Forensic CTF Challenge

Bishal Aryal (Cisco)
5 min read, Mar 15, 2023


I would like to share my solution to a CTF challenge in the forensics category.

Challenge file: MemLabs_Lab1

Note: This challenge consists of 3 flags.

We will be using the following list of tools:

  1. Volatility
  2. file
  3. gimp
  4. Crack Station website

Volatility: with this tool we can examine a dump of a computer's volatile memory and determine whether the machine was infected. Using it, we can access data stored in the computer's RAM at capture time, such as the running processes, recently modified files, or the user's browsing history.

First, identify the system profile:

Run Volatility with -f pointing at your dump file and imageinfo as the plugin to use. We should obtain the following result:

We now know the operating system of the machine that generated this memory dump (Win7SP0x64). With the victim's operating system profile passed to Volatility (using the --profile=Win7SP0x64 option), we can begin our investigation and hopefully discover what actually happened.

First flag:

So, using the pslist plugin, let's check which processes were active.

Let's now look at the last commands run, using the cmdscan, consoles and cmdline plugins.

Using the cmdscan plugin we obtain the information shown in the screenshot.

Using the consoles plugin:

Data was present in the buffers found by the first two plugins: consoles (which collects command history by scanning for _CONSOLE_INFORMATION structures) and cmdscan (which extracts command history by scanning for _COMMAND_HISTORY structures).

There is base64-encoded text in the output next to St4G3$1, and decoding that base64 text gives us our first flag, as shown in the screenshot above.

Second flag:

The cmdline plugin also returned helpful data: it shows each process's command line together with its process ID, as shown in the screenshot below.

Next, we look at mspaint.exe, which has PID 2424. It seems interesting: if something was open in MS Paint while the memory was captured, we may get another flag. I want to start by dumping the process memory into a smaller file we can work with. To do this we use the following command, where -D is the directory in which to store the dump file and -p is the PID of mspaint:

Using the memdump plugin to extract the memory of mspaint.exe:

2424.dmp is the extracted dump file, but it is raw data rather than an image file. Changing the extension to .data lets us open it with GIMP as raw image data.

After some trial and error with different widths and offsets, I was able to reproduce a clean image. It was flipped, so I rotated it 180 degrees and then flipped it horizontally. There was our second flag, as seen in the screenshot above.
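What GIMP's raw import does here is reinterpret a slice of the dump as rows of pixels at a chosen width and offset. The added example below (my own illustration, not the author's steps or any lab data) does the same thing in code and writes a PPM you can open in any viewer, so the width/offset search can be scripted instead of clicked through. It assumes the bitmap is in Windows DIB layout, i.e. B,G,R[,A] bytes per pixel with rows stored bottom-up; that bottom-up storage is why the picture came out upside down, and rotating 180 degrees followed by a horizontal flip is exactly a vertical flip, which the bottom_up parameter applies directly. The sample buffer is constructed: 32 junk bytes, then a 4x2 BGRA image, then a few trailing bytes.

```python
from typing import Optional

# Constructed sample: a tiny 4x2 32-bit BGRA bitmap embedded at offset 32 in junk.
# In memory the first row is blue, the second red; because DIBs are bottom-up,
# the correct rendering shows red on top and blue underneath.
BLUE_BGRA = bytes((255, 0, 0, 255))
RED_BGRA = bytes((0, 0, 255, 255))
SAMPLE_DUMP = b"\x00" * 32 + BLUE_BGRA * 4 + RED_BGRA * 4 + b"\xcc" * 5


def raw_to_ppm(data: bytes, width: int, offset: int, height: Optional[int] = None,
               bpp: int = 4, bottom_up: bool = True) -> bytes:
    """Reinterpret data[offset:] as a width-wide BGR(A) bitmap and return a binary PPM (P6).

    offset   - where pixel data starts (GIMP's raw import calls this 'Offset')
    bpp      - bytes per pixel: 4 for 32-bit BGRA DIBs, 3 for 24-bit BGR
    bottom_up - Windows DIBs store the bottom image row first, so flip by default
    """
    if bpp not in (3, 4) or width <= 0 or offset < 0:
        raise ValueError("unsupported geometry")
    stride = width * bpp
    avail = len(data) - offset
    if height is None:
        height = avail // stride          # use as many full rows as the buffer holds
    if height <= 0 or avail < stride * height:
        raise ValueError("buffer too small for the requested width/offset/height")

    rows = []
    for r in range(height):
        row = data[offset + r * stride: offset + (r + 1) * stride]
        rgb = bytearray()
        for p in range(0, stride, bpp):
            b, g, red = row[p], row[p + 1], row[p + 2]   # DIB order is B,G,R[,A]
            rgb += bytes((red, g, b))                    # PPM wants R,G,B
        rows.append(bytes(rgb))
    if bottom_up:
        rows.reverse()
    header = b"P6\n%d %d\n255\n" % (width, height)
    return header + b"".join(rows)


def ppm_size(ppm: bytes):
    """Parse the width and height back out of a P6 header (used to sanity-check output)."""
    magic, dims, _maxval = ppm.split(b"\n", 3)[:3]
    if magic != b"P6":
        raise ValueError("not a binary PPM")
    w, h = dims.split()
    return int(w), int(h)


if __name__ == "__main__":
    # Typical use on a real dump: try a handful of plausible screen widths at the
    # same offset and look at each output file in a viewer.
    with open("2424.dmp", "rb") as fh:     # assumed filename from the write-up
        dump = fh.read()
    for width in (800, 1024, 1280, 1366, 1920):
        with open(f"candidate_{width}.ppm", "wb") as out:
            out.write(raw_to_ppm(dump, width=width, offset=0))
```

When a width is right the rows line up and recognisable shapes appear; a wrong width produces a sheared image, which is the same cue the author was looking for in GIMP. Set bottom_up=False if a candidate already renders the right way up, since not every pixel buffer in process memory is a DIB.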

Third flag:

We can then use Volatility to navigate the registry hives and print the contents of registry keys. The hivelist plugin lets us print the list of registry hives.

Now, with the virtual offsets of the SYSTEM and SAM hives, we can extract the hashes.

There were the Administrator login, the Guest login and the user login for Alissa Simpson.

Finally, we can crack the NTLM hash using the Crack Station website online or the hydra tool on Linux.

There was another process, winrar.exe, with PID 1512. Let's extract the command line used by winrar.exe with the cmdline plugin and grep.

Here we get the name of the RAR file, Important.rar. Next, we use the filescan plugin to get the physical offset of that file in memory. Now it is time to extract the file with the dumpfiles plugin, using one of those offsets as shown in the following screenshot.

After dumping the file, I used the file command to check the file type, and it reports RAR archive data. I changed the file extension to .rar and extracted it with the password, which reveals the next flag in flag3.png, as shown in the screenshot below.
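The file command identifies dumpfiles output by its leading magic bytes, and the same check can be run over a whole dump to find where archives and images sit before extracting anything. The added example below (my own, not part of the write-up) does that for the two types that matter here: it identifies a buffer by its RAR v4, RAR v5 or PNG signature, carves every occurrence of those signatures out of a larger buffer with offsets, and for a PNG reads the dimensions from the IHDR chunk after verifying the chunk CRC, so a truncated or partially overwritten carve is reported instead of trusted. The buffer it scans is constructed here from junk bytes, a RAR v4 signature and a minimal PNG header; no lab data is used.

```python
import struct
import zlib

SIGNATURES = {
    b"Rar!\x1a\x07\x00": "RAR archive (v4)",
    b"Rar!\x1a\x07\x01\x00": "RAR archive (v5)",
    b"\x89PNG\r\n\x1a\n": "PNG image",
}


def identify(data: bytes):
    """Return the type name if data starts with a known signature, else None (what `file` does)."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def carve(data: bytes):
    """Return sorted (offset, type) for every known signature anywhere in the buffer."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = 0
        while (pos := data.find(magic, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def png_dimensions(data: bytes):
    """Return (width, height) from a PNG's IHDR chunk, or None if the header or its CRC is bad."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n") or len(data) < 33:
        return None
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return None
    body = data[16:29]
    stored_crc = struct.unpack(">I", data[29:33])[0]
    if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:   # CRC covers type + data
        return None
    width, height = struct.unpack(">II", body[:8])
    return width, height


def make_png_header(width: int, height: int) -> bytes:
    """Build signature + IHDR for a constructed sample (8-bit RGB, no interlace)."""
    body = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    chunk = b"IHDR" + body
    return b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + chunk + struct.pack(">I", zlib.crc32(chunk) & 0xFFFFFFFF)


# Constructed sample buffer: junk, a RAR v4 signature, more junk, then a PNG header.
RAR_OFFSET = 24
PNG_OFFSET = RAR_OFFSET + 7 + 40
SAMPLE = (b"\x00" * RAR_OFFSET + b"Rar!\x1a\x07\x00" + b"\x41" * 40
          + make_png_header(640, 480) + b"\x00" * 8)

if __name__ == "__main__":
    for offset, kind in carve(SAMPLE):
        print(f"0x{offset:08x} {kind}")
        if kind == "PNG image":
            print("  dimensions:", png_dimensions(SAMPLE[offset:]))
```

On a real dumpfiles result, identify() on the first bytes replaces the rename-and-guess step, and carve() over the raw image itself lists candidate offsets to compare with what filescan reported.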

I hope you enjoyed my write-up. Don't forget to leave a comment below if you have any suggestions. Thank you!

Also follow me on twitter :) :> https://twitter.com/c15c01337
