MemLabs: Lab 5 – Black Tuesday (“Medium-Hard”)

By
29 June 2020

From https://github.com/stuxnet999/MemLabs: "MemLabs is an educational, introductory set of CTF-styled challenges which is aimed to encourage students, security researchers and also CTF players to get started with the field of Memory Forensics."

I'm a beginner when it comes to memory forensics- over the last few months I've been learning from online guides and CTFs. Below is a step-by-step write-up of how I completed Lab 5.

Challenge Description: “This challenge is composed of 2 flags but do you really think so? Maybe a little flag is hiding somewhere. Note: There was a small mistake when making this challenge. If you find any string which has the string "L4B_3_D0n3!!" in it, please change it to "L4B_5_D0n3!!" and then proceed. Hint: You'll get the stage 2 flag only when you have the stage 1 flag.” 

I started by identifying which memory profile to use: 

volatility.exe -f MemoryDump_Lab5.raw imageinfo 

Which tells us that the suggested profiles are: 

Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418 

The psxview command shows several notepad instances, including some hidden ones: 

Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd  

0x000000003fb68b30 NOTEPAD.EXE            2724 False  True   False    False  False False   False 

0x000000003fb94060 notepad.exe            2744 False  True   False    False  False False   False 

0x000000003fab8060 notepad.exe            2744 True   True   True     True   True  True    False 

0x000000003fd02b30 NOTEPAD.EXE            2056 True   True   True     False  False True    False  

The output from the cmdline command points towards a file of interest: 

WinRAR.exe pid:   2924 

Command line : "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\SmartNet\Documents\SW1wb3J0YW50.rar 

I ran filescan and sent the results to a text file: 

volatility.exe -f MemoryDump_Lab5.raw --profile=Win7SP1x64 filescan > filescan.txt 

The output shows the offset of the .rar of interest: 

Offset(P)            #Ptr   #Hnd Access Name 

0x000000003eed56f0      1      0 R--r-- \Device\HarddiskVolume2\Users\SmartNet\Documents\SW1wb3J0YW50.rar 

I dumped this file with dumpfiles: 

volatility.exe -f MemoryDump_Lab5.raw --profile=Win7SP1x64 dumpfilesD ./rar -Q 0x000000003eed56f0 -n 

“SW1wb3J0YW50.rar” contains “Stage2.png” which is password protected. I have clearly skipped Stage 1 so I need to go back and find the password for this image.  

Having processed the memory dump in AXIOM I started browsing through the artefacts and noted a number of potentially interesting entries in the IE History e.g. 

  • C:\Users\SmartNet\Desktop\St4g3$1.txt  
  • C:\Users\SmartNet\Desktop\St4g3$1.bat.txt 
  • C:\Users\SmartNet\Desktop\st4G3$$1.txt 
  • C:\Users\Alissa Simpson\stAg3_5.txt 
  • C:\Users\Alissa Simpson\Documents\Important.rar 
  • C:\Users\Alissa Simpson\Pictures\Password.png 
  • C:\Users\SmartNet\Documents\New Text Document.txt 
  • Z:\MemLabs-Files\Lab-2\Password.png 
  • C:/Users/Alissa Simpson/Pictures/ZmxhZ3shIV93M0xMX2QwbjNfU3Q0ZzMtMV8wZl9MNEJfNV9EMG4zXyEhfQ.bmp

But unfortunately, none of these files could be found in the filescan output and dumped out. Looking at the filenames, most appear relevant to previous labs however the final bmp is unusually named. Decoding this filename from base64 gives “flag{!!_w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3_!!} 

If we go back to “SW1wb3J0YW50.rar” and Stage2.png it is now possible to open the file using “flag{!!_w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3_!!}” as the password: 

 

The final flag is “flag{W1th_th1s_$taG2_2_1s_c0mPL3T3_!!}”. 

Summary of flags: 

  • flag{!!_w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3_!!} 
  • flag{W1th_th1s_$taG2_2_1s_c0mPL3T3_!!}

Popular posts from this blog

Visualising Data with Pandas

By
Image
15 June 2020 As part of my quest to improve my Python skills I've been learning how to visualise data using Pandas. When we parse out large data sets from logs or other artefacts recovered from forensics data it can be difficult to glean real-world meaning from tables and lists of numbers. Visualising this data is extremely useful in understanding the story it tells, more easily spotting patterns or interesting anomalies and answering the crucial questions who, what, when, where and why?
Read more

I can't remember my password! (dfchallenge.org CTF Write-Up)

By
Image
This is a write-up of a CTF from dfchallenge.org called "I can't remember my password...T_T" I pursued quite a few dead ends but I've left many of these in because I think they give some context to my thought processes. As well as being a really good challenge digging into NTFS artefacts it also forced me to find alternatives to some of the licenced tools I would usually use but don't have access to at the moment. There is a short TLDR right at the bottom if you're in a hurry! 😜 The scenario: "Michael uses USB to save the file that records password of VPN service that can access to company’s server. One day, he accidentally deleted the folder where the password file was saved on business travel, and he became unable to access the company VPN. Recover the deleted password file on USB and find out the VPN password." The data: system.L01 (MD5: 4ac03fcddce09e122a682da5a3d09fdd) usb.dd (MD5: 4431d5f9e51d6d55f5f58dfe92d42348) The tools I used (on my Wi
Read more

Parsing iOS Camera Roll using Python

By
Image
I was asked how some images of interest came to be on an iOS camera roll which started me off doing some research into the camera roll. I came across this great blog by forensicmike1 which contained lots of useful info. There is so much information in the Photos.sqlite database! The database can be found here: \private\var\mobile\Media\PhotoData\ Photos.sqlite I decided to try to write a parser to extract some of my fields of interest from Photos.sqlite. I'm a beginner with Python and SQL so I thought this would be a good lock-down project as it would undoubtedly take me ages... For this project I used iOS 13 test data from The Binary Hick My python script is available here . The info I decided I wanted to extract for each item on the camera roll was: Z_PK ZDIRECTORY ZFILENAME ZORIGINALFILENAME ZDURATION ZFAVORITE ZCREATORBUNDLEID (very useful for my original question!) ZEDITORBUNDLEID ZADDEDDATE ZDATECREATED ZMODIFICATIONDATE ZEXIFTIMESTAMPSTRING ZTRASHEDSTATE ZTRASHEDDATE ZTIMEZ
Read more