rgbCTF 2020 write-up: Name a more iconic band

Awesome experience. Learnt a lot. The name of the challenge: Name a more iconic band. It was in the beginner category.

Link: https://ctftime.org/event/1042

So let's discuss the challenge. It looked like this:

FIG: Challenge description

FIG: data file in compressed 7z format

FIG: Just decompressed data.7z

FIG: Checking FILE type

Now here it says “core file”. I first thought it might be opened using gdb, so I tried that but failed. After some googling I found this is a dump file that is normally used for future analysis. So the first thing that came to my mind was “Forensics”, and for obvious reasons the next thing was “volatility”.

FIG: Checking about the coredump image using volatility

So my job is to find the Windows password, so I looked for the two MUST HAVE components, “SAM” & “SYSTEM”.

FIG: Looking for SAM and SYSTEM from hivelist to retrieve the Windows account password

Once I got the virtual addresses of both critical Windows components, I could get the hashdump of all user accounts 🙂

FIG: Just got the hashdump of all the Windows user accounts in NTLMv2 format

As expected, got the NTLMv2 hashes. Now I just need to crack all of them.

FIG: NTLMv2 hashes

So I looked for an online password cracking site: crackstation.net

I chose this one because I have 11 hashes and the site allows me to submit up to 20 hashes at a time. 🙂 And see.. all the hashes got cracked.

FIG: Cracked all the hashes; NULL is the pass of guest account (can be ignored)

Just ignored the 2nd one as there is no password for the guest account. After that I rearranged the passwords in alphabetical order as the challenge suggested.

FIG: following alphabetical order

FIG: in a line

FIG: md5 hash of that string

So the flag is rgbCTF{cf271c074989f6073af976de00098fc4}
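The post-hashdump steps above (skip the empty-password account, sort the recovered passwords, join them, MD5 the line) can be scripted. This is an added example, not code from the original write-up. The account names, hash values and plaintexts are constructed, and the empty join separator and case-sensitive sort are assumptions, since the challenge text survives only as a figure.

```python
import hashlib

# NT hash of the empty password: an account showing it has nothing to crack.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed pwdump-style lines (user:rid:lm:nt:::); not the challenge data.
# The two non-empty NT values are filler hex, not real hashes of any password.
SAMPLE_HASHDUMP = """\
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
"""
# Constructed lookup results, standing in for what the cracking site returned.
SAMPLE_CRACKED = {"1" * 32: "lo", "2" * 32: "hel"}


def parse_hashdump(text):
    """Return (user, nt_hash) pairs from pwdump-style lines, skipping junk."""
    accounts = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Expect user, rid, lm, nt, with a 32-character NT field.
        if len(fields) < 4 or len(fields[3]) != 32:
            continue
        accounts.append((fields[0], fields[3].lower()))
    return accounts


def hashes_to_look_up(accounts):
    """NT hashes worth submitting: everything except the empty password."""
    return sorted({nt for _, nt in accounts if nt != EMPTY_NT})


def build_flag(accounts, cracked, sep=""):
    """Sort the recovered passwords, join them, and MD5 the result."""
    missing = [u for u, nt in accounts if nt != EMPTY_NT and nt not in cracked]
    if missing:
        raise ValueError("no plaintext for: " + ", ".join(missing))
    # Assumption: "alphabetical" means plain case-sensitive string order.
    passwords = sorted(cracked[nt] for _, nt in accounts if nt != EMPTY_NT)
    joined = sep.join(passwords)
    return "rgbCTF{" + hashlib.md5(joined.encode()).hexdigest() + "}"


if __name__ == "__main__":
    accts = parse_hashdump(SAMPLE_HASHDUMP)
    print(hashes_to_look_up(accts))
    print(build_flag(accts, SAMPLE_CRACKED))
```

`build_flag` raises instead of hashing a partial list, so a hash the lookup site missed cannot silently produce a wrong flag.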
