
Walkthrough
Information
Category Name: Defcon2019: Memory Forensics
Files: Defcon2019: Triage-Memory.mem (5.0 GB)
Download it from the CTF and verify the file's MD5 hash:
md5 /path/to/Triage-Memory.mem
MD5: c0c80a06ad336a6e20d42c895a0e067f
After verification, share the folder containing Triage-Memory.mem with your VM.
This is my personal preference; I like being organized and deleting a folder when I'm done with it.
mkdir Documents/defcon19/memory
Volatility is all you need to solve this category:
vol.py -h
If this doesn’t work, then install it following these instructions.
1. get your volatility on - 5 pts
What is the SHA1 hash of triage.mem?
sha1sum /mnt/hgfs/mem/Triage-Memory.mem
Answer: flag<c95e8cc8c946f95a109ea8e47a6800de10a27abd>
2. pr0file - 10 pts
What profile is the most appropriate for this machine? (ex: Win10x86_14393)
vol.py -f /mnt/hgfs/mem/Triage-Memory.mem imageinfo
Usually, the first suggested profile works:
Answer: flag<Win7SP1x64>
3. hey, write this down - 12 pts
What was the process ID of notepad.exe?
vol.py -f /mnt/hgfs/mem/Triage-Memory.mem --profile=Win7SP1x64 pslist | grep "notepad.exe"
Piping the output to grep avoids looking through all processes by hand; the Process ID (PID) of notepad.exe is 3032.
Answer: flag<3032>
4. wscript can haz children - 14 pts
Name the child processes of wscript.exe.
vol.py -f /mnt/hgfs/mem/Triage-Memory.mem --profile=Win7SP1x64 pstree
We can see that wscript.exe has a child process, UWkpjFjDzM.exe, which in turn has a child process of its own, cmd.exe.
Answer: flag<UWkpjFjDzM.exe>
5. tcpip settings - 18 pts
What was the IP address of the machine at the time the RAM dump was created?
Earlier, the imageinfo plugin displayed the date and time of the image: 2019-03-22 05:46:00 UTC+0000. To find the IP address the machine had at that time, we can use the netscan plugin:
vol.py -f /mnt/hgfs/mem/Triage-Memory.mem --profile=Win7SP1x64 netscan
Answer: flag<10.0.0.101>
6. intel - 18 pts
Based on the answer regarding the infected PID, can you determine what the IP of the attacker was?
vol.py -f /mnt/hgfs/mem/Triage-Memory.mem --profile=Win7SP1x64 netscan
Using the same plugin as before, one entry shows a foreign IP address on port 4444, which is Metasploit's default handler port!
Answer: flag<10.0.0.106>
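The netscan triage above can be automated. The following is an added example, not part of the original walkthrough or of Volatility: it parses rows in the column layout of Volatility 2's netscan output (the sample rows are constructed, mirroring the findings above) and flags foreign endpoints on Metasploit's default port 4444.

```python
from collections import namedtuple

# Constructed sample lines in the column layout printed by Volatility 2's
# netscan plugin (Offset, Proto, Local Address, Foreign Address, State, Pid,
# Owner, Created). They mirror the findings above but are not the real
# output of Triage-Memory.mem.
SAMPLE_NETSCAN = """\
Offset(P)  Proto  Local Address     Foreign Address    State        Pid   Owner           Created
0x7e0e8e30 UDPv4  0.0.0.0:5355      *:*                             1012  svchost.exe     2019-03-22 05:40:11 UTC+0000
0x7e1a4b00 TCPv4  10.0.0.101:139    0.0.0.0:0          LISTENING    4     System
0x7e2f0a10 TCPv4  10.0.0.101:49171  10.0.0.106:4444    ESTABLISHED  3496  UWkpjFjDzM.exe
0x7e3c1290 TCPv4  10.0.0.101:49180  198.51.100.7:443   ESTABLISHED  2124  OfficeClickToR
"""

Conn = namedtuple("Conn", "proto local foreign state pid owner")
SUSPICIOUS_PORTS = {4444}  # Metasploit's default handler port, as noted above


def parse_netscan(text):
    """Parse netscan rows. UDP rows have no State column, so for them the
    PID follows the foreign address directly."""
    conns = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 6:
            continue
        proto, local, foreign = parts[1:4]
        rest = parts[4:]
        if rest[0].isdigit():                   # UDP: no state token
            state, pid, rest = "", int(rest[0]), rest[1:]
        else:
            state, pid, rest = rest[0], int(rest[1]), rest[2:]
        # Owner may be blank, in which case the next token is the Created date.
        owner = rest[0] if rest and not rest[0][:4].isdigit() else ""
        conns.append(Conn(proto, local, foreign, state, pid, owner))
    return conns


def split_endpoint(endpoint):
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def find_suspicious(conns, ports=SUSPICIOUS_PORTS):
    """Connections whose foreign port is a known C2 default."""
    hits = []
    for c in conns:
        host, port = split_endpoint(c.foreign)
        if port in ports:
            hits.append((c.pid, c.owner, host, port))
    return hits


def connections_for_pid(conns, pid):
    """Every socket owned by one PID, e.g. the infected process from question 16."""
    return [c for c in conns if c.pid == pid]
```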
7. i <3 windows dependencies - 20 pts
What process name is VCRUNTIME140.dll associated with?
vol.py -f /mnt/hgfs/mem/Triage-Memory.mem --profile=Win7SP1x64 dlllist
The output of this command is massive, so search it for VCRUNTIME140.dll. The DLL shows up under Office16 paths, but it is loaded by 'OfficeClickToRun.exe', whose process name as printed on the first line of the output is "OfficeClickToR":
Answer: flag<OfficeClickToR>
8. mal-ware-are-you - 20 pts
What is the md5 hash value of the potential malware on the system?
The potential malware is the executable from question 4, which has a PID of 3496. Use procdump to extract it:
vol.py -f /mnt/hgfs/mem/Triage-Memory.mem --profile=Win7SP1x64 procdump -D ./ -p 3496
Then run md5sum on the dumped executable to get its hash:
md5sum executable.3496.exe
Answer: flag<690ea20bc3bdfb328e23005d9a80c290>
9. lm-get bobs hash - 24 pts
What is the LM hash of bob's account?
vol.py -f /mnt/hgfs/mem/Triage-Memory.mem --profile=Win7SP1x64 hashdump
This is the fastest way to get the LM hash of every user on the machine. Note that aad3b435b51404eeaad3b435b51404ee is the well-known value of an empty LM hash (Windows 7 does not store LM hashes by default), so it says nothing about bob's actual password:
Answer: flag<aad3b435b51404eeaad3b435b51404ee>
10. vad the impaler - 25 pts
What protections does the VAD node at 0xfffffa800577ba10 have?
vol.py -f /mnt/hgfs/mem/Triage-Memory.mem --profile=Win7SP1x64 vadinfo | grep "0xfffffa800577ba10" -A 10
Answer: flag<PAGE_READONLY>
11. more vads?! - 25 pts
What protections did the VAD starting at 0x00000000033c0000 and ending at 0x00000000033dffff have?
vol.py -f /mnt/hgfs/mem/Triage-Memory.mem --profile=Win7SP1x64 vadinfo | grep "0x00000000033c0000" -A 10
This outputs several VAD nodes starting at 0x00000000033c0000, but only one ending at 0x00000000033dffff:
Answer: flag<PAGE_NOACCESS>
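For questions 10 and 11, grepping vadinfo works but is fragile because several processes can own a VAD with the same start address. The following is an added example, not part of the original walkthrough or of Volatility: a small parser for the layout of Volatility 2's vadinfo output (the sample text is constructed, using the addresses and protections from the questions but made-up PIDs and flag values) that looks nodes up by node address or by the full start/end range.

```python
import re

# Constructed sample in the layout of Volatility 2's vadinfo output. The
# node address, ranges and protections match the questions above, but the
# PIDs and flag values are made up; this is not the real dump's output.
SAMPLE_VADINFO = """\
************************************************************************
Pid:   3032
VAD node @ 0xfffffa800577ba10 Start 0x0000000000040000 End 0x0000000000040fff Tag Vad 
Flags: NoChange: 1, Protection: 1
Protection: PAGE_READONLY
Vad Type: VadNone
************************************************************************
Pid:   3496
VAD node @ 0xfffffa8005a2c1f0 Start 0x00000000033c0000 End 0x00000000033cffff Tag VadS
Flags: CommitCharge: 16, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone
************************************************************************
Pid:   1012
VAD node @ 0xfffffa8005a2c3b0 Start 0x00000000033c0000 End 0x00000000033dffff Tag VadS
Flags: PrivateMemory: 1, Protection: 0
Protection: PAGE_NOACCESS
Vad Type: VadNone
"""

NODE_RE = re.compile(r"VAD node @ (0x[0-9a-f]+) Start (0x[0-9a-f]+) End (0x[0-9a-f]+)")


def parse_vadinfo(text):
    """One dict per VAD node, tagged with the owning PID. Only the standalone
    'Protection:' line is read; the 'Flags:' line also contains the word
    Protection with a numeric value and must not be mistaken for it."""
    nodes, pid, cur = [], None, None
    for line in text.splitlines():
        if line.startswith("Pid:"):
            pid = int(line.split(":", 1)[1])
        m = NODE_RE.match(line)
        if m:
            cur = {"pid": pid, "node": int(m.group(1), 16), "start": int(m.group(2), 16),
                   "end": int(m.group(3), 16), "protection": None}
            nodes.append(cur)
        elif cur and line.startswith("Protection:"):
            cur["protection"] = line.split(":", 1)[1].strip()
    return nodes


def protection_by_node(nodes, node_addr):
    return [n["protection"] for n in nodes if n["node"] == node_addr]


def protection_by_range(nodes, start, end):
    """Match on both ends: several processes can have a VAD with the same
    start address (question 11), so the start alone is ambiguous."""
    return [(n["pid"], n["protection"]) for n in nodes
            if n["start"] == start and n["end"] == end]
```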
12. vacation bible school - 25 pts
There was a VBS script run on the machine. What is the name of the script? (submit without file extension)
vol.py -f /mnt/hgfs/mem/Triage-Memory.mem --profile=Win7SP1x64 cmdline
The cmdline plugin shows the command line of every process, and the interesting entry is right there:
the wscript.exe process that launched the .vbs script is the parent process of the malware, and its command line names the script!
Answer: flag<vhjReUDEuumrX>
13. thx microsoft - 25 pts
An application was run at 2019-03-07 23:06:58 UTC, what is the name of the program? (Include extension)
vol.py -f /mnt/hgfs/mem/Triage-Memory.mem --profile=Win7SP1x64 timeliner | grep "2019-03-07 23:06:58" -B 5 -A 5
This plugin is slow, so I recommend working on the next questions while it runs, but here is the grepped output!
Answer: flag<Skype.exe>
14. lightbulb moment - 35 pts
What was written in notepad.exe in the time of the memory dump?
First things first, we need the PID of notepad.exe. Question 3 already asked us about it: it's 3032.
To find the contents, I followed these instructions. There are other ways to do it, but this worked well for me. vaddump writes every memory region (VAD) of notepad.exe to a file. To make the result easily searchable, we run strings over each file in the directory and collect the output in a single text file (the -e l switch extracts 16-bit little-endian strings, which is how the Notepad edit control stores its text):
mkdir vads
vol.py -f /mnt/hgfs/mem/Triage-Memory.mem --profile=Win7SP1x64 vaddump -p 3032 -D vads
strings -e l vads/* > vadsall.txt
In memory, the contents of a Notepad buffer sit near this string, so we search for it:
“Would you like to save the %% file non-transactionally?”
grep "Would you like to save" -A 10 vadsall.txt
There are two matches, and the second one contains the flag!
Answer: flag<REDBULL_IS_LIFE>
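The strings/grep step above can also be done in Python, which makes it easy to keep only the text following each marker hit. The following is an added example, not part of the original walkthrough: it extracts UTF-16LE strings from a buffer the way `strings -e l` does and returns the strings that follow the Notepad marker; the sample bytes standing in for a dumped VAD are constructed, not taken from Triage-Memory.mem.

```python
import re

MARKER = "Would you like to save the %% file non-transactionally?"

# Constructed sample bytes standing in for a dumped VAD region: ASCII noise,
# a UTF-16LE copy of the Notepad marker string and a made-up note body.
# Not taken from the real Triage-Memory.mem dump.
SAMPLE_VAD = (
    b"\x00\x00MZ\x90\x00junk\x00\x00"
    + b"ordinary ascii text"                    # 8-bit text: must be ignored
    + b"\x00\x00\x00"
    + MARKER.encode("utf-16-le") + b"\x00\x00\x00\x00"
    + "meeting notes: CONSTRUCTED_FLAG_TEXT".encode("utf-16-le")
    + b"\x00\x00\xff\xfe" + "x".encode("utf-16-le")   # too short to count
)


def utf16le_strings(data, min_len=4):
    """Roughly what `strings -e l` does: runs of printable ASCII encoded as
    UTF-16LE (each char followed by a NUL byte) of at least min_len chars."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def notepad_text_after_marker(data, marker=MARKER, context=3):
    """Return up to `context` strings following every marker hit, i.e. the
    candidate Notepad buffer contents (question 14 had two hits; the flag
    was after the second one, so all hits are reported)."""
    strs = utf16le_strings(data)
    out = []
    for i, s in enumerate(strs):
        if marker in s:
            out.extend(strs[i + 1:i + 1 + context])
    return out
```

To use it on the real dump, read each file under vads/ in binary mode and pass its bytes to notepad_text_after_marker.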
15. 8675309 - 35 pts
What is the shortname of the file at file record 59045?
vol.py -f /mnt/hgfs/mem/Triage-Memory.mem --profile=Win7SP1x64 mftparser > mft.dmp
strings mft.dmp | grep "Record Number: 59045" -B 10 -A 20
The first $FILE_NAME entry is the short name of the file: EMPLOY~1.xls
Answer: flag<EMPLOY~1.XLS>
16. whats-a-metasploit? - 50 pts
This box was exploited and is running meterpreter. What PID was infected?
Submitting the md5 hash (from question 8) to VirusTotal confirms the executable is a Trojan. The infected PID is 3496!
Answer: flag<3496>
TLDR
– Volatility 2 is the only tool needed.