Not So Complicated

Challenge:

Using the memory dump file from Window Pains, crack and submit Jimmie's password. Submit the flag as flag{cleartext_password}.

Solution:

This was a fairly straightforward challenge when leveraging Volatility 3's windows.hashdump plugin:

$ ~/Tools/volatility3/vol.py -qf physmemraw windows.hashdump.Hashdump
Volatility 3 Framework 2.0.0
User	rid	lmhash	nthash

Administrator	500	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
Guest	501	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount	503	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount	504	aad3b435b51404eeaad3b435b51404ee	0b51f04cf2a0d8f6f4469cd628a78776
Jimmie	1001	aad3b435b51404eeaad3b435b51404ee	0d757ad173d2fc249ce19364fd64c8ec
Admin	1003	aad3b435b51404eeaad3b435b51404ee	29b0d58e146d70278c29dc70f74f1e5d

Jimmie's password choice was very poor and a quick Google search for the hash identified the plaintext.

The accepted flag was flag{qwertyuiop}.
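The two steps above (dump the SAM hashes, then match the NT hash against known passwords) can be reproduced offline. The following is an added example, not code from the writeup: it implements the NT hash (MD4 over the UTF-16LE password, RFC 1320) in pure Python so it does not depend on OpenSSL still shipping MD4, parses the hashdump table copied from the output above, and checks every account against a small constructed wordlist. The wordlist contents are an assumption for illustration; it includes the empty password, which matters because three accounts in the dump carry the well-known empty NT hash 31d6cfe0d16ae931b73c59d7e0c089c0, and the value the writeup recovered for Jimmie so the result can be confirmed against the dump.

```python
import struct

# --- RFC 1320 MD4 in pure Python (OpenSSL 3 hides md4 behind the legacy provider) ---
_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """Return the 16-byte MD4 digest of data."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)

    f = lambda x, y, z: (x & y) | (~x & _MASK & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (boolean function, additive constant, message-word order, shift amounts) for each round
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                # Rotate the working registers so each step updates the next one in turn.
                a, b, c, d = d, _rotl((a + func(b, c, d) + x[k] + const) & _MASK, shifts[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & _MASK, (b0 + b) & _MASK, (c0 + c) & _MASK, (d0 + d) & _MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


# LM hash value stored when LM hashing is disabled or the password is empty.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# Table rows copied from the windows.hashdump output in the writeup above.
HASHDUMP_OUTPUT = """\
Volatility 3 Framework 2.0.0
User	rid	lmhash	nthash

Administrator	500	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
Guest	501	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount	503	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount	504	aad3b435b51404eeaad3b435b51404ee	0b51f04cf2a0d8f6f4469cd628a78776
Jimmie	1001	aad3b435b51404eeaad3b435b51404ee	0d757ad173d2fc249ce19364fd64c8ec
Admin	1003	aad3b435b51404eeaad3b435b51404ee	29b0d58e146d70278c29dc70f74f1e5d
"""

# Constructed wordlist for the demonstration (an assumption, not from the writeup).
WORDLIST = ["", "password", "Password123", "admin", "qwertyuiop"]


def _is_hex32(s: str) -> bool:
    return len(s) == 32 and all(ch in "0123456789abcdefABCDEF" for ch in s)


def parse_hashdump(text: str) -> list:
    """Parse windows.hashdump output into (user, rid, lmhash, nthash) tuples, skipping headers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[1].isdigit():
            continue
        if not (_is_hex32(parts[2]) and _is_hex32(parts[3])):
            continue
        rows.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return rows


def audit_hashdump(text: str, wordlist) -> dict:
    """Map each account to the wordlist entry whose NT hash matches, or None when nothing matches."""
    lookup = {nt_hash(word): word for word in wordlist}   # hash every candidate once
    return {user: lookup.get(nth) for user, _rid, _lm, nth in parse_hashdump(text)}


if __name__ == "__main__":
    for user, rid, lm, nth in parse_hashdump(HASHDUMP_OUTPUT):
        lm_note = "LM empty/disabled" if lm == EMPTY_LM_HASH else "LM hash present"
        print(f"{user:20} rid={rid:<5} {lm_note}")
    for user, found in audit_hashdump(HASHDUMP_OUTPUT, WORDLIST).items():
        status = "no wordlist match" if found is None else ("EMPTY PASSWORD" if found == "" else f"weak password: {found}")
        print(f"{user:20} {status}")
```

Run as a script, it prints one line per account flagging empty LM hashes and any account whose NT hash matches the constructed wordlist; the same `audit_hashdump` call works on any saved windows.hashdump output, which makes it a quick post-incident check for blank or dictionary passwords on a recovered SAM.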
