MemLabs: Lab 3 – The Evil’s Den (“Easy-Medium”)

29 June 2020


From https://github.com/stuxnet999/MemLabs: "MemLabs is an educational, introductory set of CTF-styled challenges which is aimed to encourage students, security researchers and also CTF players to get started with the field of Memory Forensics."

I'm a beginner when it comes to memory forensics; over the last few months I've been learning from online guides and CTFs. Below is a step-by-step write-up of how I completed Lab 3.

Challenge Description: “A malicious script encrypted a very secret piece of information I had on my system. Can you recover the information for me please? Note: This challenge is composed of only 1 flag and split into 2 parts. Hint: You'll need the first half of the flag to get the second. You will need this additional tool to solve the challenge [$ sudo apt install steghide]. The flag format for this lab is: inctf{s0me_l33t_Str1ng}.” 

I started by identifying which memory profile to use:

volatility.exe -f MemoryDump_Lab3.raw imageinfo

This reports the suggested profiles as Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000 and Win7SP1x86. I had a few issues choosing the correct profile here, which I suspect were user error rather than part of the challenge. I ended up using Win7SP0x86, which seemed to work well.

pslist doesn’t show anything immediately suspicious. I thought the two notepad processes might be worth looking into later:

Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
0x9c6b0970 notepad.exe            3736   5300      1       60      1      0 2018-09-30 09:47:49 UTC+0000
0x8443d3c0 notepad.exe            3432   5300      1       60      1      0 2018-09-30 09:47:50 UTC+0000

Looking at the command lines identifies two files of interest and shows why notepad was open:

volatility.exe -f MemoryDump_Lab3.raw --profile=Win7SP0x86 cmdline

Snippet of results:

************************************************************************
notepad.exe pid:   3736
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\hello\Desktop\evilscript.py
************************************************************************
notepad.exe pid:   3432
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\hello\Desktop\vip.txt

I ran filescan and sent the results to a text file: 

volatility.exe -f MemoryDump_Lab3.raw --profile=Win7SP0x86 filescan > filescan.txt 

Searching filescan.txt for “evilscript.py” and “vip.txt” provides their physical offsets (note that the script is actually named evilscript.py.py on disk):

Offset(P)            #Ptr   #Hnd Access Name
0x000000003de1b5f0      8      0 R--rw- \Device\HarddiskVolume2\Users\hello\Desktop\evilscript.py.py
0x000000003e727e50      8      0 -W-rw- \Device\HarddiskVolume2\Users\hello\Desktop\vip.txt

These offsets can then be passed to dumpfiles with -Q to extract the files into the ./Notable directory:

volatility.exe -f MemoryDump_Lab3.raw --profile=Win7SP0x86 dumpfiles -D ./Notable -Q 0x000000003de1b5f0 -n

volatility.exe -f MemoryDump_Lab3.raw --profile=Win7SP0x86 dumpfiles -D ./Notable -Q 0x000000003e727e50 -n

The content of “vip.txt” is “am1gd2V4M20wXGs3b2U=”. Decoding this from base64 gives “jm`wex3m0\k7oe”, which is not immediately useful on its own.

On to “evilscript.py.py”. This contained the following Python script:

 

I can see that this script writes to “vip.txt”, but to work out what else it does I needed to look up some of the functions:

  • sys.argv[1] is the first command line argument passed to the script
  • ord() returns the integer Unicode code point of the one-character string provided, e.g. ord('a') = 97
  • chr() returns the one-character string whose Unicode code point is the integer provided, e.g. chr(ord('a')) = 'a'
  • the ^ operator is XOR

So, what this script does is:

  • Take the command line argument
  • XOR each character with 3
  • Base64 encode the result
  • Write the output into “vip.txt”

Since I know that “vip.txt” contains “am1gd2V4M20wXGs3b2U=”, I can perform the reverse operations in CyberChef (base64 decode, then XOR with 3) and recover the first half of the flag: inctf{0n3_h4lf
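The page does not reproduce evilscript.py.py itself, so as an added example (my own code, written from the four steps above rather than copied from the challenge) here is a re-implementation of the script's transformation together with its inverse, applied to the recovered vip.txt content. Because XOR with a fixed byte is its own inverse, the "encryption" is undone by base64-decoding and XORing with the same key again.

```python
import base64
import sys

# The write-up's analysis: each character is XORed with the constant 3.
KEY = 3

# Constructed input: the exact string recovered from vip.txt in the write-up.
VIP_TXT = "am1gd2V4M20wXGs3b2U="


def evil_encode(secret: str) -> str:
    """Forward transform attributed to evilscript.py.py:
    XOR every character with KEY, then base64-encode the bytes."""
    xored = bytes(ord(c) ^ KEY for c in secret)
    return base64.b64encode(xored).decode("ascii")


def base64_layer(vip_contents: str) -> str:
    """Peel off only the base64 layer; this is the 'jm`wex3m0\\k7oe'
    intermediate that looks like garbage until the XOR is reversed."""
    return base64.b64decode(vip_contents).decode("latin-1")


def evil_decode(vip_contents: str) -> str:
    """Inverse transform: base64-decode, then XOR each byte with KEY again.
    A single-byte XOR key offers no secrecy: the same operation undoes it."""
    raw = base64.b64decode(vip_contents)
    return "".join(chr(b ^ KEY) for b in raw)


if __name__ == "__main__":
    # With an argument, behave like the original script (minus the file write);
    # without one, recover the first half of the flag from vip.txt.
    if len(sys.argv) > 1:
        print(evil_encode(sys.argv[1]))
    else:
        half = evil_decode(VIP_TXT)
        print(half)  # inctf{0n3_h4lf
        # Round-trip check: re-encoding the plaintext reproduces vip.txt exactly.
        assert evil_encode(half) == VIP_TXT
```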

 

To find the second half of the flag I needed steghide, as the challenge description advises. Steghide supports JPEG, BMP, WAV and AU files, so I searched filescan.txt for those extensions. The following file was notable:

Offset(P)            #Ptr   #Hnd Access Name
0x0000000004f34148      2      0 RW---- \Device\HarddiskVolume2\Users\hello\Desktop\suspision1.jpeg

I extracted this file using dumpfiles with the offset above:

volatility.exe -f MemoryDump_Lab3.raw --profile=Win7SP0x86 dumpfiles -D ./Steg -Q 0x0000000004f34148 -n

I then ran steghide against it, entering the first half of the flag as the passphrase when prompted:

steghide extract -sf "<filepath>\MemLabs CTFs\Lab3\Steg\file.None.0x843fcf38.suspision1.jpeg.dat.jpeg"

This produces a file called “secret text” containing the second half of the flag: “_1s_n0t_3n0ugh}”

Summary of flags: 

  • inctf{0n3_h4lf 
  • _1s_n0t_3n0ugh}
