Bad Memory

I spent a bit of time on this trying to get Volatility 2 to work with the Mimikatz plug-in. I was not successful. I was able to run the Volatility hashdump module.

I switched to Volatility3 and ran hashdump. For whatever reason the output of Volatility3 was different.

The only user besides the default accounts is for ‘Congo.’ Copy the hashed password and head over to https://hashes.com/en/decrypt/hash where we can search for the hash.

Yay, we got a match.

[Note: anecdotally I was advised that you could do this offline as well with Hashcat and the rockyou wordlist. I had tried that earlier but was using the Volatility2 output. :( ]

The last step is to convert ‘goldfish#’ to MD5.

Now just wrap it in the flag { } and you’re good to go.


Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.