MemLabs: Lab 2 – A New World (“Easy”)
29 June 2020
From https://github.com/stuxnet999/MemLabs: "MemLabs is an educational, introductory set of CTF-styled challenges which is aimed to encourage students, security researchers and also CTF players to get started with the field of Memory Forensics."
I'm a beginner when it comes to memory forensics; over the last few months I've been learning from online guides and CTFs. Below is a step-by-step write-up of how I completed Lab 2.
Challenge Description: “One of the clients of our company, lost the access to his system due to an unknown error. He is supposedly a very popular "environmental" activist. As a part of the investigation, he told us that his go to applications are browsers, his password managers etc. We hope that you can dig into this memory dump and find his important stuff and give it back to us. Note: This challenge is composed of 3 flags.”
I started by identifying which memory profile to use:
volatility.exe -f MemoryDump_Lab2.raw imageinfo
Which tells us that the suggested profiles are:
Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
Since “environmental” is in quotation marks in the scenario, I ran envars to list the environment variables of each process:
volatility.exe -f MemoryDump_Lab2.raw --profile=Win7SP1x64 envars
The output contains a value that looks base64 encoded, in the NEW_TMP variable of csrss.exe (PID 320):
320 csrss.exe 0x0000000000481320 NEW_TMP C:\Windows\ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9
Using CyberChef I decoded “ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9” from Base64 to give: “flag{w3lc0m3_T0_$T4g3_!_Of_L4B_2}”
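Decoding one value by hand in CyberChef is fine for a lab, but on a real dump envars prints hundreds of rows, so the triage I would actually script is "find every base64-looking value and show the ones that decode to printable text". The helper below is an added example (my own code, not part of the original write-up or the MemLabs project); the envars rows it parses are constructed to match the Volatility 2 column layout, with only the NEW_TMP row taken from the output quoted above.

```python
import base64
import re

# Constructed sample in the layout of Volatility 2 "envars" output (Pid, Process, Block, Variable, Value).
# Only the NEW_TMP row reproduces the value quoted in the write-up; the other rows are made up.
SAMPLE_ENVARS = """\
Pid      Process              Block              Variable                       Value
------------------------------------------------------------------------------------------
     320 csrss.exe            0x0000000000481320 NEW_TMP                        C:\\Windows\\ZmxhZ3t3M2xjMG0zX1QwXyRUNGczXyFfT2ZfTDRCXzJ9
     320 csrss.exe            0x0000000000481320 Path                           C:\\Windows\\system32;C:\\Windows
    2096 cmd.exe              0x0000000000201320 PROMPT                         $P$G
"""

# One envars row: pid, process, block address, variable name, then the value (which may contain spaces).
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(\S+)\s+(.*)$")

# A base64 candidate: 16 or more characters from the base64 alphabet plus optional padding.
# Short tokens like "Windows" or "system32" are skipped to keep the false-positive rate down.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_candidates(text):
    """Return (pid, process, variable, token, decoded) for each base64-looking token
    in an envars listing whose decoded bytes are entirely printable ASCII."""
    hits = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator, or an unparseable line
        pid, proc, _block, var, value = m.groups()
        for token in B64_RE.findall(value):
            # Re-pad to a multiple of 4 so tokens with stripped "=" still decode.
            padded = token + "=" * (-len(token) % 4)
            try:
                raw = base64.b64decode(padded, validate=True)
            except ValueError:
                continue  # not valid base64 after all
            if raw and all(32 <= b < 127 for b in raw):
                hits.append((int(pid), proc, var, token, raw.decode("ascii")))
    return hits


if __name__ == "__main__":
    # Feed it real output with: volatility.exe ... envars > envars.txt, then open("envars.txt").read()
    for pid, proc, var, token, decoded in decode_candidates(SAMPLE_ENVARS):
        print(f"pid {pid} {proc} {var}: {token} -> {decoded}")
```

The printable-ASCII check is what makes this usable: plenty of legitimate values (paths, GUIDs) happen to be valid base64, but they decode to binary noise, while a planted string decodes to readable text.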
Looking at running processes with pslist gives us a few further leads to follow:
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start
0xfffffa80022e5950 cmd.exe 2096 2664 1 19 2 0 2019-12-14 10:36:35 UTC+0000
0xfffffa800224a8c0 KeePass.exe 3008 1064 12 316 1 0 2019-12-14 10:37:56 UTC+0000
0xfffffa80011956a0 notepad.exe 3260 3180 1 61 1 0 2019-12-14 10:38:20 UTC+0000
0xfffffa8002109b30 chrome.exe 2296 2664 27 658 2 0 2019-12-14 10:36:45 UTC+0000
0xfffffa8001cc7a90 chrome.exe 2304 2296 8 71 2 0 2019-12-14 10:36:45 UTC+0000
0xfffffa8000eea7a0 chrome.exe 2476 2296 2 55 2 0 2019-12-14 10:36:46 UTC+0000
0xfffffa8000ea2b30 chrome.exe 2964 2296 13 295 2 0 2019-12-14 10:36:47 UTC+0000
0xfffffa8000fae6a0 chrome.exe 2572 2296 8 177 2 0 2019-12-14 10:36:56 UTC+0000
0xfffffa800230eb30 chrome.exe 1632 2296 14 219 2 0 2019-12-14 10:37:12 UTC+0000
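The pslist rows above are easier to reason about as a parent/child tree than as a flat table, and building that tree is something I end up doing on every dump, so here is an added example of doing it in Python (my own code, not from the original write-up or the MemLabs project). The input is constructed from exactly the nine rows quoted above in the Volatility 2 pslist layout; with a full listing, the "orphan" roots would normally resolve to their real parents.

```python
import re
from collections import defaultdict

# Constructed from the pslist rows quoted in the write-up (a subset of the full listing),
# laid out in the Volatility 2 pslist column format.
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa80022e5950 cmd.exe                2096   2664      1       19      2      0 2019-12-14 10:36:35 UTC+0000
0xfffffa800224a8c0 KeePass.exe            3008   1064     12      316      1      0 2019-12-14 10:37:56 UTC+0000
0xfffffa80011956a0 notepad.exe            3260   3180      1       61      1      0 2019-12-14 10:38:20 UTC+0000
0xfffffa8002109b30 chrome.exe             2296   2664     27      658      2      0 2019-12-14 10:36:45 UTC+0000
0xfffffa8001cc7a90 chrome.exe             2304   2296      8       71      2      0 2019-12-14 10:36:45 UTC+0000
0xfffffa8000eea7a0 chrome.exe             2476   2296      2       55      2      0 2019-12-14 10:36:46 UTC+0000
0xfffffa8000ea2b30 chrome.exe             2964   2296     13      295      2      0 2019-12-14 10:36:47 UTC+0000
0xfffffa8000fae6a0 chrome.exe             2572   2296      8      177      2      0 2019-12-14 10:36:56 UTC+0000
0xfffffa800230eb30 chrome.exe             1632   2296     14      219      2      0 2019-12-14 10:37:12 UTC+0000
"""

# Offset, name, PID, PPID, threads, handles, session, Wow64, then the three-token start time.
ROW_RE = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+ \S+ \S+)"
)


def parse_pslist(text):
    """Map PID -> {name, ppid, session, start} for every parseable pslist row."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        offset, name, pid, ppid, _thds, _hnds, sess, _wow64, start = m.groups()
        procs[int(pid)] = {"name": name, "ppid": int(ppid), "session": int(sess),
                           "start": start, "offset": offset}
    return procs


def children_of(procs):
    """Map PPID -> list of child PIDs."""
    kids = defaultdict(list)
    for pid, p in procs.items():
        kids[p["ppid"]].append(pid)
    return kids


def orphans(procs):
    """PIDs whose parent is absent from the listing: the parent exited, was hidden,
    or (as here) the listing is only an excerpt. These become the tree roots."""
    return sorted(pid for pid, p in procs.items() if p["ppid"] not in procs)


def render_tree(procs):
    """Indented parent/child view, children ordered by start time."""
    kids = children_of(procs)
    lines = []

    def walk(pid, depth):
        p = procs[pid]
        lines.append(f"{'  ' * depth}{p['name']} (pid {pid}, ppid {p['ppid']}, "
                     f"session {p['session']}, started {p['start']})")
        for child in sorted(kids[pid], key=lambda c: procs[c]["start"]):
            walk(child, depth + 1)

    for root in orphans(procs):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(parse_pslist(SAMPLE_PSLIST)))
```

Two things the tree makes visible that the flat table hides: cmd.exe (2096) and the chrome.exe browser process (2296) share the same parent (PPID 2664) and the same session (2), while KeePass.exe and notepad.exe sit in session 1 under different parents. That pairing is why cmd.exe and the Chrome history were worth checking together.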
Since cmd.exe is running, I started by looking at it. cmdscan output included “Cmd #0 @ 0x3db330: Nothing here kids :)” and consoles returned nothing of interest. The cmdline output was more useful:
volatility.exe -f MemoryDump_Lab2.raw --profile=Win7SP1x64 cmdline
This contained some references to “Hidden.kdbx”:
************************************************************************
KeePass.exe pid: 3008
Command line : "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" "C:\Users\SmartNet\Secrets\Hidden.kdbx"
************************************************************************
notepad.exe pid: 3260
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\SmartNet\Secrets\Hidden.kdbx
I ran the filescan command and sent the output to a text file:
volatility.exe -f MemoryDump_Lab2.raw --profile=Win7SP1x64 filescan > filescan.txt
Searching for “Hidden.kdbx” within filescan.txt gives me the offset of the file:
Offset(P) #Ptr #Hnd Access Name
0x000000003fb112a0 16 0 R--r-- \Device\HarddiskVolume2\Users\SmartNet\Secrets\Hidden.kdbx
Then I used this offset to extract the file using dumpfiles:
volatility.exe -f MemoryDump_Lab2.raw --profile=Win7SP1x64 dumpfiles -D ./KeePass -Q 0x000000003fb112a0 -n
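Searching filescan.txt by hand and copying offsets into dumpfiles commands works for two files, but it gets error-prone quickly (a mistyped offset silently dumps the wrong object). This added example (my own code, not from the original write-up or the MemLabs project) parses the filescan output, filters it by a case-insensitive regex, and prints the dumpfiles command for each match. The filescan excerpt is constructed: the Hidden.kdbx row and the Password.png path are the ones quoted here, while the other offsets are placeholders rather than values from the dump.

```python
import re

# Constructed excerpt in the layout of Volatility 2 "filescan" output. The Hidden.kdbx row
# (offset 0x000000003fb112a0) and the Password.png path come from the write-up; the other two
# offsets are placeholders, not values taken from the dump.
SAMPLE_FILESCAN = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003fb112a0     16      0 R--r-- \\Device\\HarddiskVolume2\\Users\\SmartNet\\Secrets\\Hidden.kdbx
0x00000000aaaaaaa0      2      0 R--r-d \\Device\\HarddiskVolume2\\Users\\Alissa Simpson\\Pictures\\Password.png
0x00000000bbbbbbb0     16      0 R--r-- \\Device\\HarddiskVolume2\\Windows\\System32\\ntdll.dll
"""

# Physical offset, pointer count, handle count, six-character access string, then the path
# (which may contain spaces, e.g. "Alissa Simpson").
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S{6})\s+(.*\S)\s*$")


def parse_filescan(text):
    """Return one dict per FILE_OBJECT row in a filescan listing."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            offset, ptr, hnd, access, name = m.groups()
            entries.append({"offset": offset, "ptr": int(ptr), "hnd": int(hnd),
                            "access": access, "name": name})
    return entries


def find_files(entries, pattern):
    """Case-insensitive regex search over the path column (filescan preserves the on-disk
    casing, which is why "password.png" and "Password.png" must both match)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e for e in entries if rx.search(e["name"])]


def dumpfiles_commands(matches, image="MemoryDump_Lab2.raw", profile="Win7SP1x64", outdir="./dump"):
    """Build a dumpfiles command per match; -Q selects the object by physical offset and
    -n keeps the original file name in the output path."""
    return [f"volatility.exe -f {image} --profile={profile} dumpfiles -D {outdir} -Q {m['offset']} -n"
            for m in matches]


if __name__ == "__main__":
    # On a real case: entries = parse_filescan(open("filescan.txt").read())
    entries = parse_filescan(SAMPLE_FILESCAN)
    for cmd in dumpfiles_commands(find_files(entries, r"\.(kdbx|png)$"), outdir="./extracted"):
        print(cmd)
```

Note that a matching row with #Hnd 0 and a low #Ptr only means the FILE_OBJECT is still resident, not that its contents are fully cached; dumpfiles can come back with a partial or empty file, which is exactly why checking the dumped size before trying to open it in KeePass saves time.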
.kdbx files are the encrypted databases KeePass uses to store a user’s passwords. I downloaded KeePass, which will open the file but requires the master password to do so.
Looking through filescan.txt I also noticed “Password.png” (\Device\HarddiskVolume2\Users\Alissa Simpson\Pictures\Password.png) and extracted it the same way. The picture shows a password in the bottom-right corner.
This allowed me to open “Hidden.kdbx” and copy out the password stored for the username “Flag”, which was “flag{w0w_th1s_1s_Th3_SeC0nD_ST4g3_!!}”.
Since browsers were specifically mentioned in the initial scenario, I turned my attention to Chrome for the final flag. I searched filescan.txt for Chrome data and found “\Device\HarddiskVolume2\Users\SmartNet\AppData\Local\Google\Chrome\User Data\Default\History”. I used dumpfiles to extract this file using its offset from filescan.txt and, since the History file is an SQLite database, opened it with DB Browser for SQLite. In the urls table I noticed a MEGA link.
This link hosts “Important.zip” which contains “Important.png” and the text “Password is SHA1 (stage-3-FLAG) from Lab-1 (lowercase)”.
The stage 3 flag from Lab 1 was “flag{w311_3rd_stage_was_easy}”, so I put this into CyberChef to calculate the SHA1, which was 6045dd90029719a039fd2d2ebcca718439dd100a. Using this as the archive password gives “Important.png”, which contains the text “flag{oK_So_Now_st4g3_3_is_DoNE!!}”.
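DB Browser is enough to spot one URL, but when I want the browsing history on a timeline next to the pslist start times I script it, because Chrome does not store Unix timestamps: last_visit_time in the urls table is microseconds since 1601-01-01 UTC (the Windows FILETIME epoch), and reading it as a Unix time puts every visit centuries off. The following is an added example (my own code, not part of the original write-up or the MemLabs project) that does the conversion and lists the urls table. It builds a constructed in-memory History database with the relevant columns of Chrome’s urls schema; the rows, including the MEGA URL, are placeholders and not the entries from the dump.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chrome stores last_visit_time as microseconds since 1601-01-01 00:00:00 UTC (the Windows
# FILETIME epoch), not as a Unix timestamp, so values must be converted before they can be
# compared with the UTC start times in pslist.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_datetime(us):
    """Chrome/WebKit microsecond timestamp -> timezone-aware UTC datetime."""
    return CHROME_EPOCH + timedelta(microseconds=int(us))


def datetime_to_chrome_time(dt):
    """UTC datetime -> Chrome microsecond timestamp. Integer division keeps full
    microsecond precision; a float would round at roughly 1e16."""
    return (dt - CHROME_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Constructed in-memory History database with the columns of Chrome's urls table that are
    queried below. Both rows are made up for this example; the MEGA URL is a placeholder and
    not the link recovered from the dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, "
        "visit_count INTEGER DEFAULT 0, typed_count INTEGER DEFAULT 0, "
        "last_visit_time INTEGER NOT NULL, hidden INTEGER DEFAULT 0)"
    )
    rows = [
        ("https://www.google.com/search?q=keepass", "keepass - Google Search", 2, 1,
         datetime_to_chrome_time(datetime(2019, 12, 14, 10, 37, 0, tzinfo=timezone.utc))),
        ("https://mega.nz/#!PLACEHOLDER_NOT_FROM_DUMP", "MEGA", 1, 0,
         datetime_to_chrome_time(datetime(2019, 12, 14, 10, 37, 30, tzinfo=timezone.utc))),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, last_visit_time) VALUES (?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def list_urls(conn, host_filter=None):
    """Return urls rows ordered by last visit, optionally restricted to hosts containing host_filter.
    Works unchanged on a real extracted History file opened with sqlite3.connect(path)."""
    out = []
    for url, title, visits, ts in conn.execute(
            "SELECT url, title, visit_count, last_visit_time FROM urls"):
        host = urlparse(url).hostname or ""
        if host_filter and host_filter not in host:
            continue
        out.append({"url": url, "title": title, "visits": visits, "raw_time": ts,
                    "last_visit": chrome_time_to_datetime(ts)})
    return sorted(out, key=lambda r: r["last_visit"])


if __name__ == "__main__":
    # Replace build_sample_history() with sqlite3.connect("History") to run against a dumped file.
    for row in list_urls(build_sample_history()):
        print(row["last_visit"].isoformat(), row["visits"], row["url"])
```

One practical caveat when doing this on a dumped History file: the copy recovered from memory can be a partial page-cache image, so sqlite3 may report the database as malformed; if that happens, the visits and urls tables are often still readable with a simple SELECT, and the timestamp conversion above is what lets you line those visits up with the 10:36–10:38 UTC process start times from pslist.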
Summary of flags:
- flag{w3lc0m3_T0_$T4g3_!_Of_L4B_2}
- flag{w0w_th1s_1s_Th3_SeC0nD_ST4g3_!!}
- flag{oK_So_Now_st4g3_3_is_DoNE!!}