Window Pains 2

Challenge:

Using the memory dump file from Window Pains, submit the victim's computer name.

Submit the flag as flag{COMPUTER-NAME}.

Solution:

Using Volatility 3 we can retrieve the computer name from the ComputerName registry key located in the SYSTEM registry hive. First we need to determine the memory offset for the hive:

$ ~/Tools/volatility3/vol.py -f physmemraw windows.registry.hivelist.HiveList | grep SYSTEM
0xab09bee55000	\REGISTRY\MACHINE\SYSTEM	Disabled

With the correct offset value we can retrieve the ComputerName key from the hive:

$ ~/Tools/volatility3/vol.py -f physmemraw windows.registry.printkey.PrintKey --offset 0xab09bee55000 --key 'ControlSet001\Control\ComputerName\ComputerName'
Last Write Time	Hive Offset	Type	Key	Name	Data	Volatile

2021-08-06 13:01:54.000000 	0xab09bee55000	REG_SZ	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName	(Default)	"mnmsrvc"	False
2021-08-06 13:01:54.000000 	0xab09bee55000	REG_SZ	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName	ComputerName	"DESKTOP-IT8QNRI"	False

The accepted flag was flag{DESKTOP-IT8QNRI}.
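The two steps above can be chained into one script. This is an added helper, not part of the original writeup; it parses the tab-separated tables that Volatility 3 prints and assumes the tool and dump paths in VOL and DUMP.

```shell
#!/bin/sh
# Added example (not from the writeup). VOL and DUMP are assumed locations and
# can be overridden from the environment.
VOL="${VOL:-$HOME/Tools/volatility3/vol.py}"
DUMP="${DUMP:-physmemraw}"

# Step 1: read hivelist output on stdin and print the offset (column 1) of the
# row whose hive path (column 2) is exactly \REGISTRY\MACHINE\SYSTEM.
system_hive_offset() {
    awk -F'\t' '$2 ~ /^\\REGISTRY\\MACHINE\\SYSTEM$/ { print $1; exit }'
}

# Step 2: read printkey output on stdin and print the Data column (6) of the
# row whose Name column (5) is ComputerName, with the surrounding quotes removed.
# The header row has Name == "Name", so it never matches.
computer_name_from_printkey() {
    awk -F'\t' '$5 == "ComputerName" { gsub(/"/, "", $6); print $6; exit }'
}

# Wrap the recovered name in the challenge's flag format.
make_flag() {
    printf 'flag{%s}\n' "$1"
}

# Full pipeline against a real dump: hivelist -> offset -> printkey -> flag.
extract_flag_from_dump() {
    off=$("$VOL" -f "$DUMP" windows.registry.hivelist.HiveList | system_hive_offset)
    [ -n "$off" ] || { echo "SYSTEM hive not found in hivelist output" >&2; return 1; }
    name=$("$VOL" -f "$DUMP" windows.registry.printkey.PrintKey --offset "$off" \
        --key 'ControlSet001\Control\ComputerName\ComputerName' | computer_name_from_printkey)
    [ -n "$name" ] || { echo "ComputerName value not found under ControlSet001" >&2; return 1; }
    make_flag "$name"
}

# Only run the live pipeline when both the tool and the dump are actually present.
if [ -x "$VOL" ] && [ -f "$DUMP" ]; then
    extract_flag_from_dump
fi
```

The script hard-codes ControlSet001 exactly as the writeup does; on an image where that is not the active control set, the SYSTEM hive's Select key (its Current value) records which ControlSetNNN was in use.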
