in the previous step:

mkdir dump_files
python3 vol.py -f memory.dmp -o dump_files windows.dumpfiles --physaddr 0x3e1745d0 

We get the database dumped to our system. However, we need the master password to decrypt it.

Discover the Master Password

The master password can be discovered in several ways.

  1. Find the .txt file that stores the master password in plain text:
python3 vol.py -f memory.dmp windows.filescan | grep txt


Dump note_to_self.txt to disk using the previously displayed memory address:

python3 vol.py -f memory.dmp -o dump_files windows.dumpfiles --physaddr 0x3fc6c180 

This file contains the master password.

  2. Extract it from the user’s clipboard (Volatility 2):
# The profile was determined from the previous output of windows.info
python vol.py -f memory.dmp --profile=Win7SP1x64 clipboard

Master Password: thequickbrownfoxjumpedoverthelazydog
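As an added example (not part of the original writeup and not Volatility's own code), the following Python script parses Volatility 3 windows.filescan output, picks out password-vault files and plaintext notes by extension, and builds the windows.dumpfiles command for each offset, so the two filescan-and-dumpfiles passes above become a single triage step. The sample filescan output is constructed to mirror the plugin's Offset/Name/Size columns; the paths and sizes are made up apart from the two offsets shown above, and the .kdbx extension is included as a generalisation to another password-manager vault format.

```python
"""Triage Volatility 3 windows.filescan output for password vaults and notes.

Added example, not the writeup's or Volatility's own code. The sample output
below is constructed to mirror the plugin's tab-separated columns.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed sample of `python3 vol.py -f memory.dmp windows.filescan` output.
# Only the two offsets from the writeup are real; everything else is made up.
SAMPLE_FILESCAN = (
    "Volatility 3 Framework 2.x\n"
    "Progress:  100.00\t\tPDB scanning finished\n"
    "Offset\tName\tSize\n"
    "\n"
    "0x3e0a1b20\t\\Windows\\System32\\kernel32.dll\t1107456\n"
    "0x3e1745d0\t\\Users\\user\\Documents\\secrets.psafe3\t4096\n"
    "0x3fc6c180\t\\Users\\user\\Desktop\\note_to_self.txt\t53\n"
    "0x3fd01000\t\\Users\\user\\AppData\\Local\\Temp\\log.txt\t2048\n"
)

# Vault formats worth dumping first: Password Safe (.psafe3, as on this page)
# and KeePass (.kdbx, added as a generalisation). Plaintext notes next to a
# vault are the classic weak link this challenge illustrates.
VAULT_EXTENSIONS = ("psafe3", "kdbx")
NOTE_EXTENSIONS = ("txt",)

# One data row: hex offset, tab, path, tab, decimal size.
FILESCAN_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\t(.+?)\t(\d+)$")


@dataclass(frozen=True)
class FileEntry:
    offset: int   # physical address of the FILE_OBJECT, as printed by filescan
    name: str     # backslash-separated path inside the guest
    size: int     # size in bytes


def parse_filescan(text: str) -> list[FileEntry]:
    """Return one FileEntry per data row; banner and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = FILESCAN_LINE.match(line)
        if match:
            offset, name, size = match.groups()
            entries.append(FileEntry(int(offset, 16), name, int(size)))
    return entries


def extension_of(name: str) -> str:
    """Lower-cased extension of the last path component, '' if there is none."""
    base = name.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def find_by_extension(entries: list[FileEntry], exts: tuple[str, ...]) -> list[FileEntry]:
    """Filter entries whose extension is in exts (leading dots tolerated)."""
    wanted = {e.lstrip(".").lower() for e in exts}
    return [e for e in entries if extension_of(e.name) in wanted]


def dumpfiles_command(dump_path: str, out_dir: str, offset: int) -> str:
    """Build the Volatility 3 command that extracts one file by physical address."""
    return (
        f"python3 vol.py -f {shlex.quote(dump_path)} -o {shlex.quote(out_dir)} "
        f"windows.dumpfiles --physaddr 0x{offset:x}"
    )


def triage(text: str, dump_path: str, out_dir: str) -> list[str]:
    """Commands for every vault and note file, vaults first."""
    entries = parse_filescan(text)
    picked = find_by_extension(entries, VAULT_EXTENSIONS) + find_by_extension(entries, NOTE_EXTENSIONS)
    return [dumpfiles_command(dump_path, out_dir, e.offset) for e in picked]


if __name__ == "__main__":
    for cmd in triage(SAMPLE_FILESCAN, "memory.dmp", "dump_files"):
        print(cmd)
```

Run it directly to print the dumpfiles commands for the constructed sample; feed it real output by replacing SAMPLE_FILESCAN with the captured text of windows.filescan.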

Decrypt the Database

Download Password Safe, and run it. Select the password database, enter the master password, and hit OK.

Double click flag [] to copy the flag to your clipboard.

Flag: uCTF{Suppa_secret_pa$$word}