MAGNET WEEKLY CTF #9
My first step was to look at the image with Volatility, so I needed to get the image info...
...then use pslist, to get an idea of which processes were running.
Of the many options, two stood out to me as potentially containing text – slack and WINWORD:
At first, despite my suspicions that the solution was as simple as creating an MD5 hash of my 3180.dmp file, I tried it because, after all, that is technically the file that I recovered the password from.
A grep of "uncrackable_password" in the MemProcFS file output found this: