The memory dump to analyze can be found at this address: https://mega.nz/#!sh8wmCIL!b4tpech4wzc3QQ6YgQ2uZnOmctRZ2duQxDqxbkWYipQ
1 - What the password?
The first thing to do with a memory dump: determine which OS is it and which version of the OS. Volatility needs those information to properly parse the memory:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| $ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/opt/usr_land/OtterCTF.vmem)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf80002c430a0L
Number of Processors : 2
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80002c44d00L
KPCR for CPU 1 : 0xfffff880009ef000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2018-08-04 19:34:22 UTC+0000
Image local date and time : 2018-08-04 22:34:22 +0300
|
Before continuing, I’m used to redirecting volatility plugins output into files. It will be faster if I need to check information in the future. I call them with the following syntax:
p<plugin name>
For example: for pstree it becomes ppstree
Let’s get started. Finding a user password in a memory dump, there is not a lot of possibilities:
- Cracking NTLM hashes
- Find the password stored into processes
- Find the password stored in a file (the legendary password.txt on the desktop)
Cracking NTLM hashes
1
2
3
4
5
6
| $ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Rick:1000:aad3b435b51404eeaad3b435b51404ee:518172d012f97d3a8fcc089615283940:::
|
With this, I have tried to break Rick’s NTLM hash on a website like crackstation. After two or three attempts I decided to try the second option: find the password into process memory.
Process, process, my wonderful process
When I spoke about a process, it can be notepad.exe with a piece of text file in memory for example. Or, it can be the Windows “strongbox”: lsass.exe.
Mimikatz is a famous tool used by pentesters and (unfortunately) by malwares. This tool takes advantages of some lsass weaknesses (and many others) to find clear text password in memory.
Volatility plugin has been made:
1
2
3
4
5
6
7
| $ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem --profile=Win7SP1x64 mimikatz
Volatility Foundation Volatility Framework 2.6.1
Module User Domain Password
-------- ---------------- ---------------- ----------------------------------------
wdigest Rick WIN-LO6FAF3DTFE MortyIsReallyAnOtter
wdigest WIN-LO6FAF3DTFE$ WORKGROUP
|
Great, the password has been found, so we got the flag.
Flag
CTF{MortyIsReallyAnOtter}
2 - General Info
Now, we’re looking for 2 flags: computer’s IP and computer’s name.
Computer name
Computer’s name is really easy to find because mimikatz plugins used previously brought it out: WIN-LO6FAF3DTFE.
So the flag is:
CTF{WIN-LO6FAF3DTFE}
Computer IP
Computer’s IP address will not be much more complicated to find. By default, volatility can list all actives network connections with netscan plugin. This feature allows us to have a netstat view at memory acquisition.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| $ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem --profile=Win7SP1x64 netscan > pnetscan
$ cat pnetscan
Volatility Foundation Volatility Framework 2.6.1
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x7d60f010 UDPv4 0.0.0.0:1900 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62b3f0 UDPv4 192.168.202.131:6771 *:* 2836 BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d62f4c0 UDPv4 127.0.0.1:62307 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d62f920 UDPv4 192.168.202.131:62306 *:* 2836 BitTorrent.exe 2018-08-04 19:27:17 UTC+0000
0x7d6424c0 UDPv4 0.0.0.0:50762 *:* 4076 chrome.exe 2018-08-04 19:33:37 UTC+0000
0x7d6b4250 UDPv6 ::1:1900 *:* 164 svchost.exe 2018-08-04 19:28:42 UTC+0000
0x7d6e3230 UDPv4 127.0.0.1:6771 *:* 2836 BitTorrent.exe 2018-08-04 19:27:22 UTC+0000
0x7d6ed650 UDPv4 0.0.0.0:5355 *:* 620 svchost.exe 2018-08-04 19:34:22 UTC+0000
0x7d71c8a0 UDPv4 0.0.0.0:0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000
0x7d71c8a0 UDPv6 :::0 *:* 868 svchost.exe 2018-08-04 19:34:22 UTC+0000
0x7d74a390 UDPv4 127.0.0.1:52847 *:* 2624 bittorrentie.e 2018-08-04 19:27:24 UTC+0000
0x7d7602c0 UDPv4 127.0.0.1:52846 *:* 2308 bittorrentie.e 2018-08-04 19:27:24 UTC+0000
[...]
|
The most frequent source IP in the output is: 192.168.202.131. Good news, it’s the flag:
CTF{192.168.202.131}
3 - Play time
Again, two flags to find. This time, let’s start to resolve the first flag: game name.
Game name
If Rick plays to something, his process should run:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
| $ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem --profile=Win7SP1x64 pstree > ppstree
$ cat ppstree
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa801b27e060:explorer.exe 2728 2696 33 854 2018-08-04 19:27:04 UTC+0000
. 0xfffffa801b486b30:Rick And Morty 3820 2728 4 185 2018-08-04 19:32:55 UTC+0000
.. 0xfffffa801a4c5b30:vmware-tray.ex 3720 3820 8 147 2018-08-04 19:33:02 UTC+0000
. 0xfffffa801b2f02e0:WebCompanion.e 2844 2728 0 ------ 2018-08-04 19:27:07 UTC+0000
. 0xfffffa801a4e3870:chrome.exe 4076 2728 44 1160 2018-08-04 19:29:30 UTC+0000
.. 0xfffffa801a4eab30:chrome.exe 4084 4076 8 86 2018-08-04 19:29:30 UTC+0000
.. 0xfffffa801a5ef1f0:chrome.exe 1796 4076 15 170 2018-08-04 19:33:41 UTC+0000
.. 0xfffffa801aa00a90:chrome.exe 3924 4076 16 228 2018-08-04 19:29:51 UTC+0000
.. 0xfffffa801a635240:chrome.exe 3648 4076 16 207 2018-08-04 19:33:38 UTC+0000
.. 0xfffffa801a502b30:chrome.exe 576 4076 2 58 2018-08-04 19:29:31 UTC+0000
.. 0xfffffa801a4f7b30:chrome.exe 1808 4076 13 229 2018-08-04 19:29:32 UTC+0000
.. 0xfffffa801a7f98f0:chrome.exe 2748 4076 15 181 2018-08-04 19:31:15 UTC+0000
. 0xfffffa801b5cb740:LunarMS.exe 708 2728 18 346 2018-08-04 19:27:39 UTC+0000
. 0xfffffa801b1cdb30:vmtoolsd.exe 2804 2728 6 190 2018-08-04 19:27:06 UTC+0000
. 0xfffffa801b290b30:BitTorrent.exe 2836 2728 24 471 2018-08-04 19:27:07 UTC+0000
.. 0xfffffa801b4c9b30:bittorrentie.e 2624 2836 13 316 2018-08-04 19:27:21 UTC+0000
.. 0xfffffa801b4a7b30:bittorrentie.e 2308 2836 15 337 2018-08-04 19:27:19 UTC+0000
0xfffffa8018d44740:System 4 0 95 411 2018-08-04 19:26:03 UTC+0000
. 0xfffffa801947e4d0:smss.exe 260 4 2 30 2018-08-04 19:26:03 UTC+0000
0xfffffa801a2ed060:wininit.exe 396 336 3 78 2018-08-04 19:26:11 UTC+0000
. 0xfffffa801ab377c0:services.exe 492 396 11 242 2018-08-04 19:26:12 UTC+0000
.. 0xfffffa801afe7800:svchost.exe 1948 492 6 96 2018-08-04 19:26:42 UTC+0000
.. 0xfffffa801ae92920:vmtoolsd.exe 1428 492 9 313 2018-08-04 19:26:27 UTC+0000
... 0xfffffa801a572b30:cmd.exe 3916 1428 0 ------ 2018-08-04 19:34:22 UTC+0000
.. 0xfffffa801ae0f630:VGAuthService. 1356 492 3 85 2018-08-04 19:26:25 UTC+0000
.. 0xfffffa801abbdb30:vmacthlp.exe 668 492 3 56 2018-08-04 19:26:16 UTC+0000
.. 0xfffffa801aad1060:Lavasoft.WCAss 3496 492 14 473 2018-08-04 19:33:49 UTC+0000
.. 0xfffffa801a6af9f0:svchost.exe 164 492 12 147 2018-08-04 19:28:42 UTC+0000
.. 0xfffffa801ac2e9e0:svchost.exe 808 492 22 508 2018-08-04 19:26:18 UTC+0000
... 0xfffffa801ac753a0:audiodg.exe 960 808 7 151 2018-08-04 19:26:19 UTC+0000
.. 0xfffffa801ae7f630:dllhost.exe 1324 492 15 207 2018-08-04 19:26:42 UTC+0000
.. 0xfffffa801a6c2700:mscorsvw.exe 3124 492 7 77 2018-08-04 19:28:43 UTC+0000
.. 0xfffffa801b232060:sppsvc.exe 2500 492 4 149 2018-08-04 19:26:58 UTC+0000
.. 0xfffffa801abebb30:svchost.exe 712 492 8 301 2018-08-04 19:26:17 UTC+0000
.. 0xfffffa801ad718a0:svchost.exe 1164 492 18 312 2018-08-04 19:26:23 UTC+0000
.. 0xfffffa801ac31b30:svchost.exe 844 492 17 396 2018-08-04 19:26:18 UTC+0000
... 0xfffffa801b1fab30:dwm.exe 2704 844 4 97 2018-08-04 19:27:04 UTC+0000
.. 0xfffffa801988c2d0:PresentationFo 724 492 6 148 2018-08-04 19:27:52 UTC+0000
.. 0xfffffa801b603610:mscorsvw.exe 412 492 7 86 2018-08-04 19:28:42 UTC+0000
.. 0xfffffa8018e3c890:svchost.exe 604 492 11 376 2018-08-04 19:26:16 UTC+0000
... 0xfffffa8019124b30:WmiPrvSE.exe 1800 604 9 222 2018-08-04 19:26:39 UTC+0000
... 0xfffffa801b112060:WmiPrvSE.exe 2136 604 12 324 2018-08-04 19:26:51 UTC+0000
.. 0xfffffa801ad5ab30:spoolsv.exe 1120 492 14 346 2018-08-04 19:26:22 UTC+0000
.. 0xfffffa801ac4db30:svchost.exe 868 492 45 1114 2018-08-04 19:26:18 UTC+0000
.. 0xfffffa801a6e4b30:svchost.exe 3196 492 14 352 2018-08-04 19:28:44 UTC+0000
.. 0xfffffa801acd37e0:svchost.exe 620 492 19 415 2018-08-04 19:26:21 UTC+0000
.. 0xfffffa801b1e9b30:taskhost.exe 2344 492 8 193 2018-08-04 19:26:57 UTC+0000
.. 0xfffffa801ac97060:svchost.exe 1012 492 12 554 2018-08-04 19:26:20 UTC+0000
.. 0xfffffa801b3aab30:SearchIndexer. 3064 492 11 610 2018-08-04 19:27:14 UTC+0000
.. 0xfffffa801aff3b30:msdtc.exe 1436 492 14 155 2018-08-04 19:26:43 UTC+0000
. 0xfffffa801ab3f060:lsass.exe 500 396 7 610 2018-08-04 19:26:12 UTC+0000
. 0xfffffa801ab461a0:lsm.exe 508 396 10 148 2018-08-04 19:26:12 UTC+0000
0xfffffa801a0c8380:csrss.exe 348 336 9 563 2018-08-04 19:26:10 UTC+0000
. 0xfffffa801a6643d0:conhost.exe 2420 348 0 30 2018-08-04 19:34:22 UTC+0000
0xfffffa80198d3b30:csrss.exe 388 380 11 460 2018-08-04 19:26:11 UTC+0000
0xfffffa801aaf4060:winlogon.exe 432 380 3 113 2018-08-04 19:26:11 UTC+0000
0xfffffa801b18f060:WebCompanionIn 3880 1484 15 522 2018-08-04 19:33:07 UTC+0000
. 0xfffffa801aa72b30:sc.exe 3504 3880 0 ------ 2018-08-04 19:33:48 UTC+0000
. 0xfffffa801aeb6890:sc.exe 452 3880 0 ------ 2018-08-04 19:33:48 UTC+0000
. 0xfffffa801a6268b0:WebCompanion.e 3856 3880 15 386 2018-08-04 19:34:05 UTC+0000
. 0xfffffa801b08f060:sc.exe 3208 3880 0 ------ 2018-08-04 19:33:47 UTC+0000
. 0xfffffa801ac01060:sc.exe 2028 3880 0 ------ 2018-08-04 19:33:49 UTC+0000
0xfffffa801b1fd960:notepad.exe 3304 3132 2 79 2018-08-04 19:34:10 UTC+0000
|
Here are suspicious processes:
- “Rick and Morty”
- vmware-tray.exe
- WebCompanion.exe
- LunarMS.exe
After some internet research, LunarMS appears to be the best candidate. Good!
CTF{LunarMS}
Game IP
Now I got the process name, find the associated IP will be easy. Indeed, netscan plugin used previously is also showing IP address associated to processes.
1
2
3
4
| $ cat pnetscan | grep LunarMS
0x7d6124d0 TCPv4 192.168.202.131:49530 77.102.199.102:7575 CLOSED 708 LunarMS.exe
0x7e413a40 TCPv4 -:0 -:0 CLOSED 708 LunarMS.exe
0x7e521b50 TCPv4 -:0 -:0 CLOSED 708 LunarMS.exe
|
The only IP address comes out:
CTF{77.102.199.102}
4 - Name Game
We know the game, then we know its PID. We got a string, I will use it as search index: Lunar-3.
A volatility plugin that I like a lot is yarascan, it’s like a grep, but better for a memory dump. It’s possible to look for patterns with regular expression or just looking for standard strings. For this challenge, I will only look for standard strings in the game process:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
| $ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem --profile=Win7SP1x64 yarascan --yara-rules="Lunar-3" -p 708
Volatility Foundation Volatility Framework 2.6.1
Rule: r1
Owner: Process LunarMS.exe Pid 708
0x5a0c1070 4c 75 6e 61 72 2d 33 00 00 7a 33 00 00 00 00 00 Lunar-3..z3.....
0x5a0c1080 00 1d 00 00 00 01 00 00 00 0b 00 00 00 0b 00 00 ................
0x5a0c1090 00 30 74 74 33 72 38 72 33 33 7a 33 00 00 00 00 .0tt3r8r33z3....
0x5a0c10a0 00 00 1d 00 00 00 01 00 00 00 0d 00 00 00 0d 00 ................
0x5a0c10b0 00 00 53 6f 75 6e 64 2f 55 49 2e 69 6d 67 2f 00 ..Sound/UI.img/.
0x5a0c10c0 00 00 00 1d 00 00 00 01 00 00 00 0c 00 00 00 0c ................
0x5a0c10d0 00 00 00 42 74 4d 6f 75 73 65 43 6c 69 63 6b 00 ...BtMouseClick.
0x5a0c10e0 00 00 00 00 1d 00 00 00 01 00 00 00 07 00 00 00 ................
0x5a0c10f0 07 00 00 00 4c 75 6e 61 72 2d 34 00 00 00 00 00 ....Lunar-4.....
0x5a0c1100 00 00 00 00 00 1d 00 00 00 01 00 00 00 07 00 00 ................
0x5a0c1110 00 07 00 00 00 4c 75 6e 61 72 2d 31 00 00 00 00 .....Lunar-1....
0x5a0c1120 00 00 00 00 00 00 1d 00 00 00 01 00 00 00 07 00 ................
0x5a0c1130 00 00 07 00 00 00 4c 75 6e 61 72 2d 32 00 00 7a ......Lunar-2..z
0x5a0c1140 00 00 00 00 00 00 00 1d 00 00 00 01 00 00 00 08 ................
0x5a0c1150 00 00 00 08 00 00 00 53 63 72 6f 6c 6c 55 70 00 .......ScrollUp.
0x5a0c1160 00 00 00 00 00 00 00 00 1d 00 00 00 01 00 00 00 ................
|
The leet speak string looks like a flag ;)
CTF{0tt3r8r33z3}
5 - Name Game 2
In this case, I will use custom yara rules. The statement does not give strings, just a pattern: 0x64 0x??{6-8} 0x40 0x06 0x??{18} 0x5a 0x0c 0x00{2}
To find this pattern in memory, I just have to do a custom rule, here is my otterrule.yar file:
1
2
3
4
5
6
7
8
9
10
| rule OtterCTF
{
meta:
desc = "OtterCTF"
weight = 10
strings:
$a = {?? [6-8] 40 06 [18] 5a 0c 00 00}
condition:
$a
}
|
Still filtering on the same PID, just add our rule file to the filter:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
| $ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem --profile=Win7SP1x64 yarascan -y usr_land/otterrule.ya -p 708
Volatility Foundation Volatility Framework 2.6.1
Rule: OtterCTF
Owner: Process LunarMS.exe Pid 708
0x5ab4dfa7 08 44 64 00 00 00 00 00 00 40 06 00 00 b4 e5 af .Dd......@......
0x5ab4dfb7 00 01 00 00 00 00 00 00 00 b0 e5 af 00 5a 0c 00 .............Z..
0x5ab4dfc7 00 4d 30 72 74 79 4c 30 4c 00 00 00 00 00 00 00 .M0rtyL0L.......
0x5ab4dfd7 21 4e 00 00 55 75 00 00 00 00 00 00 00 00 00 00 !N..Uu..........
0x5ab4dfe7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x5ab4dff7 b4 10 95 6f d5 cd 66 36 66 36 b4 ab ee fa a4 73 ...o..f6f6.....s
0x5ab4e007 9f 70 f2 ab 6e ba 3a c4 3f c4 3c ac ee 25 ac d9 .p..n.:.?.<..%..
0x5ab4e017 a8 d9 60 ac 6e a0 d6 25 d2 25 a8 ab ee ee e1 aa ..`.n..%.%......
0x5ab4e027 d2 a2 29 ac 2e 9b d1 5e f4 57 d8 ab 2e 27 86 01 ..)....^.W...'..
0x5ab4e037 7c 07 87 ab ee 0a e8 5f 12 59 d7 ab 6e 31 96 49 |......_.Y..n1.I
0x5ab4e047 96 49 cb ab ee 9e dd e6 dd e6 6a ac 2e 2c 12 bd .I........j..,..
0x5ab4e057 3e 25 1f 03 6d 29 87 9d 69 26 f8 4a f8 4a cb ab >%..m)..i&.J.J..
0x5ab4e067 6e ad 60 35 ef a2 01 c2 38 65 2c d8 fa cd e4 f8 n.`5....8e,.....
0x5ab4e077 90 31 c7 87 8c 21 0e 70 e6 6d 78 20 af 00 00 00 .1...!.p.mx.....
0x5ab4e087 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5e 81 ..............^.
0x5ab4e097 ee 8f 7c 6a 4e 74 06 86 f8 0d 06 00 00 00 00 00 ..|jNt..........
[...]
|
Great, it works well!
CTF{M0rtyL0L}
6 - Silly Rick
This challenge will use a standard volatility plugin: clipboard. This plugin will get the clipboard content at dump time:
1
2
3
4
5
6
7
8
9
10
| $ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem --profile=Win7SP1x64 clipboard
Volatility Foundation Volatility Framework 2.6.1
Session WindowStation Format Handle Object Data
---------- ------------- ------------------ ------------------ ------------------ --------------------------------------------------
1 WinSta0 CF_UNICODETEXT 0x602e3 0xfffff900c1ad93f0 M@il_Pr0vid0rs
1 WinSta0 CF_TEXT 0x10 ------------------
1 WinSta0 0x150133L 0x200000000000 ------------------
1 WinSta0 CF_TEXT 0x1 ------------------
1 ------------- ------------------ 0x150133 0xfffff900c1c1adc0
|
EZ Win :D
CTF{M@il_Pr0vid0rs}
7 - Hide and Seek
It’s starting to get interesting: malware. For this challenge, it’s better not to go wrong.
A needle in a haystack
If we get processes tree, we can notify some strange things:
- A “Rick and Morty” process, that has a child process ;
- Lavasoft process ;
- BitTorrent processes ;
- WebCompanion ;
- Notepad.exe which hasn’t got parent process.
Remember, a malware can have any name. It’s better to look at the parents/child processes.
Malware, is that you?
I’m going to start with my first hypothesis: the Rick and Morty process and his child, vmware-tray.exe.
The first step, extract binaries:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| $ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem --profile=Win7SP1x64 procdump -p 3820 -D .
Volatility Foundation Volatility Framework 2.6.1
Process(V) ImageBase Name Result
------------------ ------------------ -------------------- ------
0xfffffa801b486b30 0x0000000000400000 Rick And Morty OK: executable.3820.exe
$ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem --profile=Win7SP1x64 procdump -p 3720 -D .
Volatility Foundation Volatility Framework 2.6.1
Process(V) ImageBase Name Result
------------------ ------------------ -------------------- ------
0xfffffa801a4c5b30 0x0000000000ec0000 vmware-tray.ex OK: executable.3720.exe
$ mv executable.3820.exe rickandmorty.exe
$ mv executable.3720.exe vmware-tray.exe
|
Now a little visit on virustotal, to see the score of those two rogues. First, rickandmorty.exe:
Well, 4/68 it’s not really huge, probably a false positive. What Virustotal says about vmware-tray.exe:
Great! Better results! It smells the malware :D
And it is:
CTF{vmware-tray.exe}
8 - Path to glory
According to running processes, I suppose the awful habits of Rick, are the illegal downloads on BitTorrent
Let’s try to find what he downloaded:
1
2
3
4
5
6
7
8
9
10
11
| $ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem --profile=Win7SP1x64 filescan > pfilescan
$ cat pfilescan | grep -i torrent
[...]
0x000000007d63dbc0 10 0 R--r-d \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe
0x000000007d8813c0 2 0 RW-rwd \Device\HarddiskVolume1\Users\Rick\Downloads\Rick And Morty season 1 download.exe.torrent
0x000000007da56240 2 0 RW-rwd \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe
0x000000007dae9350 2 0 RWD--- \Device\HarddiskVolume1\Users\Rick\AppData\Roaming\BitTorrent\Rick And Morty season 1 download.exe.1.torrent
0x000000007dcbf6f0 2 0 RW-rwd \Device\HarddiskVolume1\Users\Rick\AppData\Roaming\BitTorrent\Rick And Morty season 1 download.exe.1.torrent
0x000000007e710070 8 0 R--rwd \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe
[...]
|
There is a bunch of suspicious files. I first tried to extract Rick And Morty season 1 download.exe file but nothing really relevant inside for our problem:
1
2
3
4
5
| $ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007e710070 -D .
Volatility Foundation Volatility Framework 2.6.1
ImageSectionObject 0x7e710070 None \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe
DataSectionObject 0x7e710070 None \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe
|
Let’s do the same operation on the torrent file:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| $ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007dae9350 -D .
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x7dae9350 None \Device\HarddiskVolume1\Users\Rick\AppData\Roaming\BitTorrent\Rick And Morty season 1 download.exe.1.torrent
$ strings file.None.0xfffffa801b42c9e0.dat
d8:announce44:udp://tracker.openbittorrent.com:80/announce13:announce-listll44:udp://tracker.openbittorrent.com:80/announceel42:udp://tracker.opentrackr.org:1337/announceee10:created by17:BitTorrent/7.10.313:creation datei1533150595e8:encoding5:UTF-84:infod6:lengthi456670e4:name36:Rick And Morty season 1 download.exe12:piece lengthi16384e6:pieces560:\I
!PC<^X
B.k_Rk
0<;O87o
!4^"
3hq,
&iW1|
K68:o
w~Q~YT
$$o9p
bwF:u
e7:website19:M3an_T0rren7_4_R!cke
|
Yay, it works!
CTF{M3an_T0rren7_4_R!ck}
9 - Path to glory 2
Honestly, with a good friend, we just guessed this flag, it’s insane.
He sent me this message: “Hey bro, try to find the string ‘Th3’ inside memory!”
Ok, but we can add more filter to be more efficient. The torrent file doesn’t come by a magic trick. Rick downloaded it with his favorite browser: Chrome.
Then I search the string “Th3” into Chrome processes:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
| $ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem --profile=Win7SP1x64 yarascan --yara-rules="Th3" -p 3924
[...]
Volatility Foundation Volatility Framework 2.6.1
Rule: r1
Owner: Process chrome.exe Pid 3924
0x6203ba714dd 5f 54 68 33 5f 57 65 61 6b 33 73 37 5f 4c 69 6e _Th3_Weak3s7_Lin
0x6203ba714ed 6b 5f 49 6e 5f 54 68 33 5f 43 68 40 69 6e 59 65 k_In_Th3_Ch@inYe
0x6203ba714fd 61 72 00 00 00 06 20 3b a7 0f 50 51 46 e2 0d 2f ar.....;..PQF../
0x6203ba7150d 2f 73 65 63 2d 73 2e 75 69 63 64 6e 2e 63 6f 6d /sec-s.uicdn.com
0x6203ba7151d 2f 6e 61 76 2d 63 64 6e 2f 68 6f 6d 65 2f 70 72 /nav-cdn/home/pr
0x6203ba7152d 65 6c 6f 61 64 65 72 2e 67 69 66 00 00 06 20 3b eloader.gif....;
0x6203ba7153d a7 16 18 00 00 00 02 6e 00 61 00 76 00 69 00 67 .......n.a.v.i.g
0x6203ba7154d 00 61 00 74 00 6f 00 72 00 2d 00 6c 00 78 00 61 .a.t.o.r.-.l.x.a
0x6203ba7155d 00 2e 00 6d 00 61 00 69 00 6c 00 2e 00 63 00 6f ...m.a.i.l...c.o
0x6203ba7156d 00 6d 00 01 00 00 00 16 00 00 00 00 00 00 62 6e .m............bn
0x6203ba7157d 00 61 00 76 00 69 00 67 00 61 00 74 00 6f 00 72 .a.v.i.g.a.t.o.r
0x6203ba7158d 00 2d 00 6c 00 78 00 61 00 2e 00 6d 00 61 00 69 .-.l.x.a...m.a.i
0x6203ba7159d 00 6c 00 2e 00 63 00 6f 00 6d 00 04 00 00 00 2a .l...c.o.m.....*
0x6203ba715ad 00 00 00 4f ac c4 0e 73 69 6d 70 6c 65 2d 69 63 ...O...simple-ic
0x6203ba715bd 6f 6e 5f 74 6f 6f 6c 62 61 72 2d 63 68 61 6e 67 on_toolbar-chang
0x6203ba715cd 65 2d 76 69 65 77 2d 68 6f 72 69 7a 6f 6e 74 61 e-view-horizonta
[...]
|
Ok, I got a piece of something, maybe of the flag:
_Th3_Weak3s7_Link_In_Th3_Ch@inYear
Let’s extract memory from process 3924 and see what happens. To look into memory dump, I’m using a good old strings and grep / less command.
1
2
3
4
5
6
7
8
9
| $ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem --profile=Win7SP1x64 memdump -p 3924 -D .
Volatility Foundation Volatility Framework 2.6.1
************************************************************************
Writing chrome.exe [ 3924] to 3924.dmp
$ strings 3924.dmp| grep Weak3s7_Link_In
Hum@n_I5_Th3_Weak3s7_Link_In_Th3_Ch@inYear
[...]
|
And the flag is:
CTF{Hum@n_I5_Th3_Weak3s7_Link_In_Th3_Ch@in}
10 - Bit 4 Bit
If all scenario steps are followed, finding the wallet will be easy. The malware is known: vmware-tray.exe. We suspect that the wallet is embedded in the malicious binary:
1
2
3
4
5
6
7
8
9
10
11
12
| $ strings -e l vmware-tray.exe
[...]
label2
Your Payment has failed, The funs have been sent back to your wallet. Please send it again
Error
1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M
Send 0.16 to the address below.
I paid, Now give me back my files.
Form3
hidden_tear.Properties.Resources
Bitcoin_Accepted_Here-4800px
[...]
|
The flag is:
CTF{1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M}
11 - Graphic’s for the Weak
Like the previous challenge, we already identified the malware. So if the malware deal with a picture, there are two possibilities:
- The picture is embedded in the malware
- The malware will download the picture
There is an easy way to check the first hypothesis, use a carving software like binwalk, foremost or whatever.
1
2
3
4
5
6
7
8
9
10
11
12
| $ binwalk vmware-tray.exe
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Microsoft executable, portable (PE)
9178 0x23DA Copyright string: "CopyrightAttribute"
116288 0x1C640 PNG image, 4800 x 1454, 8-bit/color RGBA, non-interlaced
116416 0x1C6C0 Zlib compressed data, compressed
344098 0x54022 PNG image, 800 x 600, 8-bit colormap, non-interlaced
344511 0x541BF Zlib compressed data, best compression
420575 0x66ADF XML document, version: "1.0"
423178 0x6750A Unix path: /schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
|
We can see two PNG files, let’s try to extract them with foremost. I’m using foremost instead of binwalk to extract data because files extracted by foremost are much cleaner:
1
2
3
4
5
6
| $ foremost vmware-tray.exe
Processing: vmware-tray.exe
|*|
$ file output/png/00000672.png
output/png/00000672.png: PNG image data, 800 x 600, 8-bit colormap, non-interlaced
|
CTF{S0_Just_M0v3_Socy}
12 - Recovery
I didn’t manage to solve those two last challenges during the CTF time. But there are very interesting, I had a lot of fun solving them.
To find the encryption key, I have to reverse the malware. I want to find out how the key is generated and how the key is sent to the command and control server. Fortunately, the malware was developed with .NET language:
1
2
| $ file vmware-tray.exe
vmware-tray.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
|
.NET languages can be decompiled easily with tools like ILSPy. The less I’m seeing assembly better I am! :D
I quickly identified the function SendPassword.
Now that I’ve been achieving to find how the key is sent, I can search the pattern in the memory dump:
1
2
| $ strings -e l OtterCTF.vmem| grep "WIN-LO6FAF3DTFE-Rick "
WIN-LO6FAF3DTFE-Rick aDOBofVYUNVnmp7
|
CTF{aDOBofVYUNVnmp7}
13 - Closure
While I was looking for the method that sent the key to the command and control server, I saw a name that caught my attention: HiddenTears.
HiddenTears is ransomware available on GitHub since 2015. Some little jerks use this GitHub to do new strains. But it means HiddenTears decrypter is available on the internet, even on the GitHub.
Decrypter: https://github.com/goliate/hidden-tear/tree/master/hidden-tear-decrypter
Firstly, get the file which contains the flag:
1
2
3
4
5
6
7
8
9
| $ cat pfilescan | grep -i flag
0x000000007d61b070 16 0 RW-rw- \Device\HarddiskVolume1\Users\Rick\AppData\Roaming\Microsoft\Windows\Recent\Flag.txt.WINDOWS.lnk
0x000000007e410890 16 0 R--r-- \Device\HarddiskVolume1\Users\Rick\Desktop\Flag.txt
$ vol.py --plugins=plug_vol/ -f usr_land/OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007e410890 -D .
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x7e410890 None \Device\HarddiskVolume1\Users\Rick\Desktop\Flag.txt
|
So, now we got a decryption key, an encrypted file, and a decrypter. It sounds good ;)
… Or not, there is a little problem in the “Flag.txt” file that has been extracted:
1
2
3
4
5
6
7
8
| $ hexdump -C Flag.txt
00000000 7b e6 24 56 9e 5c 0f ef 8e 43 28 f7 e4 c5 83 ff |{.$V.\...C(.....|
00000010 6c 31 d7 e6 1c da ea 54 cf 72 dd d6 ec 7e b0 7b |l1.....T.r...~.{|
00000020 c6 8d d0 a8 cc c2 ce 6e 3e ee 03 47 c1 0b b3 e8 |.......n>..G....|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001000
|
There is a little mistake about padding, is there a bunch of zero at the end of the file. It probably happens during file extraction from memory.
When the file is lightened of its 0 and renamed with ‘.locked’ extension, it’s decryption time:
CTF{Im_Th@_B3S7_RicK_0f_Th3m_4ll}
