What's going on everybody? My name is John Hammond and welcome to some OtterCTF. This competition went on just last week and it showcased some pretty cool memory forensics challenges, so I want to showcase some of them to kind of get your feet wet with Volatility if you haven't seen it before, and hopefully we'll get into some cool stuff. Looks like these challenges are kind of out of order, just how the CTF wanted to put them in, but whatever, we'll start with number one: "What the password", for a hundred points. You got a sample of Rick's PC's memory. Can you get his user password? And the flag format is CTF{...}.

There's a download link here, which you can go ahead and download. It is, I think, 500 megs, so it's pretty hefty. It's a 7-Zip file, so you can extract it with like 7z e and then the OtterCTF.7z file name. I do have it downloaded already. It's just a virtual memory file, I believe that's... yeah, okay, data, whatever. Cool.

Next up, once that's downloaded and you've got it available, you are going to want the tool Volatility. So if you don't already have it downloaded, I think it's somewhere in the Ubuntu repositories, let's apt-get to that, great. I know it's somewhere in the Ubuntu repositories, but I think it's always best to go from the simple GitHub page. So what I've done is, I normally put my software in /opt, and I actually already have it in here, so let's just kind of clear that out. rm -rf is always like the scariest thing for me to type; I just get super worried, you know, you're gonna totally destroy my computer here. So if you don't have git you can still apt-get it, but you're all going to want to git clone this.

And once you have Volatility downloaded and everything, the setup.py file is what you want to work with, so python setup.py. You can just give it an argument, install, and then you can just sudo that, so it'll go ahead and create everything for you. Once you're done, you should see a vol.py, or the Volatility Python script, in your path. Looks like that's all done. So now if I type vol and then tab-tab autocomplete, I can have vol.py. I had to go ahead and install distorm3, so if you get a bunch of errors like "missing distorm3" or whatever, you can, I think, sudo... it should just be pip install distorm3, and then I had to use --user to specify I just want it for my account.

So alright, now let's go back to it: CTF, OtterCTF, forensics, great. Now let's run vol.py, and if you haven't used Volatility before, it's interesting because you need to kind of understand the profile, or the specific kind of image that you're working with. So yeah, you can say I want to work with this file, -f OtterCTF or whatever file you want to work with, but you need to give it a function, or kind of a thing to do. So if you haven't seen what those things are, you can go to Volatility... I don't know if "functions" is the right word, maybe it is. Volatility GitHub... I'm just searching "volatility github functions command reference". Okay.

That's fine, there we go, all the things that we can do with Volatility. So image identification is the first thing that you need to do, right? You need to actually kind of tell Volatility, this is the kind of thing that I'm looking at, this is the kind of memory file, memory dump, that I'm looking at. So the way you could do that is specifying, yeah, -f will specify the file for me, but the process or the command that I want to run is just the following syntax, with a space. So imageinfo will search in the database as to what this potentially could be, and then once you've kind of determined one, you can normally just take the first bet as, okay, I'll trust that, or at least I'll see if it'll work, with --profile= whatever it suggests for us. So let's go ahead and try that, let's use --... I'm sorry, no, we need to run imageinfo on it first, and then once it determines the profile for us, then we can say that's the profile that I want. Takes a little bit of time, but at the end we should be greeted with, hey, the file that we're working with, what is suggested for us is actually... I had to pause the video so that the timing would work out. Well, that's suggesting Windows 7 Service Pack 1, 64-bit. Cool, let's try that. Let's use --profile with this, and we need to tell it something to do now that we've just passed in the profile as kind of an argument.

So let's go back to this command reference and see what we can really do. So there's a lot of really cool things, right, that Volatility can do in this memory dump: we can list processes, see the commands we'll run, get open files, console commands, etc. Even look at specific processes or dump them, just grab the executable, etc. But this challenge is asking us to determine a user password, so what we may as well do is, just in the command reference, let's Ctrl+F for "password", and this brings us to lsadump: "To dump LSA secrets from the registry, use the lsadump command. This exposes information such as the default password for systems with auto-login enabled, the RDP public key, and credentials used by DPAPI."

So all we need to do now, that we've specified the profile, we know the actual memory file that we're working with, we'll just give it lsadump as the command to run. So let's see if we get any luck with that. Let's try lsadump. Takes a bit of time, but once it carves through all that memory, looks like we've got some results here. We can see the DefaultPassword, whatever, we're bleeding out of memory here, and it looks like "Morty is really an otter". So I am going to kind of take the cue and the signal with that; that is more than likely the flag, or at least the password that we're looking for. So let's just type that out without those spaces... really, I don't know what I was thinking, "really an otter". Now let's copy that and let's go ahead and submit it for the points. Well, "Morty is really an otter" is really an otter. I want to say that that's just because the competition is over, it's not letting me submit flags. But hopefully you still have gone through the process, right, and understand what Volatility is doing and how that's all working. So yes, the flag is there, but maybe the fact that we can't submit it is not important. So really just getting the practice and learning Volatility with some of the functions and commands and doing interesting stuff is where the magic is at.

So I hope you guys enjoyed this video. Thank you for watching, and before I go I want to give a quick shout-out to the people that support me on Patreon. Thank you guys so much. One dollar a month or more on Patreon will give you a special shout-out, just like this at the end of every video. One dollar or more... oh, I don't know where my mind's going. Five dollars or more on Patreon will give you early access to all the content that I release on YouTube before it goes live. So if I have a lot of videos backed up and kind of pre-recorded, ready for YouTube to gradually release them, you can have them right when it's hot, right when it's ready, just five dollars a month on Patreon. And I'm grateful for your support; anything that you're willing to give, I'm just so, so thankful for your donations. Thank you so much. If you did like this video, please do like, comment and subscribe, and join our Discord server, link in the description. It's a cool community full of CTF players, programmers and hackers, and special shout-out to Sinister Matrix, Void Update and Cave Venom for really stepping up to the plate and being the moderators there while I am away. So thank you. Hope you guys enjoyed this video. I love you. I'll see you in the next one.
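The two-step workflow the video walks through (run imageinfo, take the first suggested profile, then run lsadump with that profile) is easy to script. The POSIX shell below is an added example written for this transcript, not code from the video or from the Volatility project; the imageinfo output it parses is a constructed sample in the real tool's output format (the profile list and the /opt/ctf path are made up for the sample), so the parsing can be exercised offline without the memory image. The names pick_profile and build_vol_cmd are my own.

```shell
#!/bin/sh
# Added example (not from the video): automate the Volatility 2 workflow
# "imageinfo -> first suggested profile -> lsadump" from the walkthrough.

# Constructed sample of what `vol.py -f <image> imageinfo` prints; only the
# "Suggested Profile(s)" line matters for profile selection.
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/opt/ctf/OtterCTF.vmem)'

# pick_profile IMAGEINFO_TEXT
# Prints the first profile named on the "Suggested Profile(s)" line, which is
# the "take the first bet" choice from the video. Returns non-zero (and
# prints nothing) when no such line is present, so a caller can fall back to
# choosing a profile by hand instead of running plugins with an empty one.
pick_profile() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Suggested Profile(s)[[:space:]]*:[[:space:]]*\([^,[:space:]]*\).*/\1/p' \
        | head -n 1 \
        | grep .
}

# build_vol_cmd IMAGE PROFILE PLUGIN
# Prints the vol.py command line for running PLUGIN against IMAGE with the
# chosen PROFILE, in the "-f <file> --profile=<profile> <plugin>" form used
# in the video.
build_vol_cmd() {
    printf 'vol.py -f %s --profile=%s %s\n' "$1" "$2" "$3"
}

# When run as a script with a memory image and vol.py on PATH, do the real
# thing; otherwise demonstrate the selection logic on the constructed sample.
if [ "$#" -ge 1 ] && command -v vol.py >/dev/null 2>&1; then
    image="$1"
    info="$(vol.py -f "$image" imageinfo 2>/dev/null)"
    profile="$(pick_profile "$info")" || {
        echo "no suggested profile found; inspect imageinfo output by hand" >&2
        exit 1
    }
    echo "using profile $profile" >&2
    vol.py -f "$image" --profile="$profile" lsadump
else
    profile="$(pick_profile "$SAMPLE_IMAGEINFO")"
    echo "sample picks profile: $profile"
    echo "would run: $(build_vol_cmd OtterCTF.vmem "$profile" lsadump)"
fi
```

Usage with a real image is `sh script.sh OtterCTF.vmem`; without arguments it only prints the command it would run for the sample. The fallback on a missing "Suggested Profile(s)" line is deliberate: Volatility 2 does not refuse to run a plugin with a wrong profile, it just returns garbage or nothing, so failing loudly at profile selection is cheaper than puzzling over empty lsadump output.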