---

### Challenge Description

I've created the best system for storing all my top-secret information. Hackers can't steal my secrets if I store them in a virtual machine, right? Unfortunately, I accidentally deleted the virtual machine. Oops! Luckily, I saved a memory capture. Can you help me recover my lost passwords?

The flag will be in format - uCTF{flag}

---

### Summary

In this challenge, a memory dump was analyzed to recover a lost password. Using the Volatility Framework, the password database of the software `pwsafe.exe` was identified and dumped. Two methods were then used to discover the master password: reading a plain-text `.txt` file and extracting it from the user's clipboard. With this master password, the database was decrypted with Password Safe to retrieve the flag.

---

> Note that all commands are for Volatility 3, unless otherwise noted.

### Discover the Password Database

Let's start by finding the Windows version:

```bash
python3 vol.py -f memory.dmp windows.info
```

![[images/Pasted image 20230902181713.png]]

This memory dump uses Windows 6.1 (Windows 7). Let's list the processes:

```bash
python3 vol.py -f memory.dmp windows.pslist
```

![[images/Pasted image 20230902181952.png]]

The first binary that stands out is `pwsafe.exe`. This is likely the software storing the flag. After some research, I deduced that this application uses the `.psafe3` file extension for its password database. Search for any files with the `psafe3` extension:

```bash
python3 vol.py -f memory.dmp -o ../ windows.filescan | grep psafe3
```

![[images/Pasted image 20230902182640.png]]

We found the password database. Let's dump it to our system, using the memory address we found in the previous step:

```bash
mkdir dump_files
python3 vol.py -f memory.dmp -o dump_files windows.dumpfiles --physaddr 0x3e1745d0
```

![[images/Pasted image 20230902182310.png]]

We get the database dumped to our system. However, we need the master password to decrypt it.
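A file carved out of memory with `windows.dumpfiles` can be padded or truncated, so before handing it to the GUI it is worth checking that the image is a complete `.psafe3` database and, once a candidate master password turns up, that it actually matches the header. The script below is an added example, not part of this writeup or of the Password Safe project; it follows the published Password Safe V3 file layout (`PWS3` tag, 32-byte salt, little-endian iteration count, stored SHA-256 of the stretched key, `PWS3-EOFPWS3-EOF` trailer) and builds a constructed sample image inline so it runs offline.

```python
import hashlib
import struct

# Fixed V3 header layout, per the Password Safe V3 format description (formatV3.txt).
TAG = b"PWS3"
EOF_TAG = b"PWS3-EOFPWS3-EOF"
HEADER_LEN = 4 + 32 + 4 + 32 + 64 + 16  # tag, salt, ITER, H(P'), B1..B4, IV
MIN_ITER = 2048                          # smallest iteration count the spec allows


def stretch_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """V3 key stretching: start from SHA-256(P || SALT) and re-hash ITER times to get P'."""
    digest = hashlib.sha256(passphrase + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    return digest


def inspect_psafe3(data: bytes) -> dict:
    """Structural sanity check of a .psafe3 image recovered from memory; no decryption involved."""
    report = {"valid_tag": data[:4] == TAG, "complete": False, "iterations": None}
    if not report["valid_tag"] or len(data) < HEADER_LEN:
        return report
    report["iterations"] = struct.unpack("<I", data[36:40])[0]
    # A valid image ends with the EOF tag followed by a 32-byte HMAC; a truncated dump will not.
    trailer = data[-(len(EOF_TAG) + 32):]
    report["complete"] = len(data) > HEADER_LEN and trailer[:16] == EOF_TAG
    return report


def check_master_password(data: bytes, passphrase: str) -> bool:
    """True when SHA-256(P') equals the stored H(P') field, i.e. the candidate master password is right."""
    if len(data) < HEADER_LEN:
        return False
    salt, stored_hp = data[4:36], data[40:72]
    iterations = struct.unpack("<I", data[36:40])[0]
    if iterations < MIN_ITER:  # out-of-spec header, treat as corrupt rather than guess
        return False
    return hashlib.sha256(stretch_key(passphrase.encode(), salt, iterations)).digest() == stored_hp


def build_sample_db(passphrase: str, salt: bytes = b"\x11" * 32, iterations: int = 2048) -> bytes:
    """Constructed fixture: genuine salt/ITER/H(P') fields, dummy key blocks, IV, body and HMAC."""
    hp = hashlib.sha256(stretch_key(passphrase.encode(), salt, iterations)).digest()
    header = TAG + salt + struct.pack("<I", iterations) + hp + b"\x00" * 64 + b"\x00" * 16
    return header + b"\x00" * 32 + EOF_TAG + b"\x00" * 32


if __name__ == "__main__":
    sample = build_sample_db("thequickbrownfoxjumpedoverthelazydog")
    print(inspect_psafe3(sample), check_master_password(sample, "thequickbrownfoxjumpedoverthelazydog"))
```

On a real dump, read the carved file with `open(path, "rb").read()` and run both checks on it; a `complete` value of `False` means the carve is not worth feeding to Password Safe yet.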
---

### Discover the Master Password

The master password can be discovered in several ways.

1. Find the `.txt` file that stores the master password in plain text:

```bash
python3 vol.py -f memory.dmp windows.filescan | grep txt
```

![[images/Pasted image 20230902182438.png]]

Dump `note_to_self.txt` to disk using the previously displayed memory address:

```bash
python3 vol.py -f memory.dmp -o dump_files windows.dumpfiles --physaddr 0x3fc6c180
```

![[images/Pasted image 20230902182757.png]]

This file contains the master password.

2. Extract it from the user's clipboard (Volatility 2):

```bash
# The profile was determined from the earlier output of windows.info
python vol.py -f memory.dmp --profile=Win7SP1x64 clipboard
```

![[images/Pasted image 20230902183020.png]]

Master Password: `thequickbrownfoxjumpedoverthelazydog`

---

### Decrypt the Database

Download [Password Safe](https://www.fosshub.com/Password-Safe.html) and run it. Select the password database, enter the master password, and hit OK:

![[images/Pasted image 20230726233936.png]]

Double-click `flag []` to copy the flag to your clipboard:

![[images/Pasted image 20230726234007.png]]

Flag: `uCTF{Suppa_secret_pa$word}`