MemLabs: Lab 5 – Black Tuesday (“Medium-Hard”)
From https://github.com/stuxnet999/MemLabs: "MemLabs is an educational, introductory set of CTF-styled challenges which is aimed to encourage students, security researchers and also CTF players to get started with the field of Memory Forensics."
I'm a beginner when it comes to memory forensics; over the last few months I've been learning from online guides and CTFs. Below is a step-by-step write-up of how I completed Lab 5.
Challenge Description: “This challenge is composed of 2 flags but do you really think so? Maybe a little flag is hiding somewhere. Note: There was a small mistake when making this challenge. If you find any string which has the string "L4B_3_D0n3!!" in it, please change it to "L4B_5_D0n3!!" and then proceed. Hint: You'll get the stage 2 flag only when you have the stage 1 flag.”
I started by identifying which memory profile to use:
volatility.exe -f MemoryDump_Lab5.raw imageinfo
Which tells us that the suggested profiles are:
Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
The psxview command shows several notepad instances, including some hidden ones:
Offset(P) Name PID pslist psscan thrdproc pspcid csrss session deskthrd
0x000000003fb68b30 NOTEPAD.EXE 2724 False True False False False False False
0x000000003fb94060 notepad.exe 2744 False True False False False False False
0x000000003fab8060 notepad.exe 2744 True True True True True True False
0x000000003fd02b30 NOTEPAD.EXE 2056 True True True False False True False
The output from the cmdline command points towards a file of interest:
WinRAR.exe pid: 2924
Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\SmartNet\Documents\SW1wb3J0YW50.rar
I ran filescan and sent the results to a text file:
volatility.exe -f MemoryDump_Lab5.raw --profile=Win7SP1x64 filescan > filescan.txt
The output shows the offset of the .rar of interest:
Offset(P) #Ptr #Hnd Access Name
0x000000003eed56f0 1 0 R--r-- \Device\HarddiskVolume2\Users\SmartNet\Documents\SW1wb3J0YW50.rar
I dumped this file with dumpfiles:
volatility.exe -f MemoryDump_Lab5.raw --profile=Win7SP1x64 dumpfiles -D ./rar -Q 0x000000003eed56f0 -n
“SW1wb3J0YW50.rar” contains “Stage2.png”, which is password protected. I have clearly skipped Stage 1, so I need to go back and find the password for this image.
Having processed the memory dump in AXIOM, I started browsing through the artefacts and noted a number of potentially interesting entries in the IE History, e.g.:
- C:\Users\SmartNet\Desktop\St4g3$1.txt
- C:\Users\SmartNet\Desktop\St4g3$1.bat.txt
- C:\Users\SmartNet\Desktop\st4G3$$1.txt
- C:\Users\Alissa Simpson\stAg3_5.txt
- C:\Users\Alissa Simpson\Documents\Important.rar
- C:\Users\Alissa Simpson\Pictures\Password.png
- C:\Users\SmartNet\Documents\New Text Document.txt
- Z:\MemLabs-Files\Lab-2\Password.png
- C:/Users/Alissa Simpson/Pictures/ZmxhZ3shIV93M0xMX2QwbjNfU3Q0ZzMtMV8wZl9MNEJfNV9EMG4zXyEhfQ.bmp
Unfortunately, none of these files could be found in the filescan output, so none of them could be dumped. Looking at the filenames, most relate to previous labs; the final .bmp, however, is unusually named. Decoding this filename from base64 gives “flag{!!_w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3_!!}”.
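Both interesting filenames on this page (SW1wb3J0YW50 and the long .bmp stem) are base64 with the trailing "=" padding dropped, which is why a naive decoder rejects them. The script below is an added example, not part of the original write-up: it walks a constructed list of the paths above, restores the padding, decodes only stems that yield printable ASCII, and applies the "L4B_3_D0n3!!" to "L4B_5_D0n3!!" correction from the challenge description. The regex and the printable-ASCII filter are my own heuristics for telling encoded names from ordinary ones.

```python
import base64
import re
from pathlib import PureWindowsPath

# Standard base64 alphabet only, at least 8 chars, no padding (filenames drop the "=").
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}$")

# Correction stated in the challenge description.
FIXUPS = {"L4B_3_D0n3!!": "L4B_5_D0n3!!"}

# Constructed sample: a subset of the browser-history paths listed in the write-up.
SAMPLE_PATHS = [
    r"C:\Users\SmartNet\Desktop\St4g3$1.txt",
    r"C:\Users\Alissa Simpson\Documents\Important.rar",
    r"C:\Users\Alissa Simpson\Pictures\Password.png",
    r"C:\Users\SmartNet\Documents\SW1wb3J0YW50.rar",
    "C:/Users/Alissa Simpson/Pictures/ZmxhZ3shIV93M0xMX2QwbjNfU3Q0ZzMtMV8wZl9MNEJfNV9EMG4zXyEhfQ.bmp",
]


def decode_b64_name(stem):
    """Return the decoded text if `stem` is unpadded base64 of printable ASCII, else None."""
    # A base64 string whose length is 1 mod 4 can never be valid, padded or not.
    if not B64_RE.match(stem) or len(stem) % 4 == 1:
        return None
    padded = stem + "=" * (-len(stem) % 4)      # restore the dropped "=" padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:                           # binascii.Error is a ValueError
        return None
    # Ordinary names like "Password" decode to high/control bytes; drop those.
    if not raw or not all(0x20 <= b < 0x7F for b in raw):
        return None
    text = raw.decode("ascii")
    for wrong, right in FIXUPS.items():
        text = text.replace(wrong, right)
    return text


def find_encoded_names(paths):
    """Map each path whose file stem decodes cleanly to its decoded text."""
    hits = {}
    for p in paths:
        decoded = decode_b64_name(PureWindowsPath(p).stem)   # handles "\" and "/" separators
        if decoded is not None:
            hits[p] = decoded
    return hits


if __name__ == "__main__":
    for path, text in find_encoded_names(SAMPLE_PATHS).items():
        print(f"{path}\n  -> {text}")
```

The same function can be pointed at the full filescan.txt output, since every filename there is just another path.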
If we go back to “SW1wb3J0YW50.rar” and Stage2.png, it is now possible to open the file using “flag{!!_w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3_!!}” as the password:
The final flag is “flag{W1th_th1s_$taG2_2_1s_c0mPL3T3_!!}”.
Summary of flags:
- flag{!!_w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3_!!}
- flag{W1th_th1s_$taG2_2_1s_c0mPL3T3_!!}