10.12.2018


GVTs - wearegvts.com
OtterCTF - Memory Forensics - “What the password?”

Volatility is a useful tool for memory forensics.

First, we need to get the profile:
./vol.py -f OtterCTF.vmem imageinfo
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418

So we can run the lsadump command with that profile to recover the LSA secrets, which include the stored password:
./vol.py -f OtterCTF.vmem --profile=Win7SP1x64 lsadump
0x00000000  28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   (...............
0x00000010  4d 00 6f 00 72 00 74 00 79 00 49 00 73 00 52 00   M.o.r.t.y.I.s.R.
0x00000020  65 00 61 00 6c 00 6c 00 79 00 41 00 6e 00 4f 00   e.a.l.l.y.A.n.O.
0x00000030  74 00 74 00 65 00 72 00 00 00 00 00 00 00 00 00   t.t.e.r.........

Password is MortyIsReallyAnOtter.
And the flag is:
CTF{MortyIsReallyAnOtter}
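As an added example (not part of the original writeup), the following Python script rebuilds the raw secret blob from the lsadump hexdump quoted above and decodes it, instead of reading the password out of the ASCII gutter by eye. The layout it assumes (a 4-byte little-endian length, 12 further header bytes, then the UTF-16LE string at offset 0x10) is what the dump above shows; the sample input is the writeup's own output, embedded as a string.

```python
import re

# Constructed sample: the lsadump hexdump lines from the writeup above.
LSADUMP_OUTPUT = """\
0x00000000  28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   (...............
0x00000010  4d 00 6f 00 72 00 74 00 79 00 49 00 73 00 52 00   M.o.r.t.y.I.s.R.
0x00000020  65 00 61 00 6c 00 6c 00 79 00 41 00 6e 00 4f 00   e.a.l.l.y.A.n.O.
0x00000030  74 00 74 00 65 00 72 00 00 00 00 00 00 00 00 00   t.t.e.r.........
"""

# Offset column followed by up to 16 hex byte columns; the ASCII gutter is ignored.
HEX_LINE = re.compile(r"^0x([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}\s+){1,16})")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw blob from Volatility's hexdump text.

    Only the hex columns are used: the ASCII gutter replaces every
    non-printable byte with '.', so it cannot be trusted for decoding.
    """
    blob = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(blob):
            raise ValueError(f"non-contiguous dump at offset {offset:#x}")
        blob.extend(bytes.fromhex(m.group(2)))
    return bytes(blob)


def decode_lsa_secret(blob: bytes) -> str:
    """Decode a cleartext LSA secret laid out as in the dump above.

    Assumed layout: 4-byte little-endian byte length of the UTF-16LE
    payload (0x28 = 40 here), 12 header bytes, then the string at 0x10.
    """
    if len(blob) < 16:
        raise ValueError("blob too short for an LSA secret header")
    length = int.from_bytes(blob[:4], "little")
    payload = blob[16:16 + length]
    if len(payload) != length:
        raise ValueError("declared length exceeds dumped data")
    return payload.decode("utf-16-le")


def flag_from_dump(dump: str) -> str:
    """Wrap the decoded secret in the CTF flag format used by the challenge."""
    return "CTF{" + decode_lsa_secret(hexdump_to_bytes(dump)) + "}"
```

The length check matters on real dumps: a secret whose declared length runs past the dumped data indicates a truncated or misaligned blob rather than a valid string.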