Hey YouTube, this is John Hammond with some more OtterCTF and memory forensics with the Volatility framework. So let's move on to the second challenge. This one's called "General Info", 75 points, and it asks: "Let's start easy. What's the PC's name and IP address?" So we actually will use the flag format this time; I was able to submit the previous one because I remembered that I needed to wrap it in CTF{}. So sorry about that. Anyway, let's move on to it. We have our virtual memory already downloaded, we have Volatility all set up, and we can just kind of use it with --profile equals... oh boy, I kind of forget what it is. It's the Win7SP1x64. Okay, cool.

So now let's actually try and figure out what we can do to determine the PC's, or the computer's, name and IP address. So let's take another look at the command reference, what we can really do if we want to get the computer's name, right? We can look at processes, we can look at DLLs, we can look at open files or commands entered, or environment variables, etc. Maybe envars will work for us, the "display process environment variables" plugin. Will this actually give us a computer name? Maybe. It's worth checking out. Doesn't look like this does, but let's try it. envars, that's kind of a fun one in Volatility, right? Oh boy. Okay, this is doing it for, like, every single... like jeez, every single process. But it looks like it did even find one, just in Windows PowerShell, right: COMPUTERNAME. That's right there. That works just fine for us. Nice. Okay, there's our computer name. We can go ahead and copy that. They're literally just checking out the environment variables for any of these possible programs, or just entering it. We'll track down the computer name as an environment variable. Another option, and what I had kind of done originally, was I tried to determine where in the registry the computer name is at.
So I actually just Googled that, like "Windows registry computer name", and then tried to track it down. Wanted to see... okay, here is a reference in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName, so we can copy that and we can try and view it, because thankfully Volatility offers a way to just print a key in the registry. So we can check out how that works: it's just using printkey and then -K, which I'm assuming is going to only be looking in HKEY_LOCAL_MACHINE. I don't know if it's able to view others, because it looks like that syntax, or the front of it, is just kind of cut off. So if I were to try that, we can use print_key, right, capital K is the argument, and then let's remove SYSTEM and HKEY_LOCAL_MACHINE. Now, if I tried CurrentControlSet... printkey, no underscore, my bad. It told me originally that the requested key cannot be found in the hive search. So I thought, hmm, that's odd. Maybe it just can't see it in CurrentControlSet. So I actually tried another one: I tried ControlSet001, which is another one that is a default, or at least maybe not a default but another option for where the current control set, like not the current control set but a control set, could be. I mean, if you've seen the Windows registry, it's a mess, right? Like there's plenty of places that stuff could be found. But ControlSet001 is a thing, and we get the exact same result. Okay, ComputerName is going to equal the exact same string that we saw when we were checking out the environment variables. So now we've got two ways to skin a cat, kind of cool to showcase that, but that's the flag for the computer name. Let's go ahead and submit that, let's check it out, see if we can do CTF{...}, paste that in. Please actually submit. All right, cool. Now let's get the IP address.
This one is not too difficult. If you wanted to look at the command reference, you can just go in and, like, search for network things, or if you actually just check out the very, very top of this, you can see that we have an option, netscan, and that will kind of dump all of the connections that are made between this computer and others. Essentially it's like a netstat command. If we actually go ahead and try and run it on ours, you can see that most of these, like, actual references, or actually these connections that we're looking at, have a local IP address, right: 192.168 is something that will be local to us, or at least local to the local area network, the LAN that we're in and expected to be working with; that's a private IP space. So I see a lot of repetition of 192.168.202.131, and I'm gonna assume that that's us, considering it's calling out to other programs like BitTorrent, etc., etc. Let's go ahead and try and submit that and see how it works. Looks like it's also getting... yeah, BitTorrent is reaching out to other things and listening on those ports, so we can assume that that is our computer. CTF{...}, paste it in, wrap it in the flag syntax, hit the submit button, and that is also correct. So, awesome. That's how we can track down some more information with Volatility. Awesome toolkit, awesome framework, and totally a lot that you can, like, explore and find whenever you just get a memory dump. There are plenty that you can kind of carve through and dig out with these commands here, so I definitely recommend trying to explore them and just learn a little bit more about them to see what you can carve through, and hopefully I'll cover more of it as we go through more of these challenges. That is the end of the video, everybody.
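Editor's added example (not from the video, and not John Hammond's code): the two plugins used above, envars and netscan, print one row per environment variable and one row per socket, so on a real dump you are scrolling through thousands of lines to spot COMPUTERNAME and the recurring local address. The script below parses saved Volatility 2 output and applies the same reasoning as the video: pull every COMPUTERNAME variable from envars, then tally the local addresses from netscan, ignore 0.0.0.0, ::, loopback and link-local, and treat the most frequent private address as the host. The sample output embedded in the script is constructed for illustration; the computer name WIN-EXAMPLE01 and the offsets are made up, only the address 192.168.202.131 comes from the video. It generalizes slightly beyond the video by also handling IPv6 rows and the `*:*` foreign address UDP rows print.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample of `volatility -f <image> --profile=Win7SP1x64 envars`
# output. Offsets, PIDs and the computer name are made up for this example.
SAMPLE_ENVARS = """\
Pid      Process              Block              Variable                       Value
-------- -------------------- ------------------ ------------------------------ -----
     416 wininit.exe          0x00000000002d0320 Path                           C:\\Windows\\system32
    3304 powershell.exe       0x000000000021e320 COMPUTERNAME                   WIN-EXAMPLE01
    3304 powershell.exe       0x000000000021e320 USERDOMAIN                     WIN-EXAMPLE01
"""

# Constructed sample of `volatility ... netscan` output. Only 192.168.202.131
# is taken from the video; every other field is invented for the example.
SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7e5c1a70         TCPv4    0.0.0.0:135                    0.0.0.0:0            LISTENING        708      svchost.exe
0x7e5c2b20         TCPv4    192.168.202.131:49218          72.21.91.29:80       CLOSED           2480     BitTorrent.exe
0x7e5c3c30         UDPv4    0.0.0.0:5355                   *:*                                   1116     svchost.exe
0x7e5c4d40         TCPv4    192.168.202.131:49220          93.184.216.34:443    ESTABLISHED      2480     BitTorrent.exe
0x7e5c5e50         TCPv6    :::445                         :::0                 LISTENING        4        System
0x7e5c6f60         TCPv4    127.0.0.1:49154                127.0.0.1:49155      ESTABLISHED      2480     BitTorrent.exe
0x7e5c7070         UDPv4    192.168.202.131:1900           *:*                                   1116     svchost.exe
"""

# envars rows: pid, process, block offset, variable name, value (rest of line).
# The header and the dashed separator do not start with a number, so they skip.
ENVARS_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s+(.*?)\s*$", re.M)

# netscan rows: offset, protocol, local address, foreign address. Later
# columns (state, pid, owner, created) are optional for our purpose.
NETSCAN_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(TCPv[46]|UDPv[46])\s+(\S+)\s+(\S+)", re.M)


def computer_names_from_envars(text):
    """Return {pid: (process, value)} for every COMPUTERNAME variable seen."""
    found = {}
    for m in ENVARS_RE.finditer(text):
        pid, proc, _block, var, value = m.groups()
        if var.upper() == "COMPUTERNAME":
            found[int(pid)] = (proc, value)
    return found


def _host_part(addr):
    # "192.168.202.131:49218" -> "192.168.202.131", ":::445" -> "::", "*:*" -> "*"
    host, _sep, _port = addr.rpartition(":")
    return host


def local_ip_counts(text):
    """Count how often each usable local address appears in netscan output."""
    counts = Counter()
    for m in NETSCAN_RE.finditer(text):
        _offset, _proto, local, _foreign = m.groups()
        try:
            ip = ip_address(_host_part(local))
        except ValueError:
            continue  # wildcard or malformed, e.g. "*"
        # Wildcard listeners and loopback tell us nothing about the host's address.
        if ip.is_unspecified or ip.is_loopback or ip.is_link_local:
            continue
        counts[str(ip)] += 1
    return counts


def guess_host_ip(text):
    """Most frequent private local address, falling back to the most frequent
    address of any kind; None if netscan showed nothing usable."""
    counts = local_ip_counts(text)
    if not counts:
        return None
    private = Counter({ip: n for ip, n in counts.items() if ip_address(ip).is_private})
    best = private or counts
    ip, _n = best.most_common(1)[0]
    return ip


if __name__ == "__main__":
    for pid, (proc, name) in computer_names_from_envars(SAMPLE_ENVARS).items():
        print(f"COMPUTERNAME={name} (pid {pid}, {proc})")
    print("local address counts:", dict(local_ip_counts(SAMPLE_NETSCAN)))
    print("likely host IP:", guess_host_ip(SAMPLE_NETSCAN))
```

To use it on a real image, redirect the plugin output to files (`volatility -f image.vmem --profile=Win7SP1x64 envars > envars.txt`, likewise for netscan) and pass the file contents to the two functions. The frequency heuristic is only a heuristic: a host with several interfaces, or a dump taken mid-DHCP change, can show more than one private address, which is why `local_ip_counts` returns the full tally rather than just the winner.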
Thank you so much for watching. If you did like this video, please do like, comment and subscribe. But before I go, I want to give a quick shout-out to the people that support me on Patreon. I can't thank you guys enough. One dollar a month or more on Patreon will give you a special shout-out just like this at the end of every video. It's totally not necessary, I know it's not a whole lot, but maybe just a little feel-good feeling, warm fuzz in your heart, gets a merit, and just helping out a dude put food on the table. I'm very, very grateful, and thank you for that. Five dollars a month or more will give you early access to all the videos I create and put on YouTube. I normally like to record things kind of in bulk, and I have a backlog of stuff that I've pre-recorded, and like YouTube gradually releases them, maybe every day or every other day. If you want the content right when it's ready, when I have it recorded, I'll throw it in that Google Drive folder and you can actually just go ahead and download it and watch it yourself. It's just good stuff, man. It's great. Let me sell it to you. There's my pitch: five dollars a month or more, and I'm very, very grateful for all your support and donations. So thank you so much. Hey, please do join our Discord server, link in the description. It is a cool community full of CTF players, programmers and hackers. We're almost at 2,000 people right now, so if you want to join the party and help out with that initiative, please do. Special shout-out to Sinister Matrix, K Venom One and Void Update for stepping up to the plate to be the leaders and moderators there in my absence. So thank you guys so much. Hopefully I'll remember to keep giving you a shout-out at the end of every video, fingers crossed. Alrighty, talk soon. Love you. Hope to see you in the next video.