Challenge

Forensics challenge at HackDay 2026. We get a Windows disk image and one hint: the home belongs to invited only.

Pretty straightforward hint: it points at user accounts and access control. First reflex: pull the credentials.

Dumping the live hive

We run secretsdump from Impacket against the SAM and SYSTEM hives copied out of Windows\System32\config on the image (the LOCAL target tells it to parse hive files instead of talking to a remote host):

secretsdump -sam SAM -system SYSTEM LOCAL
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled*:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
*disabled*:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ringbearer:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Every NT hash is 31d6cfe0d16ae931b73c59d7e0c089c0, the well-known MD4 of the empty string, i.e. an empty password (the LM half, aad3b435b51404eeaad3b435b51404ee, is the empty LM hash, so LM hashing is simply disabled). There is nothing to crack. The live hive is a dead end.

Finding the .bak files

Digging through the filesystem we find a folder /document/old/ with a bunch of .bak files. We run file on all of them to figure out what we're working with:

file *.bak
317f1e761f2faa8da781a4762b9dcc2c5cad209a.bak: MS Windows registry file, NT/2000 or above
8eec7bc461808e0b8a28783d0bec1a3a22eb0821.bak: MS Windows registry file, NT/2000 or above
c981d125d1a564c9f5738faff51d59d98711f145.bak: MS Windows registry file, NT/2000 or above
f16bed56189e249fe4ca8ed10a1ecae60e8ceac0.bak: MS Windows registry file, NT/2000 or above
f873f39163f5b43dbf1fee63cbce284074896221.bak: 7-zip archive data, version 0.4

Four Windows registry hives and one 7-zip archive, all renamed to hashes. A backup copy of the SAM hive carries the same credential data as the live one, just frozen at the moment the backup was taken, so accounts and passwords that were later changed or removed survive in it. Listing the archive with 7z l already shows flag.txt inside, which also tells us the archive was not created with encrypted headers (-mhe), only encrypted contents. That's the endgame. Now we need the password.

Dumping the backup SAM

The registry backups are exactly what we need. f16bed5... turns out to be the SAM backup and 317f1e7... the SYSTEM hive that goes with it. The account hashes in SAM are encrypted with a key derived from the boot key (syskey), which is assembled from the class names of the JD, Skew1, GBG and Data keys under ControlSet00x\Control\Lsa in the SYSTEM hive, so a SAM is only useful together with the SYSTEM hive it was taken with. We run secretsdump again against the backups:

secretsdump \
  -sam f16bed56189e249fe4ca8ed10a1ecae60e8ceac0.bak \
  -system 317f1e761f2faa8da781a4762b9dcc2c5cad209a.bak \
  LOCAL
Administrator:500:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
guest:501:aad3b435b51404eeaad3b435b51404ee:5591dab10212457bbce3c99927ed7bc0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:e5785e26e90569fee749be90b1c6a7a6:::
ringbearer:1001:aad3b435b51404eeaad3b435b51404ee:5e8a41106cf5fece3ab30d2f668c886f:::
gandalftw:1012:aad3b435b51404eeaad3b435b51404ee:98815f8c88e7b2dcf5603d14ef48f3f2:::
samwiseg:1013:aad3b435b51404eeaad3b435b51404ee:dcd99365563e67eb8fbe8c9d83b0ca6c:::
aragornii:1014:aad3b435b51404eeaad3b435b51404ee:9146cf0dfda2169b163869bedb8457ae:::
legolasg:1015:aad3b435b51404eeaad3b435b51404ee:91268860a660d8cff4aef11b6550c11e:::

Now we have real hashes. The user list looks like a full Lord of the Rings roster, which is very on theme for a challenge called Ringbearer. We start with guest since it was in the original dump too. Looking up 5591dab10212457bbce3c99927ed7bc0 on hashes.com (a lookup against precomputed hashes, not a crack) gives us youareinvited.

The challenge hint told us the archive password follows the format user@secret, so:

guest@youareinvited

Opening the archive with that password we find a note inside with one line:

“I Can’t Carry It For You… But I Can Carry You!”

That’s Sam Gamgee’s line from Return of the King, which maps straight to samwiseg in the dump. We throw dcd99365563e67eb8fbe8c9d83b0ca6c into hashes.com and get TheHelper. Same format as before:

samwiseg@TheHelper

Getting the flag

We open the 7-zip archive with the samwiseg credentials:

7z x f873f39163f5b43dbf1fee63cbce284074896221.bak -psamwiseg@TheHelper

flag.txt extracted. GG.