The weekend of 03\/31\/2018 is pre-qualification for the Nuit du Hack 2018<\/a><\/strong>\u00a0as a Jeopardy CTF<\/strong>. Having had the opportunity and the time to participate with some colleagues and friends, here\u2019s a write-up resolution of the challenges which we could participate.<\/p>\n The challenge\u2019s goal is to access to a wallet content from a virtual machine and a memory dump provided in fournis dans l\u2019archive 7z.<\/p>\n To run VM, we create a new machine in VirtualBox and we attache the disk file whereismypurse.vdi<\/strong> to it. Once run, we see a Windows 7 system protected with a password\u00a0:<\/p>\n Win7 authentication<\/p><\/div>\n One possible option is to use a tool such as konboot<\/a>\u00a0to bypass Windows authentication. A loading of the tool\u2019s ISO at system startup allows us to log in as user SatNak without password.<\/p>\n On the desktop, we can see an executable named dcrinstall-windows-amd64-v1.1.2.exe<\/strong>. A quick search on the web tells us it is a tool related to the crypto currency \u00ab\u00a0Decred<\/strong>\u00a0\u00bb. The executable deploy the tool in the directroy %USERPROFILE%\\decred\\<\/strong>\u00a0:<\/p>\n <\/p>\n Binary in USERPROFILE<\/p><\/div>\n The tool\u2019s binaries are likely to provide access to the wallet mentioned in the description of the challenge. After playing a little with these executables, we note that a secret is necessary to continue the challenge.<\/p>\n It is assumed that this secret can be retrieved from the memory dump provided in the 7z archive. Let’s use Volatility to analyze this one:<\/p>\n Volatility identification<\/p><\/div>\n The list of running programs or commands tells us that a KeePass<\/strong> vault is launched:<\/p>\n Keepass detection<\/p><\/div>\n This process can be extracted using the following command:<\/p>\n A simple search for strings in the contents of this dump allows us to find the password contained in the Keepass<\/strong> vault:<\/p>\n Keepass password<\/p><\/div>\n Back in the VM, we run the executables dcrd.exe<\/strong> and drcwallet.exe<\/strong> and enter the password found previously when prompted:<\/p>\n\n
![\"Win7](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/w01-300x249.png\")
<\/a>![\"Binary](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/w02-300x249.png\")
<\/a>![\"Volatility](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/w03-300x114.png\")
<\/a>![\"Keepass](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/w04-300x86.png\")
<\/a>$ volatility -f whereismypurse.raw --profile=Win7SP1x64 --dump-dir=dump memdump -p 2212<\/pre>\n
![\"Keepass](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/w05-300x131.png\")
<\/a>
![\"Run](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/w06-300x148.png\")
<\/a>![\"Flag](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/w07-300x136.png\")
<\/a>