MemLabs: Lab 3 – The Evil’s Den (“Easy-Medium”)
29 June 2020
From https://github.com/stuxnet999/MemLabs: "MemLabs is an educational, introductory set of CTF-styled challenges which is aimed to encourage students, security researchers and also CTF players to get started with the field of Memory Forensics."
I'm a beginner when it comes to memory forensics; over the last few months I've been learning from online guides and CTFs. Below is a step-by-step write-up of how I completed Lab 3.
Challenge Description: “A malicious script encrypted a very secret piece of information I had on my system. Can you recover the information for me please? Note: This challenge is composed of only 1 flag and split into 2 parts. Hint: You'll need the first half of the flag to get the second. You will need this additional tool to solve the challenge [$ sudo apt install steghide]. The flag format for this lab is: inctf{s0me_l33t_Str1ng}.”
I started by identifying which memory profile to use:
volatility.exe -f MemoryDump_Lab3.raw imageinfo
This tells us that the suggested profiles are Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000 and Win7SP1x86. I had a few issues choosing the correct profile here, which I suspect were user error rather than part of the challenge. I ended up using Win7SP0x86, which seemed to work well.
pslist doesn’t show anything immediately suspicious. I thought the two notepad processes might be worth looking into later:
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start
0x9c6b0970 notepad.exe 3736 5300 1 60 1 0 2018-09-30 09:47:49 UTC+0000
0x8443d3c0 notepad.exe 3432 5300 1 60 1 0 2018-09-30 09:47:50 UTC+0000
Looking at the command line usage identifies 2 files of interest and indicates why notepad may have been open:
volatility.exe -f MemoryDump_Lab3.raw --profile=Win7SP0x86 cmdline
Snippet of results:
************************************************************************
notepad.exe pid: 3736
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\hello\Desktop\evilscript.py
************************************************************************
notepad.exe pid: 3432
Command line : "C:\Windows\system32\NOTEPAD.EXE" C:\Users\hello\Desktop\vip.txt
I ran filescan and sent the results to a text file:
volatility.exe -f MemoryDump_Lab3.raw --profile=Win7SP0x86 filescan > filescan.txt
Searching filescan.txt for “evilscript.py” and “vip.txt” provides their offsets:
Offset(P) #Ptr #Hnd Access Name
0x000000003de1b5f0 8 0 R--rw- \Device\HarddiskVolume2\Users\hello\Desktop\evilscript.py.py
0x000000003e727e50 8 0 -W-rw- \Device\HarddiskVolume2\Users\hello\Desktop\vip.txt
These offsets can then be used with dumpfiles to extract the files:
volatility.exe -f MemoryDump_Lab3.raw --profile=Win7SP0x86 dumpfiles -D ./Notable -Q 0x000000003de1b5f0 -n
volatility.exe -f MemoryDump_Lab3.raw --profile=Win7SP0x86 dumpfiles -D ./Notable -Q 0x000000003e727e50 -n
The contents of “vip.txt” are “am1gd2V4M20wXGs3b2U=”. Decoding this from base64 gives “jm`wex3m0\k7oe”, which is not immediately useful.
On to “evilscript.py.py”. This contained the following python script:
I can see that this script is writing to “vip.txt” but to work out what else it is doing I needed to Google some of the functions:
- sys.argv[1] is the first command line argument passed to the script
- ord() returns the integer Unicode code point of the one-character string provided, e.g. ord('a') = 97
- chr() returns the one-character string whose Unicode code point is the integer provided, e.g. chr(ord('a')) = 'a'
- the ^ operator is bitwise XOR
So, what this script is doing is:
- Take command line argument
- XOR each character with 3
- Base64 encode the result
- Write the output into “vip.txt”
Since I know that “vip.txt” contains “am1gd2V4M20wXGs3b2U=” I can perform the reverse actions in CyberChef and find the flag “inctf{0n3_h4lf”:
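The same reversal done in Python instead of CyberChef, as an added example (this is not the challenge's evilscript.py, which is not reproduced here). It assumes only what the write-up states about the script: each character of the argument is XORed with 3 and the result is base64-encoded. Because XOR with a fixed key is its own inverse, decoding is base64-decode followed by the same XOR, and re-encoding the recovered text is used as a check that the decoder is an exact inverse.

```python
import base64

# XOR key used by the challenge's evilscript.py, as described in the write-up.
XOR_KEY = 3

# Contents of vip.txt as recovered from the memory dump (taken from the write-up).
VIP_TXT = "am1gd2V4M20wXGs3b2U="


def encode_like_evilscript(plaintext: str) -> str:
    """Forward transform described above: XOR each character with the key,
    then base64-encode the bytes. Used here only to confirm the decoder
    below is an exact inverse."""
    xored = bytes(ord(c) ^ XOR_KEY for c in plaintext)
    return base64.b64encode(xored).decode("ascii")


def decode_vip_txt(b64_text: str) -> str:
    """Reverse the script: base64-decode, then XOR every byte with the key.
    validate=True rejects input that is not clean base64 rather than
    silently dropping characters."""
    raw = base64.b64decode(b64_text, validate=True)
    return "".join(chr(b ^ XOR_KEY) for b in raw)


def main() -> None:
    # Intermediate value, i.e. the plain base64 decode on its own.
    intermediate = base64.b64decode(VIP_TXT).decode("latin-1")
    print("base64-decoded :", intermediate)      # jm`wex3m0\k7oe
    flag_part = decode_vip_txt(VIP_TXT)
    print("after XOR 3    :", flag_part)         # inctf{0n3_h4lf
    # Round trip: re-encoding the recovered text must reproduce vip.txt exactly.
    assert encode_like_evilscript(flag_part) == VIP_TXT


if __name__ == "__main__":
    main()
```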
To find the next flag I expected to need Steghide, as advised in the challenge description. Steghide supports JPEG, BMP, WAV and AU files, so I searched filescan.txt for files of those types. The following file was notable:
Offset(P) #Ptr #Hnd Access Name
0x0000000004f34148 2 0 RW---- \Device\HarddiskVolume2\Users\hello\Desktop\suspision1.jpeg
I extracted this file using dumpfiles:
volatility.exe -f MemoryDump_Lab3.raw --profile=Win7SP0x86 dumpfiles -D ./Steg -Q 0x0000000004f34148 -n
And opened it with StegHide, using the previous flag as the password:
steghide extract -sf "<filepath>\MemLabs CTFs\Lab3\Steg\file.None.0x843fcf38.suspision1.jpeg.dat.jpeg"
This outputs a file called “secret text”, which contains the flag “_1s_n0t_3n0ugh}”.
Summary of flags:
- inctf{0n3_h4lf
- _1s_n0t_3n0ugh}