MemLabs: Lab 4 - Obsession (“Medium”)

By
29 June 2020

From https://github.com/stuxnet999/MemLabs: "MemLabs is an educational, introductory set of CTF-styled challenges which is aimed to encourage students, security researchers and also CTF players to get started with the field of Memory Forensics."

I'm a beginner when it comes to memory forensics- over the last few months I've been learning from online guides and CTFs. Below is a step-by-step write-up of how I completed Lab 4.

Challenge Description: “My system was recently compromised. The Hacker stole a lot of information but he also deleted a very important file of mine. I have no idea on how to recover it. The only evidence we have, at this point of time is this memory dump. Please help me. Note: This challenge is composed of only 1 flag. The flag format for this lab is: inctf{s0me_l33t_Str1ng}” 

I started by identifying which memory profile to use: 

volatility.exe -f MemoryDump_Lab4.raw imageinfo 

Which tells us that the suggested profiles are: 

Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418 

From pslist I see one process of particular interest: 

Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start 

0xfffffa8000f18b30 StikyNot.exe           2432   3012     10      137      2      0 2019-06-29 07:29:37 UTC+0000 

The contents of sticky notes are saved in .snt files so, in order to look for these, I ran filescan and sent the output to a text file: 

volatility.exe -f MemoryDump_Lab4.raw --profile=Win7SP1x64 filescan > filescan.txt 

Within filescan.txt I searched for “.snt” and found one match: 

Offset(P)            #Ptr   #Hnd Access Name  

0x000000003fd40910     17      1 RW-r-- \Device\HarddiskVolume2\Users\SlimShady\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt 

I extracted this file with dumpfiles: 

volatility.exe -f MemoryDump_Lab4.raw --profile=Win7SP0x86 dumpfilesD ./StickyNotes -Q 0x000000003fd40910 –n 

Opening with "Structured Storage Viewer" gave some human readable text: "The clipboard plugin works well but doesn't give the flag :P ". It turns out that AXIOM also parses this file and previews it very nicely as an “RTF Document” under “Documents”: 

 

I spent a while looking at the output of the clipboard command fruitlessly. Even if it doesn’t give the flag I thought perhaps it provides a clue or a stepping stone? I couldn’t find anything useful so I decided to move on. Having processed the memory dump in AXIOM I browsed for notable files. The IE History, LNK files and Recently Accessed Files/Folders artefacts were particularly useful. This is where I noted “Important.txt” on two users' desktops: 

“C:\Users\SlimShady\Desktop\Important.txt” and “C:\Users\eminem\Desktop\Important.txt” 

This file is noted in filescan.txt: 

Offset(P)            #Ptr   #Hnd Access Name 

0x000000003fc398d0     16      0 R--rw- \Device\HarddiskVolume2\Users\SlimShady\Desktop\Important.txt 

However, dumpfiles fails to extract it. From the challenge description we know that the file(s) of interest were deleted so I looked in filescan.txt for RecycleBin entries or $I/$R files without any luck. I tried extracting the $MFT using dumpfiles and parsing it with MFTDump but this was unsuccessful. When researching MFT extraction with Volatility I found a reference to the mftparser command which achieved what I had been trying to do: 

volatility.exe -f MemoryDump_Lab4.raw --profile=Win7SP1x64 mftparser > mft.txt 

Searching for “Important.txt” within the output “mft.txt” shows us that the file is resident in the MFT: 

 

Taking the contents of $DATA and removing spaces/line breaks gives "inctf{1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3} Good work :P" 

Summary of flags: 

  • inctf{1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3}

Popular posts from this blog

Visualising Data with Pandas

By
Image
15 June 2020 As part of my quest to improve my Python skills I've been learning how to visualise data using Pandas. When we parse out large data sets from logs or other artefacts recovered from forensics data it can be difficult to glean real-world meaning from tables and lists of numbers. Visualising this data is extremely useful in understanding the story it tells, more easily spotting patterns or interesting anomalies and answering the crucial questions who, what, when, where and why?
Read more

I can't remember my password! (dfchallenge.org CTF Write-Up)

By
Image
This is a write-up of a CTF from dfchallenge.org called "I can't remember my password...T_T" I pursued quite a few dead ends but I've left many of these in because I think they give some context to my thought processes. As well as being a really good challenge digging into NTFS artefacts it also forced me to find alternatives to some of the licenced tools I would usually use but don't have access to at the moment. There is a short TLDR right at the bottom if you're in a hurry! 😜 The scenario: "Michael uses USB to save the file that records password of VPN service that can access to company’s server. One day, he accidentally deleted the folder where the password file was saved on business travel, and he became unable to access the company VPN. Recover the deleted password file on USB and find out the VPN password." The data: system.L01 (MD5: 4ac03fcddce09e122a682da5a3d09fdd) usb.dd (MD5: 4431d5f9e51d6d55f5f58dfe92d42348) The tools I used (on my Wi
Read more

MemLabs: Lab 5 – Black Tuesday (“Medium-Hard”)

By
Image
29 June 2020 From https://github.com/stuxnet999/MemLabs : "MemLabs is an educational, introductory set of CTF-styled challenges which is aimed to encourage students, security researchers and also CTF players to get started with the field of Memory Forensics." I'm a beginner when it comes to memory forensics- over the last few months I've been learning from online guides and CTFs. Below is a step-by-step write-up of how I completed Lab 5.
Read more