This project just follows this excellent write-up from MDSec: Analysing LastPass, Part 1.
https://www.google.com/chrome/
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
https://mh-nexus.de/en/hxd/
https://www.lastpass.com/
Click the "Get LastPass Free" button.
Fill in the form, as shown below.
Use a disposable email address, such as YOURNAME@mailinator.com.
Click the "Sign Up-It's Free" button.
There are several Chrome processes, as shown below.
Hover the mouse over a Chrome process to see its command line.
Find the process with this switch, outlined in red in the image below:
--extension-process
In the Properties sheet, click the Job tab.
Find the PID (Process ID). When I did it, the PID was 2684, as shown below.
From the menu bar, click Tools, "Open main memory...".
Find the Process ID of the process containing the LastPass extension, as shown below, and double-click it.
Search for testuser, as shown below.
F 211.1: Password Label (15 pts)
The flag is the word before your unencrypted password, covered by a green rectangle in the image below.
https://getfirefox.com
https://www.keepersecurity.com
At the top right, click "Try it Free".
Click "Personal and Family".
Enter a disposable email address ending in mailinator.com and click "Try it Free Now".
Create an account, log in, and go through the Quick Start process, as shown below.
Add a Secure Note to your Vault containing the string CCSF#.
Install the Browser Extension.
F 211.2: Finding the Process Containing Private Data (10 pts)
Launch Process Explorer.
Click View, "Lower Pane View", DLLs.
Click View, "Show Lower Pane".
Find the process with the module firefox@keepersecurity.com loaded, as shown below.
The flag is covered by a green rectangle in the image below.
Search for the string CCSF# to see your private data, as shown below.
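The same search can be run with a script over a memory region saved to a file. The following is an added example, not part of the original lab: it looks for a marker both as single-byte text and as UTF-16LE, since Windows processes hold strings in either form, and shows the text on either side of each hit. `SAMPLE`, `find_marker` and `printable` are names made up for this example, and the buffer is constructed rather than taken from a real process.

```python
# Added example: constructed buffer standing in for a saved memory region.
SAMPLE = (
    b"\x00" * 8
    + b'{"username":"testuser","note":"CCSF#demo"}'
    + b"\x00" * 5
    + "testuser".encode("utf-16-le")   # same string stored as wide characters
    + b"\x00" * 8
)

def printable(raw: bytes, enc: str) -> str:
    """Decode raw bytes and mask anything a hex editor would show as '.'."""
    text = raw.decode(enc, errors="replace")
    return "".join(c if c.isprintable() and c != "\ufffd" else "." for c in text)

def find_marker(buf: bytes, marker: str, context: int = 8):
    """Locate marker in buf as UTF-8 and as UTF-16LE.

    Returns sorted (offset, encoding, text_before, text_after) tuples.
    """
    hits = []
    for enc, width in (("utf-8", 1), ("utf-16-le", 2)):
        needle = marker.encode(enc)
        start = 0
        while (off := buf.find(needle, start)) != -1:
            end = off + len(needle)
            # Keep context a whole number of code units so UTF-16 stays aligned.
            n = min(context * width, off) // width * width
            m = min(context * width, len(buf) - end) // width * width
            hits.append((off, enc,
                         printable(buf[off - n:off], enc),
                         printable(buf[end:end + m], enc)))
            start = off + 1
    return sorted(hits)

if __name__ == "__main__":
    for marker in ("testuser", "CCSF#"):
        for off, enc, before, after in find_marker(SAMPLE, marker):
            print(f"{marker!r} at 0x{off:06x} ({enc}): {before}[{marker}]{after}")
```

To use it on real data, read the saved region with `open(path, "rb").read()` and pass the bytes in place of `SAMPLE`.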
Posted 10-23-2021
Keeper added 11-3-22
Lastpass link fixed 11-29-22
Flag 2 changed 12-3-22