MemLabs: Lab 5 – Black Tuesday (“Medium-Hard”)

29 June 2020

From the MemLabs project description: "MemLabs is an educational, introductory set of CTF-styled challenges which is aimed to encourage students, security researchers and also CTF players to get started with the field of Memory Forensics."

I'm a beginner when it comes to memory forensics; over the last few months I've been learning from online guides and CTFs. Below is a step-by-step write-up of how I completed Lab 5.

Challenge Description: “This challenge is composed of 2 flags but do you really think so? Maybe a little flag is hiding somewhere. Note: There was a small mistake when making this challenge. If you find any string which has the string "L4B_3_D0n3!!" in it, please change it to "L4B_5_D0n3!!" and then proceed. Hint: You'll get the stage 2 flag only when you have the stage 1 flag.” 

I started by identifying which memory profile to use: 

volatility.exe -f MemoryDump_Lab5.raw imageinfo 

Which tells us that the suggested profiles are: 

Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418 

The psxview command shows several notepad instances, including some hidden ones: 

Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
0x000000003fb68b30 NOTEPAD.EXE            2724 False  True   False    False  False False   False
0x000000003fb94060 notepad.exe            2744 False  True   False    False  False False   False
0x000000003fab8060 notepad.exe            2744 True   True   True     True   True  True    False
0x000000003fd02b30 NOTEPAD.EXE            2056 True   True   True     False  False True    False

The output from the cmdline command points towards a file of interest: 

WinRAR.exe pid:   2924
Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\SmartNet\Documents\SW1wb3J0YW50.rar

I ran filescan and sent the results to a text file: 

volatility.exe -f MemoryDump_Lab5.raw --profile=Win7SP1x64 filescan > filescan.txt 

The output shows the offset of the .rar of interest: 

Offset(P)            #Ptr   #Hnd Access Name
0x000000003eed56f0      1      0 R--r-- \Device\HarddiskVolume2\Users\SmartNet\Documents\SW1wb3J0YW50.rar

I dumped this file with dumpfiles: 

volatility.exe -f MemoryDump_Lab5.raw --profile=Win7SP1x64 dumpfiles -D ./rar -Q 0x000000003eed56f0 -n

“SW1wb3J0YW50.rar” contains “Stage2.png”, which is password protected. I have clearly skipped Stage 1, so I need to go back and find the password for this image.

Having processed the memory dump in AXIOM, I started browsing through the artefacts and noted a number of potentially interesting entries in the IE History, e.g.:

  • C:\Users\SmartNet\Desktop\St4g3$1.txt  
  • C:\Users\SmartNet\Desktop\St4g3$1.bat.txt 
  • C:\Users\SmartNet\Desktop\st4G3$$1.txt 
  • C:\Users\Alissa Simpson\stAg3_5.txt 
  • C:\Users\Alissa Simpson\Documents\Important.rar 
  • C:\Users\Alissa Simpson\Pictures\Password.png 
  • C:\Users\SmartNet\Documents\New Text Document.txt 
  • Z:\MemLabs-Files\Lab-2\Password.png 
  • C:/Users/Alissa Simpson/Pictures/ZmxhZ3shIV93M0xMX2QwbjNfU3Q0ZzMtMV8wZl9MNEJfNV9EMG4zXyEhfQ.bmp

Unfortunately, none of these files appear in the filescan output, so they could not be dumped. Looking at the filenames, most appear relevant to previous labs; however, the final .bmp is unusually named. Decoding its filename from base64 gives “flag{!!_w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3_!!}”.
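To check a list of recovered filenames for base64-encoded stems in bulk rather than by eye, here is an added Python helper (my own example, not part of the lab or of the Volatility or AXIOM tooling) that treats each file stem as unpadded base64, restores the dropped "=" padding, and keeps only stems that decode to printable ASCII; the sample list is constructed from the IE History paths and the WinRAR argument quoted above.

```python
import base64
import binascii
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, Optional

# Unpadded base64 uses only this alphabet; spaces, '$' or '_' rule a stem out immediately.
_B64_RE = re.compile(r"[A-Za-z0-9+/]+")


def decode_base64_name(path: str) -> Optional[str]:
    """Return the decoded text if the file's stem is unpadded base64 that decodes
    to printable ASCII, otherwise None. Forward and back slashes both work."""
    stem = PureWindowsPath(path).stem          # e.g. 'SW1wb3J0YW50' from 'SW1wb3J0YW50.rar'
    # Valid base64 data can never be exactly one character over a multiple of four.
    if not _B64_RE.fullmatch(stem) or len(stem) % 4 == 1:
        return None
    padded = stem + "=" * (-len(stem) % 4)     # restore the '=' padding a filename drops
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")             # non-ASCII bytes mean it was not really base64 text
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_encoded_names(paths: Iterable[str]) -> Dict[str, str]:
    """Map every path whose stem decodes cleanly to its decoded text."""
    found = {}
    for path in paths:
        decoded = decode_base64_name(path)
        if decoded is not None:
            found[path] = decoded
    return found


# Constructed sample input: the artefact paths quoted in this write-up.
SAMPLE_PATHS = [
    r"C:\Users\SmartNet\Desktop\St4g3$1.txt",
    r"C:\Users\SmartNet\Desktop\St4g3$1.bat.txt",
    r"C:\Users\Alissa Simpson\stAg3_5.txt",
    r"C:\Users\Alissa Simpson\Documents\Important.rar",
    r"C:\Users\Alissa Simpson\Pictures\Password.png",
    r"C:\Users\SmartNet\Documents\New Text Document.txt",
    r"Z:\MemLabs-Files\Lab-2\Password.png",
    "C:/Users/Alissa Simpson/Pictures/ZmxhZ3shIV93M0xMX2QwbjNfU3Q0ZzMtMV8wZl9MNEJfNV9EMG4zXyEhfQ.bmp",
    r"C:\Users\SmartNet\Documents\SW1wb3J0YW50.rar",
]

if __name__ == "__main__":
    for path, text in find_encoded_names(SAMPLE_PATHS).items():
        print(f"{path}\n  -> {text}")
```

Note that "Password" passes the alphabet and length checks but decodes to non-ASCII bytes, which is why the printable-ASCII filter is needed to avoid false positives.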

If we go back to “SW1wb3J0YW50.rar” and Stage2.png, it is now possible to open the file using “flag{!!_w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3_!!}” as the password.

The final flag is “flag{W1th_th1s_$taG2_2_1s_c0mPL3T3_!!}”. 

Summary of flags: 

  • flag{!!_w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3_!!} 
  • flag{W1th_th1s_$taG2_2_1s_c0mPL3T3_!!}
