Intro
As a frequently player on cybergames and ctf’s this year wanted play on prequal of Cybercamp CTF 2018 organized by INCIBE. This allows me to take a snapshot of the maturity and quality of both platforms and challenges, apart from having a good time solving some problems (not always played as tunelko :))
Description
A partner gives you a memory dump and tells you that you have lost the password, you will have to manage to find it, the password will be the FLAG. Your partner’s username is ThatDude.
Challenge
They give you «mi_memoria» file memory dump that is a MiniDump windows crash format. First, strings ftw.
Mimikatz it is a great tool to inspect lsass.exe as you can dump plaintext passwords from it. Some «clever» people will tell us that we don’t need plaintext passwords just the hash, during our pentest. Seems lsass.exe need wdigest plaintext passwords due some HTTP Authentication and other process. So inspecting «mi_memoria» minidump we can extract ThatDude password and flag: ImFreeWhyNot98
- Set minidump FILE to mimikatz: sekurlsa::minidump FILE
- Use mimikatz magic method: sekurlsa::logonPasswords
