MemLabs: Lab 1 - Beginner's Luck ("Easy")
29 June 2020
From https://github.com/stuxnet999/MemLabs: "MemLabs is an educational, introductory set of CTF-styled challenges which is aimed to encourage students, security researchers and also CTF players to get started with the field of Memory Forensics."
I'm a beginner when it comes to memory forensics; over the last few months I've been learning from online guides and CTFs. Below is a step-by-step write-up of how I completed Lab 1.
Challenge Description: "My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is to get all her important files from the system. From what we remember, we suddenly saw a black window pop up with something being executed. When the crash happened, she was trying to draw something. That's all we remember from the time of crash. Note: This challenge is composed of 3 flags."
I started by identifying which memory profile to use:
volatility.exe -f MemoryDump_Lab1.raw imageinfo
Which tells us that the suggested profiles are:
Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
Next, I looked at which processes were running.
volatility.exe -f MemoryDump_Lab1.raw --profile=Win7SP1x64 pslist
A couple of processes look interesting:
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start
0xfffffa8001010b30 WinRAR.exe 1512 2504 6 207 2 0 2019-12-11 14:37:23 UTC+0000
0xfffffa80022bab30 mspaint.exe 2424 604 6 128 1 0 2019-12-11 14:35:14 UTC+0000
The scenario mentions a black window popping up, which sounds like a command prompt, so I'm also interested in the output of the cmdline and consoles plugins.
volatility.exe -f MemoryDump_Lab1.raw --profile=Win7SP1x64 cmdline
One entry in particular looked interesting, especially given our interest in WinRAR.exe:
WinRAR.exe pid: 1512
Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Alissa Simpson\Documents\Important.rar"
The consoles command also provides some useful data:
volatility.exe -f MemoryDump_Lab1.raw --profile=Win7SP1x64 consoles
This snippet from the output appears to contain some base64-encoded data:
C:\Users\SmartNet>St4G3$1
ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0=
I decoded this with CyberChef which returned: flag{th1s_1s_th3_1st_st4g3!!}
Now, on to the interesting file “Important.rar”. I ran filescan and sent the output to a text file:
volatility.exe -f MemoryDump_Lab1.raw --profile=Win7SP1x64 filescan >filescan.txt
Searching within filescan.txt for "Important.rar" gives me its physical offset:
Offset(P) #Ptr #Hnd Access Name
0x000000003fa3ebc0 1 0 R--r-- \Device\HarddiskVolume2\Users\Alissa Simpson\Documents\Important.rar
I used dumpfiles with the offset shown above to extract the file:
volatility.exe -f MemoryDump_Lab1.raw --profile=Win7SP1x64 dumpfiles -D ./ExtractedFiles -Q 0x000000003fa3ebc0 -n
“Important.rar” contains a file “flag3.png” along with the text “Password is NTLM hash(in uppercase) of Alissa's account passwd.”
So, in order to find the NTLM hashes I need to know where the SAM and SYSTEM registry hives are. These can be found with the hivelist command:
volatility.exe -f MemoryDump_Lab1.raw --profile=Win7SP1x64 hivelist
Which returns the offsets of the hives:
Virtual Physical Name
0xfffff8a000024010 0x00000000276a4010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a0014e9010 0x000000001d7ed010 \SystemRoot\System32\Config\SAM
Now I can provide these offsets to the hashdump command:
volatility.exe -f MemoryDump_Lab1.raw --profile=Win7SP1x64 hashdump -y 0xfffff8a000024010 -s 0xfffff8a0014e9010
This returns hashes for all the users but I am only interested in Alissa’s:
Alissa Simpson:1003:aad3b435b51404eeaad3b435b51404ee:f4ff64c8baac57d22f22edc681055ba6:::
I used CyberChef to convert the NT hash (the fourth field) to uppercase and entered it as the archive password; flag3.png then opened and contains the text "flag{w311_3rd_stage_was_easy}":
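The two manual CyberChef steps above (decoding the console string and turning the hashdump line into the archive password) are easy to script when the Volatility output is saved to text files. The following is an added example, not code from the MemLabs project or the original write-up: it parses pwdump-format lines as printed by hashdump, marks whether a real LM hash is stored (the aad3b435... value is the well-known "empty LM" sentinel), derives the uppercase NT hash used as the RAR password, and decodes console tokens as base64 while rejecting ones such as St4G3$1 that are not base64 at all. The Alissa Simpson line is the one from the write-up; the Administrator line is constructed for illustration.

```python
import base64
import binascii
import re

# Well-known LM hash value meaning "no LM hash stored" (the default on Vista and later).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample in the user:rid:lmhash:nthash::: format that hashdump prints.
# The Alissa Simpson line is the real one from the write-up; the first line is made up.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Alissa Simpson:1003:aad3b435b51404eeaad3b435b51404ee:f4ff64c8baac57d22f22edc681055ba6:::
"""

HASH_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_hashdump(text):
    """Return {username: {rid, lm, nt, lm_stored}} for every well-formed hashdump line."""
    accounts = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if not m:
            continue  # headers, warnings or truncated lines are skipped
        lm = m["lm"].lower()
        accounts[m["user"]] = {
            "rid": int(m["rid"]),
            "lm": lm,
            "nt": m["nt"].lower(),
            "lm_stored": lm != EMPTY_LM,
        }
    return accounts


def archive_password(accounts, user):
    """The challenge says the RAR password is the NT hash in uppercase."""
    return accounts[user]["nt"].upper()


def decode_console_token(token):
    """Decode a token copied from the consoles output; None if it is not valid base64."""
    padded = token + "=" * (-len(token) % 4)  # restore padding lost to buffer truncation
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    accounts = parse_hashdump(SAMPLE_HASHDUMP)
    for user, info in accounts.items():
        print(user, "rid", info["rid"], "LM stored:", info["lm_stored"])
    print("RAR password:", archive_password(accounts, "Alissa Simpson"))
    for token in ("St4G3$1", "ZmxhZ3t0aDFzXzFzX3RoM18xc3Rfc3Q0ZzMhIX0="):
        print(token, "->", decode_console_token(token))
```

Run it against the real output by replacing SAMPLE_HASHDUMP with the contents of a file the hashdump plugin was redirected into; the regex ignores anything that is not a hash line, so the plugin's own header and warning lines do no harm.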
That still leaves stage 2. I suspected it had something to do with whatever was being drawn in mspaint.exe at the time of the crash. I had also processed the memory dump in AXIOM, so I extracted the memory associated with mspaint.exe (AXIOM applies the memdump command) and its open files (AXIOM applies the dumpfiles command). I ran these back through AXIOM in the hope that some relevant images would be carved, but didn't find anything. Since I was stuck, I started Googling and found this post by MalBot, who in turn had used a post by w00tsec to find the image needed. I suggest reading their posts for details of the method, but I was able to replicate it (with slightly different values for offset and width) and find the 2nd flag:
Importing the extracted mspaint.exe memory as a raw image with those values and flipping the image vertically gives the flag "flag{G00d_BOY_good_girL_}":
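The raw-image trick works because mspaint keeps its canvas in memory as an uncompressed GDI bitmap: pick a byte offset and a width, interpret what follows as rows of pixels, and flip the result because DIBs are stored bottom-up. The script below is an added example (not from the write-up or the posts it references) that does the same thing without an image editor: it carves a frame of 32-bit BGRA pixels from a memory buffer and writes it out as a PNG using only the standard library. The 4-bytes-per-pixel BGRA layout is an assumption that matches the usual Windows DIB format, and SAMPLE_RAW is a constructed buffer with a 4x3 frame at offset 64 rather than real dump data; in practice you would read the memdump output and iterate over offset and width until the canvas comes into view.

```python
import struct
import zlib

# Constructed sample: 64 bytes of padding, then a 4x3 BGRA frame stored bottom-up
# (row 0 in memory is the bottom of the picture), then some trailing bytes.
ROW_RED = bytes([0x00, 0x00, 0xFF, 0xFF]) * 4    # B G R A per pixel
ROW_GREEN = bytes([0x00, 0xFF, 0x00, 0xFF]) * 4
ROW_BLUE = bytes([0xFF, 0x00, 0x00, 0xFF]) * 4
SAMPLE_RAW = b"\x00" * 64 + ROW_RED + ROW_GREEN + ROW_BLUE + b"\x00" * 16


def carve_bgra_frame(raw, offset, width, height=None, bpp=4, flip=True):
    """Interpret raw[offset:] as packed BGRA rows and return a list of rows of (r, g, b).

    height defaults to as many full rows as the buffer holds; flip=True turns the
    bottom-up DIB order into normal top-down image order.
    """
    stride = width * bpp
    if height is None:
        height = (len(raw) - offset) // stride
    if height <= 0 or offset + stride * height > len(raw):
        raise ValueError("no complete %dx%d frame at offset %#x" % (width, height, offset))
    rows = []
    for y in range(height):
        start = offset + y * stride
        row = []
        for x in range(width):
            b, g, r = raw[start + x * bpp:start + x * bpp + 3]  # alpha byte ignored
            row.append((r, g, b))
        rows.append(row)
    if flip:
        rows.reverse()
    return rows


def write_png(rows):
    """Encode rows of (r, g, b) tuples as an 8-bit RGB PNG (standard library only)."""
    height, width = len(rows), len(rows[0])

    def chunk(tag, data):
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)

    # Each scanline is prefixed with filter type 0 (no filtering).
    scanlines = b"".join(b"\x00" + bytes(c for px in row for c in px) for row in rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit, colour type RGB
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b""))


def png_dimensions(png):
    """Read (width, height) back from the IHDR chunk."""
    return struct.unpack(">II", png[16:24])


if __name__ == "__main__":
    frame = carve_bgra_frame(SAMPLE_RAW, offset=64, width=4, height=3)
    with open("carved.png", "wb") as fh:
        fh.write(write_png(frame))
    print("wrote carved.png", png_dimensions(write_png(frame)))
```

Because the canvas is bottom-up, the blue row that sits last in memory becomes the top of the output image, which is exactly why the image in the write-up needed flipping. Guessing the width wrong produces the same diagonal shearing that the GIMP approach shows, so the loop over candidate widths is the same whether you use this script or an image editor.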
Summary of flags:
- flag{th1s_1s_th3_1st_st4g3!!}
- flag{G00d_BOY_good_girL_}
- flag{w311_3rd_stage_was_easy}