Registry (Smart City, 250p)

Now you must be a master of the Windows registry. A set of files was recovered from a backup of a Windows machine.
They are at registry.tar.xz.
You have to dig deep into the files and prove that you can process every piece of data that is in there.
The files can be broken or incomplete, but this just adds fun for a proper forensic engineer, right?
What is the SHA-256 hash of the registry cell that contains the value of HKLM\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse?
Submit the answer in hex-printed form, lower-case letters, without any separators.

solution

The archive contains Windows registry hives.

# tar -vtf registry.tar.xz
-rwxrwxr-x rainn/rainn 3932160 2021-09-30 13:21 DRIVERS
-rwxrwxr-x rainn/rainn   65536 2021-09-30 13:21 SAM
-rwxrwxr-x rainn/rainn   32768 2021-09-30 13:21 SECURITY
-rw-rw-r-- rainn/rainn 12518400 2021-09-30 13:21 SOFTWARE
-rw-rw-r-- rainn/rainn 10244096 2021-09-30 13:21 SYSTEM

Two of the hives, SOFTWARE and SYSTEM, are broken: they are missing the 4096-byte base block (the "regf" header), so file(1) does not recognise them.

# file DRIVERS SAM SECURITY SOFTWARE SYSTEM
DRIVERS:  MS Windows registry file, NT/2000 or above
SAM:      MS Windows registry file, NT/2000 or above
SECURITY: MS Windows registry file, NT/2000 or above
SOFTWARE: data
SYSTEM:   data

This can be fixed properly by building a header by hand from the Windows registry file format specification, or, as a quick win, by borrowing the header of one of the intact hives (e.g. prepending the DRIVERS header to SYSTEM). The quick win is not perfect: the borrowed header carries the wrong hive-bins size, sequence numbers and checksum, so some tools will report erroneous data, but at least some GUI and console tools will then open the hive and show its contents.
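The "proper" fix described above, as an added example that is not part of the original writeup: a headerless hive starts directly with the first hive bin ("hbin"), so a minimal regf base block can be synthesised in front of it. The field offsets follow the public regf format (signature, sequence numbers, version 1.5, root cell offset, hive-bins size, XOR-32 checksum at offset 508). The root cell offset of 0x20 and the sequence numbers are assumptions: the real values are lost with the original header, so a validating parser may still complain, but the checksum and hive-bins size will at least be self-consistent, unlike a grafted header from another hive. The sample hbin is constructed here for demonstration.

```python
import struct

HEADER_SIZE = 4096  # the regf base block is exactly one 4 KiB page
HBIN_SIZE = 4096    # hive bins are multiples of 4 KiB
HEADER_FMT = "<4sIIQIIIIIII"  # signature .. clustering factor, first 48 bytes


def regf_checksum(header: bytes) -> int:
    """XOR-32 over the first 508 bytes (127 dwords) of the base block."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        csum ^= dword
    # Special cases defined by the format: never store all-ones or zero.
    if csum == 0xFFFFFFFF:
        csum = 0xFFFFFFFE
    elif csum == 0:
        csum = 1
    return csum


def build_regf_header(hbins_size: int, root_cell_offset: int = 0x20,
                      name: str = "SYSTEM") -> bytes:
    """Synthesise a base block for a hive whose hive bins are hbins_size bytes long."""
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into(HEADER_FMT, hdr, 0,
                     b"regf",
                     1, 1,          # primary / secondary sequence (equal = clean, assumed)
                     0,             # last-written FILETIME: unknown, left zero
                     1, 5,          # major / minor format version
                     0, 1,          # file type (primary), file format (direct memory load)
                     root_cell_offset,  # assumed: root nk cell at hbin offset 0x20
                     hbins_size,
                     1)             # clustering factor
    hdr[48:112] = name.encode("utf-16-le")[:64].ljust(64, b"\x00")
    struct.pack_into("<I", hdr, 508, regf_checksum(bytes(hdr)))
    return bytes(hdr)


def header_fields(data: bytes) -> dict:
    """Decode the fields a practitioner checks first, plus whether the checksum verifies."""
    (sig, pri, sec, ts, major, minor, ftype, fmt,
     root, size, cluster) = struct.unpack_from(HEADER_FMT, data, 0)
    stored = struct.unpack_from("<I", data, 508)[0]
    return {"signature": sig, "primary_seq": pri, "secondary_seq": sec,
            "version": (major, minor), "root_cell_offset": root,
            "hbins_size": size, "checksum": stored,
            "checksum_ok": stored == regf_checksum(data[:HEADER_SIZE])}


def repair_hive(data: bytes) -> bytes:
    """Return data with a base block in front if it is missing one."""
    if data[:4] == b"regf":
        return data
    if data[:4] != b"hbin":
        raise ValueError("neither regf nor hbin at offset 0: not a hive fragment")
    return build_regf_header(len(data)) + data


def make_sample_hbin() -> bytes:
    """Constructed input: one empty hive bin with a valid 32-byte hbin header."""
    h = bytearray(HBIN_SIZE)
    # signature, offset of this bin, size, reserved(8), timestamp(8), spare
    struct.pack_into("<4sIIQQI", h, 0, b"hbin", 0, HBIN_SIZE, 0, 0, 0)
    return bytes(h)


if __name__ == "__main__":
    fixed = repair_hive(make_sample_hbin())
    print(header_fields(fixed))
```

Running the same `header_fields` over a hive with a grafted DRIVERS header shows why the quick win is lossy: `hbins_size` would be DRIVERS' value and `checksum_ok` would still be True, because the checksum only covers the copied header, not the hive it was attached to.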

That is enough to find that the value of HKLM\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse is 1 in the SYSTEM hive. This is where a pause was taken, as submitting the flag in various combinations did not lead anywhere.

Resuming the task and re-reading the task description countless times, an idea came to mind. Why does the flag need to be in SHA-256 format? That is usually meant for submitting binary data. The idea is to submit the raw binary registry cell in which HKLM\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse is stored, not the value itself.

Quickly re-reading the Windows registry file format specification on the cell format, extracting the raw binary cell (the 4-byte size field followed by the "vk" value-key record, 48 bytes in total), hashing it and submitting led to victory.

# hexdump -vC SYSTEM | grep -B2 -A2 LimitBlank
0007ad50  69 74 69 6e 67 00 00 00  d0 ff ff ff 76 6b 15 00  |iting.......vk..|
0007ad60  04 00 00 80 01 00 00 00  04 00 00 00 01 00 00 00  |................|
0007ad70  4c 69 6d 69 74 42 6c 61  6e 6b 50 61 73 73 77 6f  |LimitBlankPasswo|
0007ad80  72 64 55 73 65 00 00 00  e0 ff ff ff 76 6b 08 00  |rdUse.......vk..|
0007ad90  04 00 00 80 01 00 00 00  04 00 00 00 01 00 00 00  |................|
# echo 'd0 ff ff ff 76 6b 15 00 04 00 00 80 01 00 00 00  04 00 00 00 01 00 00 00 4c 69 6d 69 74 42 6c 61  6e 6b 50 61 73 73 77 6f  72 64 55 73 65 00 00 00' | xxd -r -p | sha256sum
a6b4328c8320288dcb199feaddcd0c15fa4766db029afca721b0d2116b11b38f  -

Flag is a6b4328c8320288dcb199feaddcd0c15fa4766db029afca721b0d2116b11b38f.
