MemLabs: Lab 4 - Obsession (“Medium”)

29 June 2020

From https://github.com/stuxnet999/MemLabs: "MemLabs is an educational, introductory set of CTF-styled challenges which is aimed to encourage students, security researchers and also CTF players to get started with the field of Memory Forensics."

I'm a beginner when it comes to memory forensics; over the last few months I've been learning from online guides and CTFs. Below is a step-by-step write-up of how I completed Lab 4.

Challenge Description: “My system was recently compromised. The Hacker stole a lot of information but he also deleted a very important file of mine. I have no idea on how to recover it. The only evidence we have, at this point of time is this memory dump. Please help me. Note: This challenge is composed of only 1 flag. The flag format for this lab is: inctf{s0me_l33t_Str1ng}” 

I started by identifying which memory profile to use: 

volatility.exe -f MemoryDump_Lab4.raw imageinfo 

Which tells us that the suggested profiles are: 

Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418 

From pslist I see one process of particular interest: 

Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start 

0xfffffa8000f18b30 StikyNot.exe           2432   3012     10      137      2      0 2019-06-29 07:29:37 UTC+0000 

On Windows 7, Sticky Notes saves its notes in a .snt file (an OLE compound file), so, in order to look for it, I ran filescan and redirected the output to a text file:

volatility.exe -f MemoryDump_Lab4.raw --profile=Win7SP1x64 filescan > filescan.txt 

Within filescan.txt I searched for “.snt” and found one match: 

Offset(P)            #Ptr   #Hnd Access Name  

0x000000003fd40910     17      1 RW-r-- \Device\HarddiskVolume2\Users\SlimShady\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt 

I extracted this file with dumpfiles: 

volatility.exe -f MemoryDump_Lab4.raw --profile=Win7SP1x64 dumpfiles -D ./StickyNotes -Q 0x000000003fd40910 -n

Opening it with Structured Storage Viewer gave some human-readable text: "The clipboard plugin works well but doesn't give the flag :P". It turns out that AXIOM also parses this file and previews it very nicely as an “RTF Document” under “Documents”.

I spent a while looking at the output of the clipboard command, fruitlessly. Even if it didn't give the flag, I thought it might provide a clue or a stepping stone, but I couldn't find anything useful, so I decided to move on. Having processed the memory dump in AXIOM, I browsed for notable files. The IE History, LNK files and Recently Accessed Files/Folders artefacts were particularly useful. This is where I noted “Important.txt” on two users' desktops:

“C:\Users\SlimShady\Desktop\Important.txt” and “C:\Users\eminem\Desktop\Important.txt” 

This file is noted in filescan.txt: 

Offset(P)            #Ptr   #Hnd Access Name 

0x000000003fc398d0     16      0 R--rw- \Device\HarddiskVolume2\Users\SlimShady\Desktop\Important.txt 

However, dumpfiles fails to extract it: the entry has no open handles, and dumpfiles can only carve the data that is still cached or memory-mapped for a file object, which in this case is nothing. From the challenge description we know that the file(s) of interest were deleted, so I looked in filescan.txt for Recycle Bin entries or $I/$R files, without any luck. I tried extracting the $MFT using dumpfiles and parsing it with MFTDump, but this was unsuccessful. While researching MFT extraction with Volatility I found a reference to the mftparser plugin, which achieved what I had been trying to do: it scans memory for MFT entries (records starting with the "FILE" signature) and prints their attributes, including the content of any resident $DATA attribute:

volatility.exe -f MemoryDump_Lab4.raw --profile=Win7SP1x64 mftparser > mft.txt 

Searching for “Important.txt” within the output “mft.txt” shows us that the file is resident in the MFT: it is small enough (NTFS keeps files of up to roughly 700 bytes inside the 1024-byte MFT record rather than in separate clusters) for its contents to live in the $DATA attribute of the record itself, so they survive deletion until the record is reused.

Taking the contents of $DATA and removing spaces/line breaks gives "inctf{1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3} Good work :P" 
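The following is an added example (my code, not part of the original write-up and not Volatility's own implementation) showing what mftparser is doing when it finds Important.txt: it scans a constructed memory image for the "FILE" record signature, applies the record's fix-ups, walks the attributes and returns the resident $DATA of the record that names the file, even though the record's in-use flag is clear because the file was deleted. The MFT record, the bytes around it and the two-line hex dump are all constructed here; the $DATA payload is the text recovered above. The hexdump decoder reads Volatility's hex column rather than the ASCII column, because the ASCII column renders spaces and non-printable bytes as '.'.

```python
# Added example (not Volatility code): recover a deleted file's resident $DATA
# from an NTFS MFT record found in raw memory, the way mftparser does.
import re
import struct

ATTR_STANDARD_INFO, ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF
RECORD_SIZE, FLAG_IN_USE = 1024, 0x01   # the in-use flag is clear on a deleted file's record


def _resident_attr(attr_type, content):
    """Resident attribute: 24-byte header, content at +0x18, length padded to 8."""
    length = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, 0, 0, 0, 0,
                      len(content), 0x18, 0, 0)
    return (hdr + content).ljust(length, b"\x00")


def build_mft_record(name, data, in_use):
    """Constructed 1024-byte FILE record: $STANDARD_INFORMATION, $FILE_NAME, unnamed $DATA."""
    fn_body = struct.pack("<Q4QQQIIBB", 5, 0, 0, 0, 0, 0, 0, 0, 0, len(name), 3)
    attrs = (_resident_attr(ATTR_STANDARD_INFO, b"\x00" * 0x48)
             + _resident_attr(ATTR_FILE_NAME, fn_body + name.encode("utf-16-le"))
             + _resident_attr(ATTR_DATA, data) + struct.pack("<I", ATTR_END))
    first_attr = 0x38   # 0x30-byte header, then a 3-entry update sequence array
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, first_attr,
                         FLAG_IN_USE if in_use else 0, first_attr + len(attrs),
                         RECORD_SIZE, 0, 4, 0, 42)
    return (header.ljust(first_attr, b"\x00") + attrs).ljust(RECORD_SIZE, b"\x00")


def _apply_fixups(rec):
    """Restore the last 2 bytes of each sector from the update sequence array;
    a mismatch with the sequence number means a torn record or a false 'FILE' hit."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * 512 - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fix-up mismatch")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def parse_mft_record(raw):
    """Return the in-use flag, $FILE_NAME names and unnamed resident $DATA of one record."""
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = _apply_fixups(bytearray(raw[:RECORD_SIZE]))
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & FLAG_IN_USE), "names": [], "resident_data": None}
    off = first_attr
    while off + 8 <= len(rec):
        attr_type, length = struct.unpack_from("<II", rec, off)
        if attr_type == ATTR_END or length == 0:
            break
        if rec[off + 8] == 0:   # resident: the content sits inside the record itself
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = bytes(rec[off + coff:off + coff + clen])
            if attr_type == ATTR_FILE_NAME:
                info["names"].append(content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le"))
            elif attr_type == ATTR_DATA and rec[off + 9] == 0:   # unnamed $DATA stream
                info["resident_data"] = content
        off += length
    return info


def recover_resident_file(image, filename):
    """Scan raw memory for FILE records; return (in_use, content) of the first one naming `filename`, else None."""
    for m in re.finditer(rb"FILE", image):
        try:
            rec = parse_mft_record(image[m.start():m.start() + RECORD_SIZE])
        except (ValueError, IndexError, struct.error):
            continue   # "FILE" inside unrelated data, or a truncated record
        if filename in rec["names"] and rec["resident_data"] is not None:
            return rec["in_use"], rec["resident_data"]
    return None


# Volatility 2 hexdump line: offset, up to 16 hex pairs, then an ASCII column that
# shows spaces and non-printable bytes as '.'. Decode the hex column, not the ASCII one.
HEXDUMP_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+\s{2}((?:[0-9a-fA-F]{2} ?){1,16})")


def bytes_from_volatility_hexdump(text):
    """Decode pasted mftparser $DATA hexdump lines back into the exact bytes."""
    out = bytearray()
    for line in text.splitlines():
        m = HEXDUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1))
    return bytes(out)


# Constructed memory image: filler, a stray "FILE" string that is not a record,
# then the record of a deleted Important.txt whose $DATA is the recovered text.
IMPORTANT_TXT = b"inctf{1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3} Good work :P"
SAMPLE_IMAGE = (b"\x90" * 300 + b"FILE is not always a record" + b"\x00" * 200
                + build_mft_record("Important.txt", IMPORTANT_TXT, in_use=False)
                + b"\xcc" * 128)
# Constructed two-line dump in the Volatility hexdump layout described above.
SAMPLE_HEXDUMP = """\
0x00000000  31 20 69 73 20 6e 30 74 20 3d 3d 20 32 20 3a 50   1.is.n0t.==.2.:P
0x00000010  0a                                                .
"""

if __name__ == "__main__":
    in_use, content = recover_resident_file(SAMPLE_IMAGE, "Important.txt")
    print("record in use:", in_use, "| resident $DATA:", content.decode())
    print(bytes_from_volatility_hexdump(SAMPLE_HEXDUMP))
```

Running the script reports the record as not in use and still prints the full text, which is exactly the situation in this lab: the file is gone from the directory, but its MFT record, content included, was still in memory. Real images are easier with mftparser itself; the value of the hexdump decoder is that pasting its $DATA output through it recovers the bytes exactly instead of guessing which dots in the ASCII column were spaces.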

Summary of flags: 

  • inctf{1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3}