HackVent 2023 - [HV23.06] Santa should use a password manager

Difficulty: Easy

Categories: Fun, Forensic

Author: wangibangi

Santa is getting old and has troubles remembering his password. He said password Managers are too complicated for him and he found a better way. So he screenshotted his password and decided to store it somewhere handy, where he can always find it and where its easy to access.

We get a memory dump of a windows machine. I used MemProcFS to mount the image:

$ ./memprocfs -device memory.raw -mount ~/memprocfs -forensic 1

Then, after analyzing, I found a wallpaper.png file and decided to copy it to my local filesystem:

$ cp ./forensic/files/ROOT/Users/santa/AppData/Local/Packages/Microsoft.Windows.Photos_8wekyb3d8bbwe/LocalState/PhotosAppLockscreen/ffff918b76c54860-wallpaper.png /tmp/wallpaper.png

The pictures in the Pictures folder seemed corrupted but the cache in AppData contained a version of the image that seemed just fine:

Upon scanning the QR code, we get the flag: HV23{FANCY-W4LLP4p3r}