dctf 2022 Problem Secure Creds Writeup

Posted on Apr 18, 2022

The problem

link to the problem (requires login)

Solution

First, download the zip file, and unzip it.

You should see the file lsass.DMP.

To check the dump file's type, use the file command:

file lsass.DMP

output: lsass.DMP: Mini DuMP crash report, 16 streams, Sat Apr 9 02:47:27 2022, 0x421826 type
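The three numbers in that file output are read straight from the 32-byte MINIDUMP_HEADER at the start of the file: the stream count, the TimeDateStamp field, and the Flags field (a MINIDUMP_TYPE bitmask, 0x421826 here). The following script, added to this writeup and not part of the original post or of any tool it mentions, parses that header and the stream directory that follows it, decodes the type flags, and refuses a file whose signature, version or stream locations do not line up. The sample dump it builds is constructed in the script (filler payloads, the same stream count and flags as the file output above), so it runs offline; pass a path on the command line to triage a real dump before opening it in anything heavier.

```python
import struct
import sys
from datetime import datetime, timezone

# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp (ULONG32 each) and Flags (ULONG64) -> 32 bytes.
HEADER_FMT = "<IIIIIIQ"
# MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva -> 12 bytes.
DIRECTORY_FMT = "<III"
MDMP_SIGNATURE = 0x504D444D  # the bytes 'MDMP' read as a little-endian ULONG32
MDMP_VERSION = 0xA793        # MINIDUMP_VERSION sits in the low 16 bits of Version

# Subset of MINIDUMP_STREAM_TYPE values from minidumpapiset.h.
STREAM_TYPES = {
    0: "UnusedStream", 3: "ThreadListStream", 4: "ModuleListStream",
    5: "MemoryListStream", 6: "ExceptionStream", 7: "SystemInfoStream",
    8: "ThreadExListStream", 9: "Memory64ListStream", 12: "HandleDataStream",
    14: "UnloadedModuleListStream", 15: "MiscInfoStream",
    16: "MemoryInfoListStream", 17: "ThreadInfoListStream", 19: "TokenStream",
}

# Subset of MINIDUMP_TYPE flag bits from minidumpapiset.h.
DUMP_TYPE_FLAGS = {
    0x1: "MiniDumpWithDataSegs", 0x2: "MiniDumpWithFullMemory",
    0x4: "MiniDumpWithHandleData", 0x20: "MiniDumpWithUnloadedModules",
    0x800: "MiniDumpWithFullMemoryInfo", 0x1000: "MiniDumpWithThreadInfo",
    0x20000: "MiniDumpIgnoreInaccessibleMemory",
    0x40000: "MiniDumpWithTokenInformation", 0x400000: "MiniDumpWithIptTrace",
}


def parse_header(buf):
    """Validate the fixed header and return its fields as a dict."""
    if len(buf) < struct.calcsize(HEADER_FMT):
        raise ValueError("file too short for a minidump header")
    sig, ver, nstreams, dir_rva, _checksum, ts, flags = struct.unpack_from(HEADER_FMT, buf, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("bad signature 0x%08x (expected 'MDMP')" % sig)
    if ver & 0xFFFF != MDMP_VERSION:
        raise ValueError("unexpected minidump version 0x%04x" % (ver & 0xFFFF))
    return {
        "streams": nstreams,
        "directory_rva": dir_rva,
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "flags": flags,
    }


def parse_directory(buf, header):
    """Walk the stream directory; every stream must lie inside the file."""
    entry_size = struct.calcsize(DIRECTORY_FMT)
    entries = []
    for i in range(header["streams"]):
        off = header["directory_rva"] + i * entry_size
        if off + entry_size > len(buf):
            raise ValueError("stream directory runs past end of file")
        stype, size, rva = struct.unpack_from(DIRECTORY_FMT, buf, off)
        if rva + size > len(buf):
            raise ValueError("stream %d points outside the file" % i)
        entries.append((STREAM_TYPES.get(stype, "Unknown(%d)" % stype), rva, size))
    return entries


def decode_dump_type(flags):
    """Name the MINIDUMP_TYPE bits that are set, lowest bit first."""
    return [name for bit, name in sorted(DUMP_TYPE_FLAGS.items()) if flags & bit]


def triage(buf):
    header = parse_header(buf)
    return {
        "header": header,
        "streams": parse_directory(buf, header),
        "dump_type": decode_dump_type(header["flags"]),
    }


def build_sample_dump():
    """Constructed sample: three streams with filler payloads, not real dump data."""
    payloads = [(7, b"\x00" * 56), (4, b"\x00" * 4), (9, b"\x00" * 16)]
    hdr_size = struct.calcsize(HEADER_FMT)
    data_rva = hdr_size + struct.calcsize(DIRECTORY_FMT) * len(payloads)
    directory, data = b"", b""
    for stype, payload in payloads:
        directory += struct.pack(DIRECTORY_FMT, stype, len(payload), data_rva + len(data))
        data += payload
    # 1649472447 is 2022-04-09 02:47:27 UTC; 0x421826 is the type the file command showed.
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, MDMP_VERSION, len(payloads),
                         hdr_size, 0, 1649472447, 0x421826)
    return header + directory + data


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    result = triage(blob)
    print("streams:", result["header"]["streams"], "written:", result["header"]["timestamp"])
    for name, rva, size in result["streams"]:
        print("  %-26s rva=0x%06x size=%d" % (name, rva, size))
    print("dump type:", ", ".join(result["dump_type"]))
```

A dump whose type includes MiniDumpWithFullMemory is the interesting case from a defender's point of view: its Memory64ListStream carries the process's full address space, which for lsass.exe means cached credential material, so the presence of such a file on a host is itself worth alerting on.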

A Google search shows that the term lsass stands for “Local Security Authority Server Service,” and searching for the keywords “lsass minidump” together leads to a tool called Mimikatz.

Finally:

  • open up a Windows VM if you’re not on Windows
  • disable Windows Defender
  • download & extract mimikatz_trunk
  • move lsass.DMP to the mimikatz_trunk folder
  • cd to the x64 folder and execute mimikatz.exe
  • execute the commands:
      cd ../
      sekurlsa::minidump lsass.DMP
      sekurlsa::logonPasswords

The results:

Inside tspkg, we can see that the password (i.e. the flag) is dctf{n0_ant1v1ru5_l0l}